xworm | f9cd798df715647337e56cedf49fcf778ed456d82f4a39114830e6de52568696

Reason

Machine shutdown

General

Target

2024-01-10-18-19-14.exe
Size

74KB
MD5

2536196d167ace8223ae7453964efc43
SHA1

56299f1745c8ec79d0208b14d10eb744d927b70e
SHA256

f9cd798df715647337e56cedf49fcf778ed456d82f4a39114830e6de52568696
SHA512

625b771cdda5f60569657c6c347dc22deda3cc545f783f212a6a48a6d4c013d65e18b67ec8124e6e58fe84f80d511a4ce29bc657d94911b13e30fbc86da6aa5c
SSDEEP

1536:l09hsM7RYzLo4DsZSICu4My9mGm51dU0tppsOuVggs0Rh69:lCD7RcjDs0ICuesGodXXM3R

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

trip-thesaurus.gl.at.ply.gg:16715

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000029ed0-4.dat	family_xworm
behavioral1/memory/2784-12-0x0000000000AC0000-0x0000000000AD8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3652	powershell.exe
3812	powershell.exe
1164	powershell.exe
3372	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	2024-01-10-18-19-14.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	2024-01-10-18-19-14.exe

Executes dropped EXE 2 IoCs

pid	Process
2784	2024-01-10-18-19-14.exe
1984	SecurityHealthSystray

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthSystray"	2024-01-10-18-19-14.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\2024-01-10-18-19-14.exe	2024-01-10-18-19-14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-01-10-18-19-14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "228"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4800	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2784	2024-01-10-18-19-14.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1340	powershell.exe
1340	powershell.exe
3812	powershell.exe
3812	powershell.exe
1164	powershell.exe
1164	powershell.exe
3372	powershell.exe
3372	powershell.exe
3652	powershell.exe
3652	powershell.exe
2784	2024-01-10-18-19-14.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	2024-01-10-18-19-14.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	2784	2024-01-10-18-19-14.exe
Token: SeDebugPrivilege	1984	SecurityHealthSystray
Token: SeShutdownPrivilege	4336	shutdown.exe
Token: SeRemoteShutdownPrivilege	4336	shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2784	2024-01-10-18-19-14.exe
3508	LogonUI.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 1340	5024	2024-01-10-18-19-14.exe	77
PID 5024 wrote to memory of 1340	5024	2024-01-10-18-19-14.exe	77
PID 5024 wrote to memory of 1340	5024	2024-01-10-18-19-14.exe	77
PID 5024 wrote to memory of 2784	5024	2024-01-10-18-19-14.exe	79
PID 5024 wrote to memory of 2784	5024	2024-01-10-18-19-14.exe	79
PID 2784 wrote to memory of 3812	2784	2024-01-10-18-19-14.exe	81
PID 2784 wrote to memory of 3812	2784	2024-01-10-18-19-14.exe	81
PID 2784 wrote to memory of 1164	2784	2024-01-10-18-19-14.exe	83
PID 2784 wrote to memory of 1164	2784	2024-01-10-18-19-14.exe	83
PID 2784 wrote to memory of 3372	2784	2024-01-10-18-19-14.exe	85
PID 2784 wrote to memory of 3372	2784	2024-01-10-18-19-14.exe	85
PID 2784 wrote to memory of 3652	2784	2024-01-10-18-19-14.exe	87
PID 2784 wrote to memory of 3652	2784	2024-01-10-18-19-14.exe	87
PID 2784 wrote to memory of 4800	2784	2024-01-10-18-19-14.exe	89
PID 2784 wrote to memory of 4800	2784	2024-01-10-18-19-14.exe	89
PID 2784 wrote to memory of 4336	2784	2024-01-10-18-19-14.exe	92
PID 2784 wrote to memory of 4336	2784	2024-01-10-18-19-14.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-01-10-18-19-14.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10-18-19-14.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdgBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAaABqACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\2024-01-10-18-19-14.exe
  "C:\Windows\2024-01-10-18-19-14.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\2024-01-10-18-19-14.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2024-01-10-18-19-14.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4800
- - C:\Windows\SYSTEM32\shutdown.exe
    shutdown.exe /f /s /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4336

C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a07855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a287707e1e76dd9e002b1961be29ad0

SHA1
8ec256db90072b98064e986d58be4ffc7a04a4cf

SHA256
c32cacc7309da41133879871e0c04b81c8349d9f04e73592327f05aeefedb304

SHA512
08472fd732d9b491badc2519a73d2bc21031a8f72e4e910ec9f117b7feb2431f84e2620c6e3e9010038a4bbc599942421458d0732032411944dc6bec3fc1428c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gjom3crh.0fz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\2024-01-10-18-19-14.exe

Filesize
68KB

MD5
0c8294e9d43eab4f86105d4c92afbfa0

SHA1
338416be49b72459690d9bc8e5d0da66dae8ffd5

SHA256
55b9e348d510dcaeb9ac6d33eb7d4057cbfe186feb3ce476eb26935db1fd393d

SHA512
f24cd690851ce0a2dff4c009ebc87d8072c6ad76cfaa5ff16fa318af87887fbc623fdfe26b141b4c1c7ab8f911bbae503b7514fb8ef5229f5579b5a5106be491

Download Submit
memory/1340-43-0x00000000070E0000-0x0000000007184000-memory.dmp

Filesize
656KB

Download
memory/1340-46-0x0000000007860000-0x0000000007EDA000-memory.dmp

Filesize
6.5MB

Download
memory/1340-19-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/1340-18-0x00000000051C0000-0x0000000005226000-memory.dmp

Filesize
408KB

Download
memory/1340-16-0x0000000005260000-0x000000000588A000-memory.dmp

Filesize
6.2MB

Download
memory/1340-28-0x00000000059C0000-0x0000000005D17000-memory.dmp

Filesize
3.3MB

Download
memory/1340-29-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/1340-30-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

Filesize
304KB

Download
memory/1340-32-0x0000000071110000-0x000000007115C000-memory.dmp

Filesize
304KB

Download
memory/1340-31-0x00000000064A0000-0x00000000064D4000-memory.dmp

Filesize
208KB

Download
memory/1340-41-0x0000000075030000-0x00000000757E1000-memory.dmp

Filesize
7.7MB

Download
memory/1340-42-0x00000000070B0000-0x00000000070CE000-memory.dmp

Filesize
120KB

Download
memory/1340-15-0x0000000075030000-0x00000000757E1000-memory.dmp

Filesize
7.7MB

Download
memory/1340-44-0x0000000075030000-0x00000000757E1000-memory.dmp

Filesize
7.7MB

Download
memory/1340-45-0x0000000075030000-0x00000000757E1000-memory.dmp

Filesize
7.7MB

Download
memory/1340-17-0x0000000005120000-0x0000000005142000-memory.dmp

Filesize
136KB

Download
memory/1340-47-0x0000000007220000-0x000000000723A000-memory.dmp

Filesize
104KB

Download
memory/1340-48-0x00000000072B0000-0x00000000072BA000-memory.dmp

Filesize
40KB

Download
memory/1340-79-0x0000000075030000-0x00000000757E1000-memory.dmp

Filesize
7.7MB

Download
memory/1340-50-0x00000000074B0000-0x0000000007546000-memory.dmp

Filesize
600KB

Download
memory/1340-51-0x0000000007430000-0x0000000007441000-memory.dmp

Filesize
68KB

Download
memory/1340-52-0x0000000007470000-0x000000000747E000-memory.dmp

Filesize
56KB

Download
memory/1340-53-0x0000000007480000-0x0000000007495000-memory.dmp

Filesize
84KB

Download
memory/1340-54-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/1340-13-0x000000007503E000-0x000000007503F000-memory.dmp

Filesize
4KB

Download
memory/1340-66-0x0000000007560000-0x0000000007568000-memory.dmp

Filesize
32KB

Download
memory/1340-14-0x0000000002A10000-0x0000000002A46000-memory.dmp

Filesize
216KB

Download
memory/2784-49-0x000000001B9C0000-0x000000001B9D0000-memory.dmp

Filesize
64KB

Download
memory/2784-12-0x0000000000AC0000-0x0000000000AD8000-memory.dmp

Filesize
96KB

Download
memory/2784-11-0x00007FFB445D3000-0x00007FFB445D5000-memory.dmp

Filesize
8KB

Download
memory/2784-105-0x000000001B9C0000-0x000000001B9D0000-memory.dmp

Filesize
64KB

Download
memory/3812-55-0x0000015A8A2D0000-0x0000015A8A2F2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads