xworm | acde7c8b874d94dcc71b696b356d13f54a7c3b848b160a196979feea61d35f04

General

Target

rat test.exe
Size

69KB
MD5

59eb60dd98cdf74da6285b2253aaa71e
SHA1

eb8e7cabf1643b8fcb10b61479e7af01d6438a92
SHA256

acde7c8b874d94dcc71b696b356d13f54a7c3b848b160a196979feea61d35f04
SHA512

8ecd6a7e972d4fab01c79fc9b068e7f2cf879c56d52016c25dff71ca9b217c4a82fd330f8ab008113a95835e82e2f12f265f42326d6fbe1b991ad1a3d248a185
SSDEEP

1536:2T5btPKoUfwcaQWa5bQChtIF6vcCO/18+rdlt7:I8aQWqbQC0QcCO/fdD

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:21252

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2156-1-0x0000000001060000-0x0000000001078000-memory.dmp	family_xworm
behavioral1/files/0x000a000000004e74-30.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2588	powershell.exe
2580	powershell.exe
316	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rat test.lnk	rat test.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rat test.lnk	rat test.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rat test = "C:\\Users\\Admin\\AppData\\Local\\rat test.exe"	rat test.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rat test.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rat test.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2588	powershell.exe
2580	powershell.exe
316	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	rat test.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2156	rat test.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2588	2156	rat test.exe	31
PID 2156 wrote to memory of 2588	2156	rat test.exe	31
PID 2156 wrote to memory of 2588	2156	rat test.exe	31
PID 2156 wrote to memory of 2580	2156	rat test.exe	33
PID 2156 wrote to memory of 2580	2156	rat test.exe	33
PID 2156 wrote to memory of 2580	2156	rat test.exe	33
PID 2156 wrote to memory of 316	2156	rat test.exe	35
PID 2156 wrote to memory of 316	2156	rat test.exe	35
PID 2156 wrote to memory of 316	2156	rat test.exe	35
PID 2156 wrote to memory of 2912	2156	rat test.exe	37
PID 2156 wrote to memory of 2912	2156	rat test.exe	37
PID 2156 wrote to memory of 2912	2156	rat test.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\rat test.exe
"C:\Users\Admin\AppData\Local\Temp\rat test.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rat test.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rat test.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\rat test.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rat test" /tr "C:\Users\Admin\AppData\Local\rat test.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2912

C:\Windows\system32\taskeng.exe
taskeng.exe {1AC584E7-CE2C-4813-BED1-DEDE821DB9B8} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\rat test.exe

Filesize
69KB

MD5
59eb60dd98cdf74da6285b2253aaa71e

SHA1
eb8e7cabf1643b8fcb10b61479e7af01d6438a92

SHA256
acde7c8b874d94dcc71b696b356d13f54a7c3b848b160a196979feea61d35f04

SHA512
8ecd6a7e972d4fab01c79fc9b068e7f2cf879c56d52016c25dff71ca9b217c4a82fd330f8ab008113a95835e82e2f12f265f42326d6fbe1b991ad1a3d248a185

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6b8db5ec4dc40fff4307bda6b3e2922b

SHA1
799b601f3b010d9c2f7e6fea3a66f7419ee22a6b

SHA256
b934dc2a6bc076d37adf756b3e5efc7c0c9253c5625f6aa0e2ac7302dfca476e

SHA512
89f7c346707b17f5950aa2e10b1855232fff384cc0895a28a83319895ed0170333d3763d639bc5dc162dc23c946b7d7721573f88d84dc314523fdb8e2070ec38

Download Submit
memory/2156-2-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2156-28-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2156-1-0x0000000001060000-0x0000000001078000-memory.dmp

Filesize
96KB

Download
memory/2156-32-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-15-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2580-16-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2588-7-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2588-8-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2588-9-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads