xworm | 9c1dd9cff28ed7de7eea5fd29c496fcbb4126a8e9460cf4fb53b604223e68188

General

Target

msedge.exe
Size

148KB
MD5

fb5350f3e1dc1599e93ef75d0de3b1a8
SHA1

a195ebc55dd2aedbd3a8255128f7769e9b8c6585
SHA256

9c1dd9cff28ed7de7eea5fd29c496fcbb4126a8e9460cf4fb53b604223e68188
SHA512

4c3e76c008a0d1424fe46bccf3893a18c2d4561bbd38e52b57995f0f1982631187df4d31d0f16e24118c2145737f0abcdd948c803f330dfb967f9f05178e5f37
SSDEEP

3072:YDDCEPVk9tf+bCUo9Cbv6OWKe5BV0bUniyimyS:BWbKQ5e5v0bURy

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

care-melissa.gl.at.ply.gg:50810

Attributes

Install_directory
%AppData%
install_file
Edge.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/2328-1-0x0000000000B30000-0x0000000000B5A000-memory.dmp	family_xworm
behavioral1/files/0x000a000000016c1a-35.dat	family_xworm
behavioral1/memory/852-37-0x00000000010F0000-0x000000000111A000-memory.dmp	family_xworm
behavioral1/memory/1268-40-0x0000000001140000-0x000000000116A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2532	powershell.exe
2492	powershell.exe
2628	powershell.exe
2380	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Edge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Edge.lnk	msedge.exe

Executes dropped EXE 2 IoCs

pid	Process
852	Edge.exe
1268	Edge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2532	powershell.exe
2492	powershell.exe
2628	powershell.exe
2380	powershell.exe
2328	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	msedge.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	852	Edge.exe
Token: SeDebugPrivilege	1268	Edge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2328	msedge.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2532	2328	msedge.exe	31
PID 2328 wrote to memory of 2532	2328	msedge.exe	31
PID 2328 wrote to memory of 2532	2328	msedge.exe	31
PID 2328 wrote to memory of 2492	2328	msedge.exe	33
PID 2328 wrote to memory of 2492	2328	msedge.exe	33
PID 2328 wrote to memory of 2492	2328	msedge.exe	33
PID 2328 wrote to memory of 2628	2328	msedge.exe	35
PID 2328 wrote to memory of 2628	2328	msedge.exe	35
PID 2328 wrote to memory of 2628	2328	msedge.exe	35
PID 2328 wrote to memory of 2380	2328	msedge.exe	37
PID 2328 wrote to memory of 2380	2328	msedge.exe	37
PID 2328 wrote to memory of 2380	2328	msedge.exe	37
PID 2328 wrote to memory of 320	2328	msedge.exe	39
PID 2328 wrote to memory of 320	2328	msedge.exe	39
PID 2328 wrote to memory of 320	2328	msedge.exe	39
PID 800 wrote to memory of 852	800	taskeng.exe	42
PID 800 wrote to memory of 852	800	taskeng.exe	42
PID 800 wrote to memory of 852	800	taskeng.exe	42
PID 800 wrote to memory of 1268	800	taskeng.exe	43
PID 800 wrote to memory of 1268	800	taskeng.exe	43
PID 800 wrote to memory of 1268	800	taskeng.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Edge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Edge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Edge" /tr "C:\Users\Admin\AppData\Roaming\Edge.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:320

C:\Windows\system32\taskeng.exe
taskeng.exe {B30B568C-F30A-4C6A-A7BC-74388C8F8AFE} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Roaming\Edge.exe
  C:\Users\Admin\AppData\Roaming\Edge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Users\Admin\AppData\Roaming\Edge.exe
  C:\Users\Admin\AppData\Roaming\Edge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Edge.exe

Filesize
148KB

MD5
fb5350f3e1dc1599e93ef75d0de3b1a8

SHA1
a195ebc55dd2aedbd3a8255128f7769e9b8c6585

SHA256
9c1dd9cff28ed7de7eea5fd29c496fcbb4126a8e9460cf4fb53b604223e68188

SHA512
4c3e76c008a0d1424fe46bccf3893a18c2d4561bbd38e52b57995f0f1982631187df4d31d0f16e24118c2145737f0abcdd948c803f330dfb967f9f05178e5f37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6b9b95ac64e36f91c2057276cab6300b

SHA1
6120b6fb6c4d62805c7975d0dc1914583984ac0d

SHA256
5aadb5ebaeedbabcf512fee8486192ff994a1821562fc163d47f3a4384c57b64

SHA512
3d03b1ae157aec0e364a36e21e98aa032a086a61fbc9b2ee2ea741b6373c9e251895afad48deb6f6ba95d7d51759744bf60745fa87b853121afe6948a7e0c460

Download Submit
memory/852-37-0x00000000010F0000-0x000000000111A000-memory.dmp

Filesize
168KB

Download
memory/1268-40-0x0000000001140000-0x000000000116A000-memory.dmp

Filesize
168KB

Download
memory/2328-32-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download
memory/2328-1-0x0000000000B30000-0x0000000000B5A000-memory.dmp

Filesize
168KB

Download
memory/2328-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2328-33-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download
memory/2328-27-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2492-14-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2492-15-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

Filesize
32KB

Download
memory/2532-8-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2532-7-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/2532-6-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads