xworm | 193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16

General

Target

193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe
Size

57KB
MD5

ea2155a8336ee66cc394276af9df5a20
SHA1

2ab9a7e04d7b2b377f44b6edb7faa603be50f760
SHA256

193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16
SHA512

b86fdcbd8456d2c670860fe249ebe4d782b584f00fc7100f5e479b2904705226a1231b48b209d2e61561b30eb9caa6e9fd496410776a032d275dd198758ea067
SSDEEP

1536:zL4nvOCq2RCXkOlKHI6Or6kIIJ2vb/UEzsoO6LAJPxOsL:zL4o2kiUdWbcqrA1xOsL

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

192.168.10.71:1177

Attributes

Install_directory
%Public%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/452-1-0x0000000000070000-0x0000000000084000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
720	powershell.exe
2792	powershell.exe
2920	powershell.exe
516	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discordservices.lnk	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discordservices.lnk	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2792	powershell.exe
2792	powershell.exe
2920	powershell.exe
2920	powershell.exe
516	powershell.exe
516	powershell.exe
720	powershell.exe
720	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	452	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 2792	452	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	85
PID 452 wrote to memory of 2792	452	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	85
PID 452 wrote to memory of 2920	452	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	87
PID 452 wrote to memory of 2920	452	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	87
PID 452 wrote to memory of 516	452	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	89
PID 452 wrote to memory of 516	452	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	89
PID 452 wrote to memory of 720	452	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	91
PID 452 wrote to memory of 720	452	193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe	91

C:\Users\Admin\AppData\Local\Temp\193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe
"C:\Users\Admin\AppData\Local\Temp\193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Discordservices'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discordservices'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
76692775e4781f0c9f0092f5804cfdb1

SHA1
6740e4e4110028c62282ee1e7eb8be576a2bc23a

SHA256
0c451ff3823450d544066237cbfb08556b7ca36c4a0ea085055f69ab35795b00

SHA512
6e0731e3736594d9e86da2fc33e08a663f29100074cc8d46e2716123c946b9eb150c804c7cf8428cac631e1cff984663d41ce3b5e1e77965bd8e2ecf0742af34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a3minmlu.2p1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/452-1-0x0000000000070000-0x0000000000084000-memory.dmp

Filesize
80KB

Download
memory/452-2-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/452-0-0x00007FFB5BBD3000-0x00007FFB5BBD5000-memory.dmp

Filesize
8KB

Download
memory/452-57-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/452-56-0x00007FFB5BBD3000-0x00007FFB5BBD5000-memory.dmp

Filesize
8KB

Download
memory/2792-3-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/2792-18-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/2792-15-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/2792-14-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/2792-13-0x000001CA775B0000-0x000001CA775D2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing