xworm | d85a5c0fecaca2bea8850f166dd29dcbc4e007ab34ee7d8ec4a37d80368c1767

General

Target

XWorm_V5.6.rar
Size

22.7MB
MD5

0ba35875f8c027f4e5e2b3026d6e77f0
SHA1

94343c17f309dfe58424610cc3907213cfd75c65
SHA256

d85a5c0fecaca2bea8850f166dd29dcbc4e007ab34ee7d8ec4a37d80368c1767
SHA512

ff425f0f70dadf1ea52fcad7024c31e7e1f4504eb01e12aa3c7f7d73199b6c43ac09495bb4f9801d77eaf34ad14928d9cb30b25536d31a1221384e5f7e275225
SSDEEP

393216:XQF38cJlfLW9VdrlB09QCOJnyodRh8IGMryjJ28AeqzquS69S6Vr1M8h6vcQavYQ:XO38Kf6VdrqQCcCMryjJCe4quZE6VxYm

Score

10^/10

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002ab69-58.dat	family_xworm
behavioral1/memory/824-59-0x0000000000460000-0x0000000000494000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
916	powershell.exe

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x001c00000002ab53-4.dat	net_reactor
behavioral1/files/0x001a00000002ab69-58.dat	net_reactor
behavioral1/memory/824-59-0x0000000000460000-0x0000000000494000-memory.dmp	net_reactor

Executes dropped EXE 3 IoCs

pid	Process
972	XwormLoader.exe
3412	Xworm V5.6.exe
824	taskhostw.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\taskhostw.exe	XwormLoader.exe
File opened for modification	C:\Windows\taskhostw.exe	XwormLoader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3328	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
824	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
916	powershell.exe
916	powershell.exe
3464	7zFM.exe
3464	7zFM.exe
824	taskhostw.exe
3464	7zFM.exe
3464	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3464	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	3464	7zFM.exe
Token: 35	3464	7zFM.exe
Token: SeSecurityPrivilege	3464	7zFM.exe
Token: SeDebugPrivilege	972	XwormLoader.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	824	taskhostw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3464	7zFM.exe
3464	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
824	taskhostw.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 972	3464	7zFM.exe	77
PID 3464 wrote to memory of 972	3464	7zFM.exe	77
PID 972 wrote to memory of 3412	972	XwormLoader.exe	81
PID 972 wrote to memory of 3412	972	XwormLoader.exe	81
PID 972 wrote to memory of 916	972	XwormLoader.exe	82
PID 972 wrote to memory of 916	972	XwormLoader.exe	82
PID 972 wrote to memory of 3328	972	XwormLoader.exe	84
PID 972 wrote to memory of 3328	972	XwormLoader.exe	84
PID 972 wrote to memory of 824	972	XwormLoader.exe	86
PID 972 wrote to memory of 824	972	XwormLoader.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm_V5.6.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\7zO88D74D97\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO88D74D97\XwormLoader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\7zO88D74D97\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO88D74D97\Xworm V5.6.exe"
    3⤵
    - Executes dropped EXE
    PID:3412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "taskhostw" /SC ONLOGON /TR "C:\Windows\taskhostw.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3328
- - C:\Windows\taskhostw.exe
    "C:\Windows\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO88D74D97\Xworm V5.6.exe

Filesize
14.9MB

MD5
cac67604904dce94d230953f170d4391

SHA1
9ea639f23a5699bb66ca5da55b2458347aed6f13

SHA256
64e5b7463d340b9a8b9d911860b4d635b0cf68afbe3593ed3cc6cbb13db0b27b

SHA512
af358008abb47a345a53dab222a01ab6c0ed10185fca8d2be9af2892161f150c8cc8a7f75272d1eb1acd17b49f32d3531adbc1cfdd153cc7c3e90841cabe766a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO88D74D97\XwormLoader.exe

Filesize
7.9MB

MD5
004c566cb64a9b99f4422a767c072a22

SHA1
ab709644ce1f58b4a1874351a7971dd3fb9466a6

SHA256
d0c67ff5fa0ac161777a95d150fa523e0b26ea106144f99c32de8716a880236e

SHA512
9c0d2fa2bb5137e2d5934ff985c710a371c8f74d67f92a914da0ece44c2660d8abca5d90188ac5088e885d7e197c4ebb3488faf01516435e9e781c367f6bcc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtzuylqz.jzt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\taskhostw.exe

Filesize
183KB

MD5
31207a3ec25c1530f368a0298d108a09

SHA1
e80b4ef16a1f3df9764e6e9ae92a5372276a3a83

SHA256
7063531cc8e3c206a2f5c23c033d382dd1f2296650196179f8c64d68588288c8

SHA512
861538173fed16fbadd131659bc4289cd72f0a716d2d84bd9918a2b8c565e1cfdd4656cc40463d4c17356d6b9ab290f5fb0d323bfce9f3ed194993fc7f4fc523

Download Submit
memory/824-59-0x0000000000460000-0x0000000000494000-memory.dmp

Filesize
208KB

Download
memory/916-34-0x00000187732B0000-0x00000187732D2000-memory.dmp

Filesize
136KB

Download
memory/972-16-0x000000001C000000-0x000000001C0A6000-memory.dmp

Filesize
664KB

Download
memory/972-18-0x00007FF894940000-0x00007FF8952E1000-memory.dmp

Filesize
9.6MB

Download
memory/972-19-0x00007FF894940000-0x00007FF8952E1000-memory.dmp

Filesize
9.6MB

Download
memory/972-20-0x00007FF894940000-0x00007FF8952E1000-memory.dmp

Filesize
9.6MB

Download
memory/972-17-0x00007FF894940000-0x00007FF8952E1000-memory.dmp

Filesize
9.6MB

Download
memory/972-15-0x000000001B9C0000-0x000000001BA22000-memory.dmp

Filesize
392KB

Download
memory/972-14-0x00007FF894940000-0x00007FF8952E1000-memory.dmp

Filesize
9.6MB

Download
memory/972-13-0x00007FF894940000-0x00007FF8952E1000-memory.dmp

Filesize
9.6MB

Download
memory/972-12-0x00007FF894BF5000-0x00007FF894BF6000-memory.dmp

Filesize
4KB

Download
memory/972-60-0x00007FF894940000-0x00007FF8952E1000-memory.dmp

Filesize
9.6MB

Download
memory/3412-38-0x0000025C5EC10000-0x0000025C5FAF8000-memory.dmp

Filesize
14.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads