xworm | 7e123df6e3f5b7c3f91c57a9f7d7511db49e7f406e0f479df405cbc86ab92898

General

Target

NewPurchaseOrder.rtf
Size

66KB
MD5

52b9edce3719a332f117735c74d70b27
SHA1

027c2f05b720790bd29b96a54c42ea9625c6291d
SHA256

7e123df6e3f5b7c3f91c57a9f7d7511db49e7f406e0f479df405cbc86ab92898
SHA512

8ecbac8a98ba0369752ee4fa4a1fa8e48573d5cb4f3fa76d14059d9e1d7aa43fa9dcf18524c11b9cb2bb3b07011477239531934de54162dd44ce1f7e578fe848
SSDEEP

192:Tu+MOxqg6kYkpt5JwYiXyMAoyO7ttFFFFhxPWg6mKIxRpBPmwK2aYR8+m8qPHljr:5gkptLPiXjAoyGV/Ilf/E4kSTN

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2800-40-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2800-42-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2800-41-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow	pid	Process
5	2052	EQNEDT32.EXE

Downloads MZ/PE file

Drops startup file 3 IoCs

Processes:

Keily.exeRegSvcs.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keily.vbs	Keily.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	RegSvcs.exe

Executes dropped EXE 2 IoCs

Processes:

ttpayment.exeKeily.exe

pid	Process
2932	ttpayment.exe
2072	Keily.exe

Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEttpayment.exeRegSvcs.exe

pid	Process
2052	EQNEDT32.EXE
2932	ttpayment.exe
2800	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	RegSvcs.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/files/0x0005000000018697-11.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Keily.exe

description	pid	Process	procid_target
PID 2072 set thread context of 2800	2072	Keily.exe	35

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Keily.exeRegSvcs.exeWINWORD.EXEEQNEDT32.EXEttpayment.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ttpayment.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

Processes:

EQNEDT32.EXE

pid	Process
2052	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid	Process
1636	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegSvcs.exe

pid	Process
2800	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Keily.exe

pid	Process
2072	Keily.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description	pid	Process
Token: SeDebugPrivilege	2800	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

ttpayment.exeKeily.exe

pid	Process
2932	ttpayment.exe
2932	ttpayment.exe
2072	Keily.exe
2072	Keily.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

ttpayment.exeKeily.exe

pid	Process
2932	ttpayment.exe
2932	ttpayment.exe
2072	Keily.exe
2072	Keily.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXERegSvcs.exe

pid	Process
1636	WINWORD.EXE
1636	WINWORD.EXE
2800	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EQNEDT32.EXEttpayment.exeKeily.exeWINWORD.EXE

description	pid	Process	procid_target
PID 2052 wrote to memory of 2932	2052	EQNEDT32.EXE	30
PID 2052 wrote to memory of 2932	2052	EQNEDT32.EXE	30
PID 2052 wrote to memory of 2932	2052	EQNEDT32.EXE	30
PID 2052 wrote to memory of 2932	2052	EQNEDT32.EXE	30
PID 2932 wrote to memory of 2072	2932	ttpayment.exe	32
PID 2932 wrote to memory of 2072	2932	ttpayment.exe	32
PID 2932 wrote to memory of 2072	2932	ttpayment.exe	32
PID 2932 wrote to memory of 2072	2932	ttpayment.exe	32
PID 2072 wrote to memory of 2800	2072	Keily.exe	35
PID 2072 wrote to memory of 2800	2072	Keily.exe	35
PID 2072 wrote to memory of 2800	2072	Keily.exe	35
PID 2072 wrote to memory of 2800	2072	Keily.exe	35
PID 2072 wrote to memory of 2800	2072	Keily.exe	35
PID 2072 wrote to memory of 2800	2072	Keily.exe	35
PID 2072 wrote to memory of 2800	2072	Keily.exe	35
PID 2072 wrote to memory of 2800	2072	Keily.exe	35
PID 1636 wrote to memory of 1148	1636	WINWORD.EXE	37
PID 1636 wrote to memory of 1148	1636	WINWORD.EXE	37
PID 1636 wrote to memory of 1148	1636	WINWORD.EXE	37
PID 1636 wrote to memory of 1148	1636	WINWORD.EXE	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NewPurchaseOrder.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1148

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\ttpayment.exe
  "C:\Users\Admin\AppData\Local\Temp\ttpayment.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\ageless\Keily.exe
    "C:\Users\Admin\AppData\Local\Temp\ttpayment.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\ttpayment.exe"
      4⤵
      Drops startup file
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gunfights

Filesize
38KB

MD5
31b9adae5cfabbd01afb10a08d6f5635

SHA1
1046a9126d5ba77e13cb5d59545dd5c4bd2cb1ce

SHA256
25505a951156c726d6035459864684c131d527ce2081a0478cc2dbe42005b700

SHA512
eeda82bb75f7500f728e7f31a5c4b98dcaac0b2cc1fbad2ce723c3b92f78ebbf696a1630311c0a20e967fba8f7e3e5c10f2e140a953f05940ca078124210824c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttpayment.exe

Filesize
929KB

MD5
92641a47e20f8186735784351748f376

SHA1
cdbc5d83f3c6dfb725901f960133d7eca3be3bf0

SHA256
8773328b5fa6aab667879c3f3fe95b7618540c80d776338828031e9c83af27a2

SHA512
88ce243c7bf6f77d8124fac75608d6e5b825645aad591ca2b8336578ead512311ad0551ecb062defb0bcd59f5f1fa3eb88bf0d59da97e9c310b0cf3535a83e8a

Download Submit
\Users\Admin\AppData\Roaming\XClient.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1636-0-0x000000002F1E1000-0x000000002F1E2000-memory.dmp

Filesize
4KB

Download
memory/1636-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1636-2-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/1636-47-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/2800-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2800-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2800-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads