xworm | e91102fdb8c1c17fc032db088a1fa697939db309b65bd73c08a960a460891aad

General

Target

hyper13124234.exe
Size

277KB
MD5

97cfccab13d3f907bc9afdd0c597009e
SHA1

bf0c12ef218162f8706447a9155c9cff4927999f
SHA256

e91102fdb8c1c17fc032db088a1fa697939db309b65bd73c08a960a460891aad
SHA512

0cfe4b383a4a7678523bdf2bdb4e1c8b15e9971a92aa2e21fc2bb04844621f08d965a6920e9cf9441ff9421e73b3f26a3926cbdfef64c6d7b8c37158e2af0ad0
SSDEEP

6144:EOxCsNqAdXt+jl2mveDLls89fur1Xac/n+O6j9Mn:hCs8Adog0eDyefur1XaGlV

Score

10^/10

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/840-3-0x000002CEC1050000-0x000002CEC1066000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3400	powershell.exe
4136	powershell.exe
4564	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	hyper13124234.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyper13124234 = "C:\\Users\\Admin\\AppData\\Roaming\\hyper13124234.exe"	hyper13124234.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3400	powershell.exe
3400	powershell.exe
4136	powershell.exe
4136	powershell.exe
4564	powershell.exe
4564	powershell.exe
840	hyper13124234.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	840	hyper13124234.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
840	hyper13124234.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 3400	840	hyper13124234.exe	83
PID 840 wrote to memory of 3400	840	hyper13124234.exe	83
PID 840 wrote to memory of 4136	840	hyper13124234.exe	85
PID 840 wrote to memory of 4136	840	hyper13124234.exe	85
PID 840 wrote to memory of 4564	840	hyper13124234.exe	87
PID 840 wrote to memory of 4564	840	hyper13124234.exe	87

C:\Users\Admin\AppData\Local\Temp\hyper13124234.exe
"C:\Users\Admin\AppData\Local\Temp\hyper13124234.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\hyper13124234.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'hyper13124234.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\hyper13124234.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
359d1e37a264703c99ebd01eed362de5

SHA1
a1122c8bf9848b3371cd191ba540864204d1d845

SHA256
5781f3046b0d978469415a059cf5ceae0e532869e69ab1dffb8ed878bd299b07

SHA512
ce3caa1d2205be8167b7cd48ebf538a9ce8c148643c26a20377894aa15cf00f90b2b5e2ebf35d40a0273c088abc11fe6f010e34691d7fbc4bef8d7e482f5087d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
36c1937644741dead48c1c090eeea972

SHA1
f795939bced5653be2c10e6850ba94c268fb6b42

SHA256
c9368ff7aa0e52a8f66081c343bd9e8e7827d9cb0acb25fe05bd4efb01813c68

SHA512
7af3c3d12de9f185c5fbdc7519d221f1fa91053056516e1d200561d553a39c22c1e8714b6c38c81a71f1f23e21e51380fb3359f877370a387dfe27aefea764c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aw0yud2q.dpi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/840-3-0x000002CEC1050000-0x000002CEC1066000-memory.dmp

Filesize
88KB

Download
memory/840-0-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/840-2-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/840-1-0x000002CEBF210000-0x000002CEBF25C000-memory.dmp

Filesize
304KB

Download
memory/840-44-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/840-45-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3400-5-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3400-4-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3400-11-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3400-16-0x0000028EDF490000-0x0000028EDF4B2000-memory.dmp

Filesize
136KB

Download
memory/3400-19-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads