xworm | 8fd825863687566693df92add60bc259abe5436238e8b99369fad09b17aa5aaf

General

Target

SPOOFER TREY.exe
Size

76KB
MD5

fff2d0ea19905c9a8f6c6fca38f64b15
SHA1

deb5dec4ca7de9ba0795f441ccda2683317341a9
SHA256

8fd825863687566693df92add60bc259abe5436238e8b99369fad09b17aa5aaf
SHA512

aa8f6e5cb2e2fdc505ffa67246bd5539d853c2a22221911a7f2bb84749d11b10a29fbf7fb9d5244a84d082c5f387a5861c34b71e96f57b720a34c6216d8f1558
SSDEEP

1536:ho2cR9MCrmWPDjC0hIgQLCap5BzGd0B/JUT4l7A9EkNof:2hCuF7aftGO3Tc+f

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

exchange-syndicate.gl.at.ply.gg:22530

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/776-18-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/776-16-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/776-14-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/776-11-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/776-10-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1616	powershell.exe
2688	powershell.exe
1664	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM = "C:\\Users\\Admin\\AppData\\Roaming\\spoofer\\spoofer.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1868 set thread context of 776	1868	SPOOFER TREY.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOFER TREY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1616	powershell.exe
2688	powershell.exe
1664	powershell.exe
776	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	776	RegAsm.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	776	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
776	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1616	1868	SPOOFER TREY.exe	31
PID 1868 wrote to memory of 1616	1868	SPOOFER TREY.exe	31
PID 1868 wrote to memory of 1616	1868	SPOOFER TREY.exe	31
PID 1868 wrote to memory of 1616	1868	SPOOFER TREY.exe	31
PID 1868 wrote to memory of 776	1868	SPOOFER TREY.exe	33
PID 1868 wrote to memory of 776	1868	SPOOFER TREY.exe	33
PID 1868 wrote to memory of 776	1868	SPOOFER TREY.exe	33
PID 1868 wrote to memory of 776	1868	SPOOFER TREY.exe	33
PID 1868 wrote to memory of 776	1868	SPOOFER TREY.exe	33
PID 1868 wrote to memory of 776	1868	SPOOFER TREY.exe	33
PID 1868 wrote to memory of 776	1868	SPOOFER TREY.exe	33
PID 1868 wrote to memory of 776	1868	SPOOFER TREY.exe	33
PID 1868 wrote to memory of 776	1868	SPOOFER TREY.exe	33
PID 1868 wrote to memory of 776	1868	SPOOFER TREY.exe	33
PID 1868 wrote to memory of 776	1868	SPOOFER TREY.exe	33
PID 1868 wrote to memory of 776	1868	SPOOFER TREY.exe	33
PID 776 wrote to memory of 2688	776	RegAsm.exe	35
PID 776 wrote to memory of 2688	776	RegAsm.exe	35
PID 776 wrote to memory of 2688	776	RegAsm.exe	35
PID 776 wrote to memory of 2688	776	RegAsm.exe	35
PID 776 wrote to memory of 1664	776	RegAsm.exe	37
PID 776 wrote to memory of 1664	776	RegAsm.exe	37
PID 776 wrote to memory of 1664	776	RegAsm.exe	37
PID 776 wrote to memory of 1664	776	RegAsm.exe	37

C:\Users\Admin\AppData\Local\Temp\SPOOFER TREY.exe
"C:\Users\Admin\AppData\Local\Temp\SPOOFER TREY.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SYSTEM';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SYSTEM' -Value '"C:\Users\Admin\AppData\Roaming\spoofer\spoofer.exe"' -PropertyType 'String'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAsm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5e5d60e84351c770225603fed6b33024

SHA1
060d3823ecbb734030cd758f73ad436bd4ae4c65

SHA256
8120275e6ea6fbde1e003f83a02a525655e1e0b231e3e6b72aeed69dca369a3b

SHA512
aff8cb62255abf93c1141a24abcc07543dba08124ac88a1845efc0a054daa92f667dcf729c61c11e1f289a00933a0be77e4b9057e618031b6e256b39c6317615

Download Submit
memory/776-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/776-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/776-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/776-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/776-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/776-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/776-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/776-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1616-19-0x000000006F041000-0x000000006F042000-memory.dmp

Filesize
4KB

Download
memory/1616-21-0x000000006F040000-0x000000006F5EB000-memory.dmp

Filesize
5.7MB

Download
memory/1616-22-0x000000006F040000-0x000000006F5EB000-memory.dmp

Filesize
5.7MB

Download
memory/1868-3-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/1868-0-0x000000007423E000-0x000000007423F000-memory.dmp

Filesize
4KB

Download
memory/1868-4-0x0000000000380000-0x0000000000398000-memory.dmp

Filesize
96KB

Download
memory/1868-20-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/1868-2-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/1868-1-0x0000000000DE0000-0x0000000000DFA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads