xworm | eda0f45bf7e42ea80b3140d490ffcdd773f35d48bcb4ee9babc76f67afd7b8f6

General

Target

MoonCrypter/MoonCrypter1.exe
Size

582KB
MD5

fe33fb1a059475fe19f07437098c391c
SHA1

bf4a0cc782156a44a27c7e9ea1e4297be926a597
SHA256

fc70565765ef8ca0f63b63aab261ebff53d1f110bd8da460720099b779832283
SHA512

c8117a6cd0e956d2ff82143621a320ebf7ff38f67a4cb64f9e294c341806757a4a0549e869c16d90c0d48ebd6262befd62411af9cacc19121b25ee5532e6d079
SSDEEP

12288:2zvRCmaURtTLYscOOn37xZOSKrUwgQbBcg0Mp2egI:E0UtnYb3T5ONgwcg06DgI

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

193.123.88.61:4444

Mutex

1cAjmT6r87cbZXRe

Attributes

Install_directory
%AppData%
install_file
host.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral8/memory/2676-14-0x0000000000020000-0x0000000000030000-memory.dmp	family_xworm
behavioral8/files/0x0034000000017429-12.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1472	powershell.exe
2556	powershell.exe
3044	powershell.exe
444	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk	moon.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk	moon.exe

Executes dropped EXE 2 IoCs

pid	Process
2684	MoonCrypter.exe
2676	moon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\host = "C:\\Users\\Admin\\AppData\\Roaming\\host.exe"	moon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MoonCrypter.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2260	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2556	powershell.exe
3044	powershell.exe
444	powershell.exe
1472	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	MoonCrypter1.exe
Token: SeDebugPrivilege	2676	moon.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2676	moon.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2684	2708	MoonCrypter1.exe	30
PID 2708 wrote to memory of 2684	2708	MoonCrypter1.exe	30
PID 2708 wrote to memory of 2684	2708	MoonCrypter1.exe	30
PID 2708 wrote to memory of 2684	2708	MoonCrypter1.exe	30
PID 2708 wrote to memory of 2676	2708	MoonCrypter1.exe	31
PID 2708 wrote to memory of 2676	2708	MoonCrypter1.exe	31
PID 2708 wrote to memory of 2676	2708	MoonCrypter1.exe	31
PID 2676 wrote to memory of 2556	2676	moon.exe	32
PID 2676 wrote to memory of 2556	2676	moon.exe	32
PID 2676 wrote to memory of 2556	2676	moon.exe	32
PID 2676 wrote to memory of 3044	2676	moon.exe	34
PID 2676 wrote to memory of 3044	2676	moon.exe	34
PID 2676 wrote to memory of 3044	2676	moon.exe	34
PID 2676 wrote to memory of 444	2676	moon.exe	36
PID 2676 wrote to memory of 444	2676	moon.exe	36
PID 2676 wrote to memory of 444	2676	moon.exe	36
PID 2676 wrote to memory of 1472	2676	moon.exe	38
PID 2676 wrote to memory of 1472	2676	moon.exe	38
PID 2676 wrote to memory of 1472	2676	moon.exe	38
PID 2676 wrote to memory of 2076	2676	moon.exe	41
PID 2676 wrote to memory of 2076	2676	moon.exe	41
PID 2676 wrote to memory of 2076	2676	moon.exe	41
PID 2076 wrote to memory of 2260	2076	cmd.exe	43
PID 2076 wrote to memory of 2260	2076	cmd.exe	43
PID 2076 wrote to memory of 2260	2076	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\MoonCrypter\MoonCrypter1.exe
"C:\Users\Admin\AppData\Local\Temp\MoonCrypter\MoonCrypter1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\MoonCrypter.exe
  "C:\Users\Admin\AppData\Local\Temp\MoonCrypter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\moon.exe
  "C:\Users\Admin\AppData\Local\Temp\moon.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\moon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'moon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1F92.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MoonCrypter.exe

Filesize
191KB

MD5
24bd0c210794c566995f58dd1ea5d542

SHA1
890f5936f00948e77d766b8e200d6a9a210b1032

SHA256
d60d3dfdc76f15f7891d8f437b07a20567f4face48ae22e4b816b2bd44f6a5ba

SHA512
978338f90d3ce30b64d1f745a1ba477b42285f0e3a5409d3537a174f7211751e8edb4c056226f4af27c44ad8cbc6e9c95289efabd1540f7b31605b91df952d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\moon.exe

Filesize
39KB

MD5
a980d2576c2540587333143dafc4fef4

SHA1
432352d8571bd6d345c8b931e19bef818f324cfe

SHA256
3ade47aed888d5099ba50ba655cbf909756367b12537b2fba6d0d7d3690e803a

SHA512
d7b67aa3ce5d5bddfb5929262ee3e64877600297cf423d90c101c8b7803687861b9668b112f17f4dee94d1701b0ee70ecf05972b810d37f8ca8a51a8055d19f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F92.tmp.bat

Filesize
156B

MD5
f5d89ae58ab487110c3c3479a6331ebc

SHA1
b912dd820a8941948f0361808f38e1a01bb8237d

SHA256
d3919b3b7dbaf2383d7950889b7eedc6967ee54f5de3f91cb774907a796ec84c

SHA512
7f947e55f6ae605d382846685ef088c1a8f319bf64fe1fe5deda06a64b40be40c181e49777c2bcb44413a43d03da260450bce0d944d4cbef45b4f5962149459b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
de2ba09fb83c186cdf451e6fe50b7aba

SHA1
a49d74c701631cb34d19e08ca531beed311dd501

SHA256
f86a85daf412310e732d232b4de93aae2d454b3943c15228c1f5f5980b0cfa6e

SHA512
f8691d82db301190fb29e0299af3d6e1e123ff45b4a1e58ea464e7ac31b6458b99043dc115962b3899f1f029789893e4b56ffb5973fbd4880264ee50d44bb93b

Download Submit
memory/2556-22-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2556-23-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2676-61-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2676-14-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/2676-16-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2676-48-0x0000000002230000-0x000000000223C000-memory.dmp

Filesize
48KB

Download
memory/2676-47-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-17-0x00000000009F0000-0x0000000000A26000-memory.dmp

Filesize
216KB

Download
memory/2708-0-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

Filesize
4KB

Download
memory/2708-15-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2708-2-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2708-1-0x0000000000A40000-0x0000000000AD8000-memory.dmp

Filesize
608KB

Download
memory/3044-30-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/3044-29-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads