xworm | 4414027d7369fa5b62c6cff9836dc792389c085defc5cba782793159e81036b1

General

Target

Spoofer.exe
Size

90KB
MD5

cb8398c640f85445d6e14a2e325eb826
SHA1

2e888003ab1bda0e17297361901be57fbc746e4e
SHA256

4414027d7369fa5b62c6cff9836dc792389c085defc5cba782793159e81036b1
SHA512

268d3bace276b09e15f089e5e19b0181c3060c2965f1d24a2355123bfff8d0f274051c24132040002a0abf727f259756fecebc858050eeaa5445525a7d9d4833
SSDEEP

1536:5jx25uS8KkpHTe9yivqHLrZ+UGpCr8lFo4XwCjAaBhlPrTAdxJ2MT6UaIPxnLxHY:51KuNrpH21CHLt9GMCbHlPXAhEU3xZ6z

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

trip-thesaurus.gl.at.ply.gg:16715

Attributes

Install_directory
%AppData%
install_file
SecurityHealthSystray.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120fd-2.dat	family_xworm
behavioral1/memory/2760-7-0x0000000000C50000-0x0000000000C6C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2960	powershell.exe
2108	powershell.exe
1964	powershell.exe
864	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	Woofer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	Woofer.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	Woofer.exe

Loads dropped DLL 1 IoCs

pid	Process
2328	Spoofer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthSystray.exe"	Woofer.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1144	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2760	Woofer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2644	powershell.exe
2960	powershell.exe
2108	powershell.exe
1964	powershell.exe
864	powershell.exe
2760	Woofer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	Woofer.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	2760	Woofer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2760	Woofer.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2644	2328	Spoofer.exe	30
PID 2328 wrote to memory of 2644	2328	Spoofer.exe	30
PID 2328 wrote to memory of 2644	2328	Spoofer.exe	30
PID 2328 wrote to memory of 2644	2328	Spoofer.exe	30
PID 2328 wrote to memory of 2760	2328	Spoofer.exe	32
PID 2328 wrote to memory of 2760	2328	Spoofer.exe	32
PID 2328 wrote to memory of 2760	2328	Spoofer.exe	32
PID 2328 wrote to memory of 2760	2328	Spoofer.exe	32
PID 2760 wrote to memory of 2960	2760	Woofer.exe	34
PID 2760 wrote to memory of 2960	2760	Woofer.exe	34
PID 2760 wrote to memory of 2960	2760	Woofer.exe	34
PID 2760 wrote to memory of 2108	2760	Woofer.exe	36
PID 2760 wrote to memory of 2108	2760	Woofer.exe	36
PID 2760 wrote to memory of 2108	2760	Woofer.exe	36
PID 2760 wrote to memory of 1964	2760	Woofer.exe	38
PID 2760 wrote to memory of 1964	2760	Woofer.exe	38
PID 2760 wrote to memory of 1964	2760	Woofer.exe	38
PID 2760 wrote to memory of 864	2760	Woofer.exe	40
PID 2760 wrote to memory of 864	2760	Woofer.exe	40
PID 2760 wrote to memory of 864	2760	Woofer.exe	40
PID 2760 wrote to memory of 1144	2760	Woofer.exe	42
PID 2760 wrote to memory of 1144	2760	Woofer.exe	42
PID 2760 wrote to memory of 1144	2760	Woofer.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYgBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAawBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAdQBnACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Users\Admin\AppData\Roaming\Woofer.exe
  "C:\Users\Admin\AppData\Roaming\Woofer.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Woofer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Woofer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JEOJKBD7YHV2NSRNK8PQ.temp

Filesize
7KB

MD5
5921b399230cdc1871c6c3d0b89f66ef

SHA1
880ac6dae6b63d5f97114d84fe31064f2b14c711

SHA256
07a4977409ea0c9c8458fe5c4a9ae5ea8fdf6a7978ddac10cb807e8f25401580

SHA512
1f0bbb4289de1c01493b8b628406c41f3af6d75ff6bc968ba80775486266c6b3999fd26efcdb55e378893be0577e38460a09661a71275408d7a58cca12980212

Download Submit
\Users\Admin\AppData\Roaming\Woofer.exe

Filesize
84KB

MD5
401884996ecf50f3c44e4bc55e228b3c

SHA1
8eec44a33a180a8ea816f1d07d40c396dfa243d0

SHA256
602eb973f30d7c9533eb827f3731b057e17271bcc7617c1526c9909b71baa683

SHA512
ea8b57b10ad3c569e2456c0cfedaada977db6f8dd768e15800e3af535b68299e66e3f77df613ee3a30a8bcd68a8deff315f5531ac6a40135de0a0126a28e6d08

Download Submit
memory/2108-22-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2108-23-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2760-6-0x000007FEF4EE3000-0x000007FEF4EE4000-memory.dmp

Filesize
4KB

Download
memory/2760-7-0x0000000000C50000-0x0000000000C6C000-memory.dmp

Filesize
112KB

Download
memory/2760-39-0x000007FEF4EE3000-0x000007FEF4EE4000-memory.dmp

Filesize
4KB

Download
memory/2960-15-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2960-16-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads