xworm | 7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac

General

Target

7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe
Size

57KB
MD5

72798272d12c892963ba1520331a7ba7
SHA1

475c8c703fec75656132242746445a496c8bbfb2
SHA256

7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac
SHA512

fc59d55df3f527024986dbef62acaea8910a383d772402e8a96c45c07346685ef81b880aaf7caf451642797dece0386ea121048b7ca11d1a3fe3c6fe95338a42
SSDEEP

1536:zL4nvOCq2RCXkOlKHI6Or6kIIJ2vb/UEzsoO6LAJPxOsL6:zL4o2kiUdWbcqrA1xOsL6

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

192.168.10.71:1177

Attributes

Install_directory
%Public%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2844-1-0x0000000001250000-0x0000000001264000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2704	powershell.exe
264	powershell.exe
1860	powershell.exe
2068	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discordservices.lnk	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discordservices.lnk	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2704	powershell.exe
264	powershell.exe
1860	powershell.exe
2068	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2704	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe	31
PID 2844 wrote to memory of 2704	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe	31
PID 2844 wrote to memory of 2704	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe	31
PID 2844 wrote to memory of 264	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe	33
PID 2844 wrote to memory of 264	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe	33
PID 2844 wrote to memory of 264	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe	33
PID 2844 wrote to memory of 1860	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe	35
PID 2844 wrote to memory of 1860	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe	35
PID 2844 wrote to memory of 1860	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe	35
PID 2844 wrote to memory of 2068	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe	37
PID 2844 wrote to memory of 2068	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe	37
PID 2844 wrote to memory of 2068	2844	7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe	37

C:\Users\Admin\AppData\Local\Temp\7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe
"C:\Users\Admin\AppData\Local\Temp\7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7f6351ccdc13e55801877c661b590bd574725c3380ca45a43c66dbb7ee0bf7ac.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Discordservices'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discordservices'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f34f14541e84fb024536675be8e05567

SHA1
fcc7fe8ae0a1d8c0ce310ae2e7fba5275c724a1b

SHA256
4fd555bf9d43157c7e4789f2da1f704c802e7eeb5003b29e395a28adc436d9e9

SHA512
a7168ef3e6fe19c23a6c08993fb497c2348e3920e48091b8ad6c1041f7ea13f0026d7b6e9314feea0a9837b6606ebeb7a475410dea0c4c699b046f6842a62e2f

Download Submit
memory/264-15-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/264-16-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2704-7-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/2704-8-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2704-9-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2844-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

Filesize
4KB

Download
memory/2844-1-0x0000000001250000-0x0000000001264000-memory.dmp

Filesize
80KB

Download
memory/2844-2-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2844-23-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

Filesize
4KB

Download
memory/2844-32-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing