xworm | fcde1964bf5a6864ae27f37f2275d72177414c1cc0c7a335b9016df530ca8861

General

Target

XbinderV2.1.exe
Size

5.0MB
MD5

4fae9d58f316945e4dd804b87ea448ea
SHA1

2040e113ff666ff86b4c6bbe0ad8ffb90b8b08b9
SHA256

fcde1964bf5a6864ae27f37f2275d72177414c1cc0c7a335b9016df530ca8861
SHA512

609b7cd7e4baf006ddbff99e44d6724e009938bccc1ae332417abe21c0de1001275c54e33c9d18d6de751bcaa4e4f2482877368116564d0f6dca83f4ef16d3c7
SSDEEP

24576:yair/rjVJbC7vztZJIS002Kgp/nn6V9g:ya07qx0Zns

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:63603

37.4.250.236:63603

Attributes

Install_directory
%AppData%
install_file
Runtime.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0002000000022ab7-7.dat	family_xworm
behavioral1/memory/2708-26-0x0000000000CF0000-0x0000000000D08000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1164	powershell.exe
1736	powershell.exe
1656	powershell.exe
3584	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	XbinderV2.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Runtime.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime.lnk	Runtime.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime.lnk	Runtime.exe

Executes dropped EXE 2 IoCs

pid	Process
2708	Runtime.exe
1388	XBinder v2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1164	powershell.exe
1164	powershell.exe
1736	powershell.exe
1736	powershell.exe
1656	powershell.exe
1656	powershell.exe
3584	powershell.exe
3584	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	Runtime.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	2708	Runtime.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2708	2216	XbinderV2.1.exe	87
PID 2216 wrote to memory of 2708	2216	XbinderV2.1.exe	87
PID 2216 wrote to memory of 1388	2216	XbinderV2.1.exe	88
PID 2216 wrote to memory of 1388	2216	XbinderV2.1.exe	88
PID 2708 wrote to memory of 1164	2708	Runtime.exe	90
PID 2708 wrote to memory of 1164	2708	Runtime.exe	90
PID 2708 wrote to memory of 1736	2708	Runtime.exe	94
PID 2708 wrote to memory of 1736	2708	Runtime.exe	94
PID 2708 wrote to memory of 1656	2708	Runtime.exe	96
PID 2708 wrote to memory of 1656	2708	Runtime.exe	96
PID 2708 wrote to memory of 3584	2708	Runtime.exe	99
PID 2708 wrote to memory of 3584	2708	Runtime.exe	99

C:\Users\Admin\AppData\Local\Temp\XbinderV2.1.exe
"C:\Users\Admin\AppData\Local\Temp\XbinderV2.1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\Runtime.exe
  "C:\Users\Admin\AppData\Local\Temp\Runtime.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- C:\Users\Admin\AppData\Local\Temp\XBinder v2.exe
  "C:\Users\Admin\AppData\Local\Temp\XBinder v2.exe"
  2⤵
  - Executes dropped EXE
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4d8567f2d1c8a09bbfe613145bf78577

SHA1
f2af10d629e6d7d2ecec76c34bd755ecf61be931

SHA256
7437b098af4618fbcefe7522942c862aeaf39a0b82ce05b0797185c552f22a3c

SHA512
89130e5c514e33f5108e308f300614dc63989f3e6a4e762a12982af341ab1c5748dd93fd185698dcf6d3a1ea7234228d04ad962e4ee0a15a683e988f115a84ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime.exe

Filesize
69KB

MD5
e68e6918f51b7f4e8aee2645dcc5bbe6

SHA1
e706b613e0807035a789767cceef4a44690491fe

SHA256
3fcf495988ff9e7fd380a4da2cb845b9eb364e6a45040a702faa7e1fe2a00725

SHA512
1b1e9ab37632a65d89368178ee7220d666966f74cfa593216e1ea12e2eebad30f30fb85dbf90702a90e228facfaec27f90d5969f1e08b1e445e5f8751e152a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBinder v2.exe

Filesize
3.5MB

MD5
a98358eb7f4953aa6d60015ccd8506ce

SHA1
d9be0c9d6d968c1baef11027a7ace6a0e869e75a

SHA256
21e0cc9ef715cc2147b9ec481b3fb876dbae8a4491367b478513128d7f7b8555

SHA512
62389e840c375a15d317d024d2e07b861b5b66447abb0423f603b73d2ec0853e3f947f78498a40dd835b48ca50562af9364c65c448a60172fa9011b6e564fac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iiv4rqjz.qkl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1164-42-0x000001EC47EF0000-0x000001EC47F12000-memory.dmp

Filesize
136KB

Download
memory/1388-31-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

Filesize
10.8MB

Download
memory/1388-32-0x0000025E70430000-0x0000025E704CC000-memory.dmp

Filesize
624KB

Download
memory/1388-30-0x0000025E54C20000-0x0000025E54FAE000-memory.dmp

Filesize
3.6MB

Download
memory/1388-85-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

Filesize
10.8MB

Download
memory/1388-29-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

Filesize
10.8MB

Download
memory/2216-1-0x0000000000800000-0x00000000008B6000-memory.dmp

Filesize
728KB

Download
memory/2216-0-0x00007FFCD46A3000-0x00007FFCD46A5000-memory.dmp

Filesize
8KB

Download
memory/2216-28-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

Filesize
10.8MB

Download
memory/2216-5-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

Filesize
10.8MB

Download
memory/2708-26-0x0000000000CF0000-0x0000000000D08000-memory.dmp

Filesize
96KB

Download
memory/2708-83-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

Filesize
10.8MB

Download
memory/2708-84-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

Filesize
10.8MB

Download
memory/2708-27-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

Filesize
10.8MB

Download
memory/2708-86-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing