xworm | 193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16

General

Target

193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe
Size

57KB
MD5

ea2155a8336ee66cc394276af9df5a20
SHA1

2ab9a7e04d7b2b377f44b6edb7faa603be50f760
SHA256

193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16
SHA512

b86fdcbd8456d2c670860fe249ebe4d782b584f00fc7100f5e479b2904705226a1231b48b209d2e61561b30eb9caa6e9fd496410776a032d275dd198758ea067
SSDEEP

1536:zL4nvOCq2RCXkOlKHI6Or6kIIJ2vb/UEzsoO6LAJPxOsL:zL4o2kiUdWbcqrA1xOsL

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

192.168.10.71:1177

Attributes

Install_directory
%Public%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2176-1-0x0000000000010000-0x0000000000024000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
652	powershell.exe
2792	powershell.exe
2712	powershell.exe
2752	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discordservices.lnk	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discordservices.lnk	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
652	powershell.exe
2792	powershell.exe
2712	powershell.exe
2752	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 652	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	32
PID 2176 wrote to memory of 652	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	32
PID 2176 wrote to memory of 652	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	32
PID 2176 wrote to memory of 2792	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	34
PID 2176 wrote to memory of 2792	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	34
PID 2176 wrote to memory of 2792	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	34
PID 2176 wrote to memory of 2712	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	36
PID 2176 wrote to memory of 2712	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	36
PID 2176 wrote to memory of 2712	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	36
PID 2176 wrote to memory of 2752	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	38
PID 2176 wrote to memory of 2752	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	38
PID 2176 wrote to memory of 2752	2176	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	38

C:\Users\Admin\AppData\Local\Temp\193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe
"C:\Users\Admin\AppData\Local\Temp\193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Discordservices'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discordservices'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8018246cd5990e65cbd46f81e76dfc3e

SHA1
244204c585b4cde5221b9c94d4eb645bc3c7a139

SHA256
977cb777b9051f4e9c29e61b52431e3d8417e57f1b82f46f104ce280a0eabf72

SHA512
800affd2aa1c3d9ea3070fde7d7304cb59ff90252ef1c9057bfb67fcfe4da9b0117ab4768e098fd097d104556fcd84211be0ee0db60c876f64edff4d557c6dfc

Download Submit
memory/652-7-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/652-8-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/652-9-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2176-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x0000000000010000-0x0000000000024000-memory.dmp

Filesize
80KB

Download
memory/2176-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2176-27-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2176-31-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-15-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2792-16-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing