xworm | 12bc7739ff2e83c94c4ccff18eba664e1697ffb9db986c446c8fb35a663c3a00

General

Target

runtime/msedge_visual_render.exe
Size

188KB
MD5

e796b778b392f06de4d340ec0f88b4cc
SHA1

32561bf3b022aef8a62bac3e820ef7e3bc648f57
SHA256

1ff08d4cbe1a41c10692941c7835b93ea5738057dc381cf4704136436911df05
SHA512

dcdbeb8d1720b2bfe8ce8c2311414b71ec090eb94db53d379c08cbf7b17a25ac4bc9488315e867406bb1661a76df223c953f01c7d40997fdf9ccb20daaf4c8c7
SSDEEP

3072:2rhv4AbmL4mkbrz9EO7PvJKRUGKXs+S++7KFSbxeY+qDDrMn:2r7bmclbX3ZGqStKEbxI

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

23.ip.gl.ply.gg:57660

Attributes

Install_directory
%AppData%
install_file
msedge.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1632-1-0x0000000000340000-0x0000000000374000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3100 powershell.exe
876 powershell.exe
3376 powershell.exe
1032 powershell.exe

pid	process
3100	powershell.exe
876	powershell.exe
3376	powershell.exe
1032	powershell.exe

Drops startup file 2 IoCs

Processes:

msedge_visual_render.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge_visual_render.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge_visual_render.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msedge_visual_render.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Roaming\\msedge.exe"	msedge_visual_render.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
876	powershell.exe
876	powershell.exe
3376	powershell.exe
3376	powershell.exe
1032	powershell.exe
1032	powershell.exe
3100	powershell.exe
3100	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

msedge_visual_render.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1632	msedge_visual_render.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	1632	msedge_visual_render.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msedge_visual_render.exe

description	pid	process	target process
PID 1632 wrote to memory of 876	1632	msedge_visual_render.exe	powershell.exe
PID 1632 wrote to memory of 876	1632	msedge_visual_render.exe	powershell.exe
PID 1632 wrote to memory of 3376	1632	msedge_visual_render.exe	powershell.exe
PID 1632 wrote to memory of 3376	1632	msedge_visual_render.exe	powershell.exe
PID 1632 wrote to memory of 1032	1632	msedge_visual_render.exe	powershell.exe
PID 1632 wrote to memory of 1032	1632	msedge_visual_render.exe	powershell.exe
PID 1632 wrote to memory of 3100	1632	msedge_visual_render.exe	powershell.exe
PID 1632 wrote to memory of 3100	1632	msedge_visual_render.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\runtime\msedge_visual_render.exe
"C:\Users\Admin\AppData\Local\Temp\runtime\msedge_visual_render.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\runtime\msedge_visual_render.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge_visual_render.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5ba388a6597d5e09191c2c88d2fdf598

SHA1
13516f8ec5a99298f6952438055c39330feae5d8

SHA256
e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca

SHA512
ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ca6377e0364987a60026b50b7d16c5db

SHA1
fe51dafbb7f6e6fb5b22152326e34b0ef8f339ec

SHA256
d51c75942569d68f771f14ad589a6b3a33eda85a99025e812b47abcd96bcc033

SHA512
017def6386f99dbd0fa8ed7c0192c4f781c4b8dbb6ae2c53f66119d1378a1caf3970ec8cc4215eb3aa142644d44a027f6b3803c3c041122be4cbaf737e2ecacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1406e40bc90234838ab278843448a11

SHA1
7e056692cfcf53a92ba8582a5fc0d2a418ef0c81

SHA256
fdc53165753f599dd5a22b0bd229f8e4c63e73dc47aece0b475c79a7255b1d10

SHA512
8ada81e44b16bfca0141dfe52a0b63e3cc7827b8dc45bfea87f834ffb759eeac87426c722b75fd76a447ab5efb69e0053b9fb34bd42d40b413a48f702eb70ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2j32cgqi.qk1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/876-11-0x00007FFAE7830000-0x00007FFAE82F2000-memory.dmp

Filesize
10.8MB

Download
memory/876-13-0x00007FFAE7830000-0x00007FFAE82F2000-memory.dmp

Filesize
10.8MB

Download
memory/876-17-0x00007FFAE7830000-0x00007FFAE82F2000-memory.dmp

Filesize
10.8MB

Download
memory/876-16-0x00007FFAE7830000-0x00007FFAE82F2000-memory.dmp

Filesize
10.8MB

Download
memory/876-12-0x00007FFAE7830000-0x00007FFAE82F2000-memory.dmp

Filesize
10.8MB

Download
memory/876-2-0x000001F840D50000-0x000001F840D72000-memory.dmp

Filesize
136KB

Download
memory/1632-1-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/1632-0-0x00007FFAE7833000-0x00007FFAE7835000-memory.dmp

Filesize
8KB

Download
memory/1632-53-0x00007FFAE7830000-0x00007FFAE82F2000-memory.dmp

Filesize
10.8MB

Download
memory/1632-54-0x00007FFAE7833000-0x00007FFAE7835000-memory.dmp

Filesize
8KB

Download
memory/1632-55-0x00007FFAE7830000-0x00007FFAE82F2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads