xworm | 238bd89de11cbe6b00e7bf57f13863394bed494b73d09570011f27b87270b51a

General

Target

238bd89de11cbe6b00e7bf57f13863394bed494b73d09570011f27b87270b51a.exe
Size

7.7MB
MD5

027ad6a104d074597068c1781cc0c90d
SHA1

b489c6f4d29db588ecfc65df7ea92d6c23de4a20
SHA256

238bd89de11cbe6b00e7bf57f13863394bed494b73d09570011f27b87270b51a
SHA512

0e3beecff23c8d426d859758b5c9aa4490e5d47ea69e4301c73fe499bd6535ec8dfe22dae552c8e14203d78768cd2ccfb70f78e876de2ba4b2532cf502b40e4f
SSDEEP

196608:xKLCFU/jHq/puROyhxeyOC7+oiRkbtejBe5:xmq/pkOYxehohbt

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:18194

soon-logical.gl.at.ply.gg:18194

Mutex

APoxCrOmNOvTLB4L

Attributes

Install_directory
%Userprofile%
install_file
chrome.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/380-13-0x00000000000B0000-0x00000000000C0000-memory.dmp	family_xworm
behavioral1/files/0x0008000000019441-12.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2688	powershell.exe
1204	powershell.exe
2860	powershell.exe
2668	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk	start.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk	start.exe

Executes dropped EXE 2 IoCs

pid	Process
284	Xworm V5.6.exe
380	start.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\chrome.exe"	start.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2668	powershell.exe
2688	powershell.exe
1204	powershell.exe
2860	powershell.exe
380	start.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	start.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	380	start.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
380	start.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 284	1404	238bd89de11cbe6b00e7bf57f13863394bed494b73d09570011f27b87270b51a.exe	31
PID 1404 wrote to memory of 284	1404	238bd89de11cbe6b00e7bf57f13863394bed494b73d09570011f27b87270b51a.exe	31
PID 1404 wrote to memory of 284	1404	238bd89de11cbe6b00e7bf57f13863394bed494b73d09570011f27b87270b51a.exe	31
PID 1404 wrote to memory of 380	1404	238bd89de11cbe6b00e7bf57f13863394bed494b73d09570011f27b87270b51a.exe	32
PID 1404 wrote to memory of 380	1404	238bd89de11cbe6b00e7bf57f13863394bed494b73d09570011f27b87270b51a.exe	32
PID 1404 wrote to memory of 380	1404	238bd89de11cbe6b00e7bf57f13863394bed494b73d09570011f27b87270b51a.exe	32
PID 380 wrote to memory of 2668	380	start.exe	33
PID 380 wrote to memory of 2668	380	start.exe	33
PID 380 wrote to memory of 2668	380	start.exe	33
PID 380 wrote to memory of 2688	380	start.exe	35
PID 380 wrote to memory of 2688	380	start.exe	35
PID 380 wrote to memory of 2688	380	start.exe	35
PID 380 wrote to memory of 1204	380	start.exe	37
PID 380 wrote to memory of 1204	380	start.exe	37
PID 380 wrote to memory of 1204	380	start.exe	37
PID 380 wrote to memory of 2860	380	start.exe	39
PID 380 wrote to memory of 2860	380	start.exe	39
PID 380 wrote to memory of 2860	380	start.exe	39
PID 284 wrote to memory of 2528	284	Xworm V5.6.exe	41
PID 284 wrote to memory of 2528	284	Xworm V5.6.exe	41
PID 284 wrote to memory of 2528	284	Xworm V5.6.exe	41

C:\Users\Admin\AppData\Local\Temp\238bd89de11cbe6b00e7bf57f13863394bed494b73d09570011f27b87270b51a.exe
"C:\Users\Admin\AppData\Local\Temp\238bd89de11cbe6b00e7bf57f13863394bed494b73d09570011f27b87270b51a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:284
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 284 -s 732
    3⤵
    PID:2528
- C:\Users\Admin\AppData\Local\Temp\start.exe
  "C:\Users\Admin\AppData\Local\Temp\start.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\start.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'start.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
39KB

MD5
51e4348a35c9b40b0136fa204442f9c2

SHA1
aea47a3a717ca9cce49966093def7d8f5a53709a

SHA256
a8047efe920772b13508683a7d80de379b0cf2dc40b39a9cd37f949de6a90479

SHA512
f15353f1b29ead57efe865935ef0cbd9efa2f0e81e47a92993279a59ea4174fde1e9bb2546c35deda6cfa641cfa0ecd58f8a2f6006f0589ce95553d7debfa3bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c6785b5ccefb9b72f3978a37d875179e

SHA1
b77d1502c1003a05c56187aeab47f43a2e237a57

SHA256
ebf908bb2f807629d0ae2e35bd1876c2dde815797fbf752da77ecc24eb0c60bf

SHA512
66029ff79c5ffeba65f214c9921ac6ddccf429553c1eff42f7d96107fb67026fb44b79e9f07023664c94b6e862693d55b109eae11879155b315e3a99a8bf90a3

Download Submit
memory/284-46-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/284-14-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/284-15-0x0000000000D20000-0x0000000001C08000-memory.dmp

Filesize
14.9MB

Download
memory/380-13-0x00000000000B0000-0x00000000000C0000-memory.dmp

Filesize
64KB

Download
memory/1404-16-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1404-0-0x000007FEF6573000-0x000007FEF6574000-memory.dmp

Filesize
4KB

Download
memory/1404-2-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1404-1-0x0000000001360000-0x0000000001B16000-memory.dmp

Filesize
7.7MB

Download
memory/2668-21-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2668-22-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2688-28-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2688-29-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads