xworm | 096b33571e80d18c1763a3bd5d019e3177f1547b3ca6e6205a349075ce2fec18

General

Target

product sample requirement.exe
Size

438KB
MD5

07d5a83558349a82cfa1dc6d68f4d84b
SHA1

064af18045030703bc4c62c99f1abe5700832e8a
SHA256

096b33571e80d18c1763a3bd5d019e3177f1547b3ca6e6205a349075ce2fec18
SHA512

aa9d794e0ffb14163f3d1c2df374b99da287b7ce1df965e271921a700a9972c6ead3830f0319eb9ec2d1352e2c0a06bb192045e482b2d54fe091c29dc58946bf
SSDEEP

12288:pMFo7mq6/FqLzEvttwVnGUaGtyk6JXFajEHUC:pko7mq+I/EOoEIr

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

teebro1800.dynamic-dns.net:2195

Mutex

wyDwhmVwMImivlWa

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/812-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/812-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/812-30-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/812-29-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/812-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2784	powershell.exe
2780	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 812	2328	product sample requirement.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	product sample requirement.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	product sample requirement.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2328	product sample requirement.exe
2328	product sample requirement.exe
2328	product sample requirement.exe
2328	product sample requirement.exe
2780	powershell.exe
2784	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	product sample requirement.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	812	product sample requirement.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2780	2328	product sample requirement.exe	31
PID 2328 wrote to memory of 2780	2328	product sample requirement.exe	31
PID 2328 wrote to memory of 2780	2328	product sample requirement.exe	31
PID 2328 wrote to memory of 2780	2328	product sample requirement.exe	31
PID 2328 wrote to memory of 2784	2328	product sample requirement.exe	33
PID 2328 wrote to memory of 2784	2328	product sample requirement.exe	33
PID 2328 wrote to memory of 2784	2328	product sample requirement.exe	33
PID 2328 wrote to memory of 2784	2328	product sample requirement.exe	33
PID 2328 wrote to memory of 2304	2328	product sample requirement.exe	35
PID 2328 wrote to memory of 2304	2328	product sample requirement.exe	35
PID 2328 wrote to memory of 2304	2328	product sample requirement.exe	35
PID 2328 wrote to memory of 2304	2328	product sample requirement.exe	35
PID 2328 wrote to memory of 2932	2328	product sample requirement.exe	37
PID 2328 wrote to memory of 2932	2328	product sample requirement.exe	37
PID 2328 wrote to memory of 2932	2328	product sample requirement.exe	37
PID 2328 wrote to memory of 2932	2328	product sample requirement.exe	37
PID 2328 wrote to memory of 812	2328	product sample requirement.exe	38
PID 2328 wrote to memory of 812	2328	product sample requirement.exe	38
PID 2328 wrote to memory of 812	2328	product sample requirement.exe	38
PID 2328 wrote to memory of 812	2328	product sample requirement.exe	38
PID 2328 wrote to memory of 812	2328	product sample requirement.exe	38
PID 2328 wrote to memory of 812	2328	product sample requirement.exe	38
PID 2328 wrote to memory of 812	2328	product sample requirement.exe	38
PID 2328 wrote to memory of 812	2328	product sample requirement.exe	38
PID 2328 wrote to memory of 812	2328	product sample requirement.exe	38

C:\Users\Admin\AppData\Local\Temp\product sample requirement.exe
"C:\Users\Admin\AppData\Local\Temp\product sample requirement.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\product sample requirement.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TWmzcmqkuotC.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4200.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\product sample requirement.exe
  "C:\Users\Admin\AppData\Local\Temp\product sample requirement.exe"
  2⤵
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\product sample requirement.exe
  "C:\Users\Admin\AppData\Local\Temp\product sample requirement.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4200.tmp

Filesize
1KB

MD5
42515fe01585ce398c02a72e2496f3d6

SHA1
f1e161b7b14b3c60855ab8f92243880581b5d8b8

SHA256
6ba2f9a739419a493eeb4087cc21af7dcec3c463740ea8f2dd6c5ff1851d8fd8

SHA512
cb0ca09661a8c5ac6d48ee361f5f382daa94576aa21fb61cf654c7dbd264da645a48812031b8456f2150409941f7b85dcd6e5fd7abc1a909e0c2fad2f90bf5f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7b6936e02b52c5fedbb4f54df6863375

SHA1
47939d1a9b3eb2f90388d152eb3583930326683c

SHA256
cdf71c04775d174831179d91a957f177a0de91a3283e9257c438a811abdab015

SHA512
091a916bb4ce2efc390b36fedb0b0a1f3237ef3b2e7fdf3d02839516e3397f2e2aedbe5c2416c7a2bfbb07da48a8c9583ee1b4a89987deddd2f74954e9bcf260

Download Submit
memory/812-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/812-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/812-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/812-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/812-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/812-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/812-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/812-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2328-6-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2328-1-0x00000000000D0000-0x0000000000144000-memory.dmp

Filesize
464KB

Download
memory/2328-0-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/2328-2-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2328-3-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/2328-5-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2328-4-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download
memory/2328-31-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads