xworm | 9df8c23f18ef49662420510fd26519f1d975f7ae217af46ca58343284090d28e

General

Target

Solara.exe
Size

53.0MB
MD5

44a04e5d735a5c6f0a8f8866867111ff
SHA1

c47f6cf5d11f51442f4e42534db4bee6b52ca2b6
SHA256

03194e16bdfc38e781ebbc7eea7b6273370d4991aa7a12bbf100ef53feefa7ee
SHA512

97ebde8201a839327e48618e2aad4098600c51b7a963943b2597875570cdd4e634b647dc800de8cbde9cbbe6ac63f01e04dbd0cd8df8ec275ecacd9c0173fb06
SSDEEP

1572864:oD0LQqMrlpA+Ql4Jd6xTivfSQqiu8VNmn:oOyklm6xenDOIgn

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:18549

25.ip.gl.ply.gg:18549

cover-expanded.gl.at.ply.gg:18549

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000120d6-2.dat	family_xworm
behavioral1/memory/2500-6-0x0000000000AB0000-0x0000000000AC8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2300	powershell.exe
2940	powershell.exe
2604	powershell.exe
3068	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	xcclienttt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	xcclienttt.exe

Executes dropped EXE 1 IoCs

pid	Process
2500	xcclienttt.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	Solara.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\svhost"	xcclienttt.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2300	powershell.exe
2940	powershell.exe
2604	powershell.exe
3068	powershell.exe
2500	xcclienttt.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	xcclienttt.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2500	xcclienttt.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2500	xcclienttt.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2500	2072	Solara.exe	31
PID 2072 wrote to memory of 2500	2072	Solara.exe	31
PID 2072 wrote to memory of 2500	2072	Solara.exe	31
PID 2072 wrote to memory of 2500	2072	Solara.exe	31
PID 2500 wrote to memory of 2300	2500	xcclienttt.exe	33
PID 2500 wrote to memory of 2300	2500	xcclienttt.exe	33
PID 2500 wrote to memory of 2300	2500	xcclienttt.exe	33
PID 2500 wrote to memory of 2940	2500	xcclienttt.exe	35
PID 2500 wrote to memory of 2940	2500	xcclienttt.exe	35
PID 2500 wrote to memory of 2940	2500	xcclienttt.exe	35
PID 2500 wrote to memory of 2604	2500	xcclienttt.exe	37
PID 2500 wrote to memory of 2604	2500	xcclienttt.exe	37
PID 2500 wrote to memory of 2604	2500	xcclienttt.exe	37
PID 2500 wrote to memory of 3068	2500	xcclienttt.exe	39
PID 2500 wrote to memory of 3068	2500	xcclienttt.exe	39
PID 2500 wrote to memory of 3068	2500	xcclienttt.exe	39

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\xcclienttt.exe
  "C:\Users\Admin\AppData\Local\Temp\xcclienttt.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\xcclienttt.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'xcclienttt.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svhost'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7589651fd7a3eecbe938afc9787805f5

SHA1
a329624058d3a55b78b40fc0679bddce67ff8e30

SHA256
942f97aa4161bc97b842b7cd1525cbe49efc43a891efe594db0948c0da46b726

SHA512
e8fd3f8da25bfae7bda28d4d0a58cadec0d3b0b545c9ccbc89bac1ee24804bef5540f7e56630b81fcd7bc9c53356953a5259dc68d19dfed91406be400cfb9085

Download Submit
\Users\Admin\AppData\Local\Temp\xcclienttt.exe

Filesize
74KB

MD5
e2f51c1dcd3817d78cd48d3e277e8b57

SHA1
4cf550105fb4ebe4cf44eac5ca4c4f0cf9ac4c76

SHA256
9e67e09788d64c5b287ea2f2f35293d772dff653b10c0a86249eaf3d234f50ed

SHA512
303ff909e5d17fa5dd3689fa92d6220593fe27e692fb910e0b5f9af0bf51118d0e5aede8d35762f401dc0f17f0d8b8a794f54fabf391663ea7dd0f9ea0cb1c5b

Download Submit
memory/2072-7-0x0000000000400000-0x0000000003909000-memory.dmp

Filesize
53.0MB

Download
memory/2300-12-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2300-13-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2500-6-0x0000000000AB0000-0x0000000000AC8000-memory.dmp

Filesize
96KB

Download
memory/2940-19-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2940-20-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads