xworm | fcde1964bf5a6864ae27f37f2275d72177414c1cc0c7a335b9016df530ca8861

General

Target

XbinderV2.1.exe
Size

5.0MB
MD5

4fae9d58f316945e4dd804b87ea448ea
SHA1

2040e113ff666ff86b4c6bbe0ad8ffb90b8b08b9
SHA256

fcde1964bf5a6864ae27f37f2275d72177414c1cc0c7a335b9016df530ca8861
SHA512

609b7cd7e4baf006ddbff99e44d6724e009938bccc1ae332417abe21c0de1001275c54e33c9d18d6de751bcaa4e4f2482877368116564d0f6dca83f4ef16d3c7
SSDEEP

24576:yair/rjVJbC7vztZJIS002Kgp/nn6V9g:ya07qx0Zns

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:63603

37.4.250.236:63603

Attributes

Install_directory
%AppData%
install_file
Runtime.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000012000-5.dat	family_xworm
behavioral1/memory/2812-14-0x0000000000D50000-0x0000000000D68000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3016	powershell.exe
2916	powershell.exe
1524	powershell.exe
1564	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime.lnk	Runtime.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime.lnk	Runtime.exe

Executes dropped EXE 3 IoCs

pid	Process
2812	Runtime.exe
2552	XBinder v2.exe
1196	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
1420	XbinderV2.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3016	powershell.exe
2916	powershell.exe
1524	powershell.exe
1564	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2552	XBinder v2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	Runtime.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2812	Runtime.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2812	1420	XbinderV2.1.exe	30
PID 1420 wrote to memory of 2812	1420	XbinderV2.1.exe	30
PID 1420 wrote to memory of 2812	1420	XbinderV2.1.exe	30
PID 1420 wrote to memory of 2552	1420	XbinderV2.1.exe	31
PID 1420 wrote to memory of 2552	1420	XbinderV2.1.exe	31
PID 1420 wrote to memory of 2552	1420	XbinderV2.1.exe	31
PID 2812 wrote to memory of 3016	2812	Runtime.exe	33
PID 2812 wrote to memory of 3016	2812	Runtime.exe	33
PID 2812 wrote to memory of 3016	2812	Runtime.exe	33
PID 2812 wrote to memory of 2916	2812	Runtime.exe	35
PID 2812 wrote to memory of 2916	2812	Runtime.exe	35
PID 2812 wrote to memory of 2916	2812	Runtime.exe	35
PID 2812 wrote to memory of 1524	2812	Runtime.exe	37
PID 2812 wrote to memory of 1524	2812	Runtime.exe	37
PID 2812 wrote to memory of 1524	2812	Runtime.exe	37
PID 2812 wrote to memory of 1564	2812	Runtime.exe	39
PID 2812 wrote to memory of 1564	2812	Runtime.exe	39
PID 2812 wrote to memory of 1564	2812	Runtime.exe	39

C:\Users\Admin\AppData\Local\Temp\XbinderV2.1.exe
"C:\Users\Admin\AppData\Local\Temp\XbinderV2.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\Runtime.exe
  "C:\Users\Admin\AppData\Local\Temp\Runtime.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- C:\Users\Admin\AppData\Local\Temp\XBinder v2.exe
  "C:\Users\Admin\AppData\Local\Temp\XBinder v2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Runtime.exe

Filesize
69KB

MD5
e68e6918f51b7f4e8aee2645dcc5bbe6

SHA1
e706b613e0807035a789767cceef4a44690491fe

SHA256
3fcf495988ff9e7fd380a4da2cb845b9eb364e6a45040a702faa7e1fe2a00725

SHA512
1b1e9ab37632a65d89368178ee7220d666966f74cfa593216e1ea12e2eebad30f30fb85dbf90702a90e228facfaec27f90d5969f1e08b1e445e5f8751e152a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBinder v2.exe

Filesize
3.5MB

MD5
a98358eb7f4953aa6d60015ccd8506ce

SHA1
d9be0c9d6d968c1baef11027a7ace6a0e869e75a

SHA256
21e0cc9ef715cc2147b9ec481b3fb876dbae8a4491367b478513128d7f7b8555

SHA512
62389e840c375a15d317d024d2e07b861b5b66447abb0423f603b73d2ec0853e3f947f78498a40dd835b48ca50562af9364c65c448a60172fa9011b6e564fac4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
16f17ea1d17d38301876af769d3dd3e7

SHA1
3ac589971aaf41c9d5bd048fb292a653ca308356

SHA256
3c76abe7140cf9b853a9f1e1f041b4a08c5c4c2342e2fd33a87c3e87f8581f4d

SHA512
f26e993eae653d8aba2b1e8d84d8f554b0ead86e99fb168c8766d831e39e4312c44e6ee5d964e6c426fa3da0e9477d6871292a5d84bc23357681c9ee983a4119

Download Submit
memory/1420-17-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1420-1-0x0000000000A60000-0x0000000000B16000-memory.dmp

Filesize
728KB

Download
memory/1420-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/1420-9-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2552-18-0x000000001BE30000-0x000000001BECC000-memory.dmp

Filesize
624KB

Download
memory/2552-16-0x0000064477A20000-0x0000064477DAE000-memory.dmp

Filesize
3.6MB

Download
memory/2812-14-0x0000000000D50000-0x0000000000D68000-memory.dmp

Filesize
96KB

Download
memory/2812-15-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-47-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-31-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2916-32-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/3016-24-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/3016-25-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing