xworm | fea9620c907c32bef37b6e5a08699eae88ecc0ee014e52495a39a46312d4766f

General

Target

loader.exe
Size

2.6MB
MD5

2b45969ccbd973f5bc6a10716093e00b
SHA1

596467ce3d6a3a3a80abaca3b8df30a52c95ccab
SHA256

fea9620c907c32bef37b6e5a08699eae88ecc0ee014e52495a39a46312d4766f
SHA512

b985d5a73027e07519d8f180b6b87e1b95f6a5185dc279db783f3c6f5e788b0bb9279f74bd4bb1a52fb766970d34a0e2a3a67446fd825f70d68981ef77264578
SSDEEP

49152:Uhsk/i2lNbPzoc9MmJdW8zo7UqT31p+/JLD9bC8N1FIZfIUzon0KW6My0+:gni2lRoNYo7DT3m/JL5bCCEbo0KW6

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

185.94.29.228:4444

Attributes

Install_directory
%Temp%
install_file
Spotify.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012116-5.dat	family_xworm
behavioral1/memory/2772-7-0x0000000000A20000-0x0000000000A36000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2852	powershell.exe
2448	powershell.exe
1896	powershell.exe
1436	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spotify.lnk	spotify.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spotify.lnk	spotify.exe

Executes dropped EXE 3 IoCs

pid	Process
2772	spotify.exe
2784	loaderr.exe
1136	loaderr.exe

Loads dropped DLL 2 IoCs

pid	Process
2660	loader.exe
2784	loaderr.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2784	loaderr.exe
1436	powershell.exe
2852	powershell.exe
2448	powershell.exe
1896	powershell.exe
2772	spotify.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	spotify.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2772	spotify.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2772	spotify.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2772	2660	loader.exe	30
PID 2660 wrote to memory of 2772	2660	loader.exe	30
PID 2660 wrote to memory of 2772	2660	loader.exe	30
PID 2660 wrote to memory of 2784	2660	loader.exe	31
PID 2660 wrote to memory of 2784	2660	loader.exe	31
PID 2660 wrote to memory of 2784	2660	loader.exe	31
PID 2784 wrote to memory of 1136	2784	loaderr.exe	32
PID 2784 wrote to memory of 1136	2784	loaderr.exe	32
PID 2784 wrote to memory of 1136	2784	loaderr.exe	32
PID 1136 wrote to memory of 2688	1136	loaderr.exe	34
PID 1136 wrote to memory of 2688	1136	loaderr.exe	34
PID 1136 wrote to memory of 2688	1136	loaderr.exe	34
PID 2772 wrote to memory of 1436	2772	spotify.exe	36
PID 2772 wrote to memory of 1436	2772	spotify.exe	36
PID 2772 wrote to memory of 1436	2772	spotify.exe	36
PID 2772 wrote to memory of 2852	2772	spotify.exe	38
PID 2772 wrote to memory of 2852	2772	spotify.exe	38
PID 2772 wrote to memory of 2852	2772	spotify.exe	38
PID 2772 wrote to memory of 2448	2772	spotify.exe	40
PID 2772 wrote to memory of 2448	2772	spotify.exe	40
PID 2772 wrote to memory of 2448	2772	spotify.exe	40
PID 2772 wrote to memory of 1896	2772	spotify.exe	42
PID 2772 wrote to memory of 1896	2772	spotify.exe	42
PID 2772 wrote to memory of 1896	2772	spotify.exe	42

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Public\spotify.exe
  "C:\Users\Public\spotify.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\spotify.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spotify.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spotify.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Spotify.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- C:\Users\Public\loaderr.exe
  "C:\Users\Public\loaderr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Public\loaderr.exe
    "C:\Users\Public\loaderr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d656b1589bfa0d968c08259262980ffb

SHA1
71a45a712230062b1ddfed87af8818ac9bc4af14

SHA256
f8f10299648f62839694003eb94b8e69370ab4959ba858f1a051d7dd96d9a9a2

SHA512
59e28d1559164951606242625b3dacf66f7b4f8d2e2188c054f5c8a83aee06315347750d925957d0a0a97c5f891afb7a6ed89ae319109cc1c912a115d037ddae

Download Submit
C:\Users\Public\loaderr.exe

Filesize
2.6MB

MD5
70fe91a0c5f9296f4308747688d8ab23

SHA1
6373f4d14fdfd86e331aea70e992ce34c7042352

SHA256
d0044db239a246c9f854c9a0d3fff9fad04a5f4d2af570d259d39462d2842332

SHA512
0f23e322325ef03a270389cf44ac0caa162780f076e28da487f2ede7cc1c0a6c2ae23e3ea376cc0674f49c64849bbaa891e9a1d4ae2c8276ac90680b2267bb32

Download Submit
C:\Users\Public\spotify.exe

Filesize
64KB

MD5
170e58907106b43016812cecfe258605

SHA1
eee4342a64a84bbc386656b332ba4c4790be6fdd

SHA256
918f973b0d444685b0d85469a76bc0f4a6c75345b68aa2ea80206b280ba50eb4

SHA512
b39262ffab616fffbcfd4f276e44e72dad99f5463d6d9ae262cd7a5b96aa66d07d20e2429fc230a140110c01ba1d397abb9e1c8c265e3b76e8a3debb31d058e2

Download Submit
memory/1436-23-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/1436-22-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2660-1-0x00000000001A0000-0x0000000000448000-memory.dmp

Filesize
2.7MB

Download
memory/2660-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2772-7-0x0000000000A20000-0x0000000000A36000-memory.dmp

Filesize
88KB

Download
memory/2772-17-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2772-16-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2772-47-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2772-48-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2852-29-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2852-30-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing