xworm | cbe5d8a26aff6afeef7f29f5488c28b7a7889b863247eabc8b8aea0cdb9795fe

Reason

Machine shutdown

General

Target

Output.exe
Size

1000KB
MD5

1eb331980c382323b15b2b3ff57a2a42
SHA1

c0252956194de18835ba962fb632f8684a6ba5bb
SHA256

cbe5d8a26aff6afeef7f29f5488c28b7a7889b863247eabc8b8aea0cdb9795fe
SHA512

c878567ecf82d8e2024ef62a7e4c91a59fd6819e18a02375db5f4e4884261e07a750a62c536098a30c95e4820af976d1fe36fec82db42902bb2f8cf07f72238e
SSDEEP

24576:TKUejpAyoSpAS1cVcfQ04EyV8WpzhjmPcVm8nH3+h:uUW5qScOfWBV8Wp2I5X

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:24707

modified-begun.gl.at.ply.gg:24707

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002aa76-6.dat	family_xworm
behavioral1/memory/2836-16-0x0000000000130000-0x0000000000148000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1988	powershell.exe
3068	powershell.exe
2140	powershell.exe
868	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smasmug.lnk	GtagLoaderbyslammy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smasmug.lnk	GtagLoaderbyslammy.exe

Executes dropped EXE 2 IoCs

pid	Process
2836	GtagLoaderbyslammy.exe
3276	Samsung_1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Smasmug = "C:\\Users\\Admin\\AppData\\Roaming\\Smasmug"	GtagLoaderbyslammy.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "183"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2140	powershell.exe
2140	powershell.exe
868	powershell.exe
868	powershell.exe
1988	powershell.exe
1988	powershell.exe
3068	powershell.exe
3068	powershell.exe
2836	GtagLoaderbyslammy.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	GtagLoaderbyslammy.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2836	GtagLoaderbyslammy.exe
Token: SeShutdownPrivilege	2420	shutdown.exe
Token: SeRemoteShutdownPrivilege	2420	shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2836	GtagLoaderbyslammy.exe
4860	LogonUI.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 2836	3164	Output.exe	77
PID 3164 wrote to memory of 2836	3164	Output.exe	77
PID 3164 wrote to memory of 3276	3164	Output.exe	78
PID 3164 wrote to memory of 3276	3164	Output.exe	78
PID 3276 wrote to memory of 3084	3276	Samsung_1.exe	80
PID 3276 wrote to memory of 3084	3276	Samsung_1.exe	80
PID 3084 wrote to memory of 5012	3084	cmd.exe	81
PID 3084 wrote to memory of 5012	3084	cmd.exe	81
PID 3084 wrote to memory of 4208	3084	cmd.exe	82
PID 3084 wrote to memory of 4208	3084	cmd.exe	82
PID 3084 wrote to memory of 2996	3084	cmd.exe	83
PID 3084 wrote to memory of 2996	3084	cmd.exe	83
PID 3276 wrote to memory of 576	3276	Samsung_1.exe	84
PID 3276 wrote to memory of 576	3276	Samsung_1.exe	84
PID 3276 wrote to memory of 4644	3276	Samsung_1.exe	85
PID 3276 wrote to memory of 4644	3276	Samsung_1.exe	85
PID 2836 wrote to memory of 2140	2836	GtagLoaderbyslammy.exe	87
PID 2836 wrote to memory of 2140	2836	GtagLoaderbyslammy.exe	87
PID 2836 wrote to memory of 868	2836	GtagLoaderbyslammy.exe	89
PID 2836 wrote to memory of 868	2836	GtagLoaderbyslammy.exe	89
PID 2836 wrote to memory of 1988	2836	GtagLoaderbyslammy.exe	91
PID 2836 wrote to memory of 1988	2836	GtagLoaderbyslammy.exe	91
PID 2836 wrote to memory of 3068	2836	GtagLoaderbyslammy.exe	93
PID 2836 wrote to memory of 3068	2836	GtagLoaderbyslammy.exe	93
PID 2836 wrote to memory of 2420	2836	GtagLoaderbyslammy.exe	95
PID 2836 wrote to memory of 2420	2836	GtagLoaderbyslammy.exe	95

C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\GtagLoaderbyslammy.exe
  "C:\Users\Admin\AppData\Local\Temp\GtagLoaderbyslammy.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GtagLoaderbyslammy.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GtagLoaderbyslammy.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Smasmug'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Smasmug'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\SYSTEM32\shutdown.exe
    shutdown.exe /f /s /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- C:\Users\Admin\AppData\Local\Temp\Samsung_1.exe
  "C:\Users\Admin\AppData\Local\Temp\Samsung_1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Samsung_1.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Samsung_1.exe" MD5
      4⤵
      PID:5012
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:4208
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4644

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d2055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21017c68eaf9461301de459f4f07e888

SHA1
41ff30fc8446508d4c3407c79e798cf6eaa5bb73

SHA256
03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888

SHA512
956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GtagLoaderbyslammy.exe

Filesize
78KB

MD5
882cc018b9a32b7ef5d60f52e49424f4

SHA1
b99a52cd4abf0fff39019ad1b96a2f06e7f3ee12

SHA256
e52b384e3ffefff7a4e1ac68ba2c3aa7f42c550c4d225281fe19948bcb80d20e

SHA512
7be787c5064da6922d32f7ff8954cba813c95fc588bbf5a91848990050ac696addc9d9f0775bfba50f8428a92dd56174a1688745ba69205ae4bb04823eb845d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Samsung_1.exe

Filesize
790KB

MD5
6f9489600081bccf5717dcb574f4073e

SHA1
78e49dafbdce6adb78aa15f09c3755853ae0ff4d

SHA256
8b3a32cb76d717a0d6e549ab8bbd296e5ffcccfe1011758d6e3cae586c8c0fa6

SHA512
0fecd5ffcb7a0e3fdff970acc13f94dfc86b251e6ae4c135e966d2648b1787f26fc2f1d9831e9c5fc403bcf366fcad2383d199fef0fccb2df3c3b859129d744b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ed5us0gt.0zw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2140-25-0x0000024DAF0E0000-0x0000024DAF102000-memory.dmp

Filesize
136KB

Download
memory/2836-24-0x00007FFE74F70000-0x00007FFE75A32000-memory.dmp

Filesize
10.8MB

Download
memory/2836-23-0x00007FFE74F70000-0x00007FFE75A32000-memory.dmp

Filesize
10.8MB

Download
memory/2836-16-0x0000000000130000-0x0000000000148000-memory.dmp

Filesize
96KB

Download
memory/2836-70-0x00007FFE74F70000-0x00007FFE75A32000-memory.dmp

Filesize
10.8MB

Download
memory/2836-71-0x00007FFE74F70000-0x00007FFE75A32000-memory.dmp

Filesize
10.8MB

Download
memory/2836-72-0x00007FFE74F70000-0x00007FFE75A32000-memory.dmp

Filesize
10.8MB

Download
memory/3164-0-0x00007FFE74F73000-0x00007FFE74F75000-memory.dmp

Filesize
8KB

Download
memory/3164-1-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads