xworm | eda0f45bf7e42ea80b3140d490ffcdd773f35d48bcb4ee9babc76f67afd7b8f6

General

Target

MoonCrypter/MoonCrypter1.exe
Size

582KB
MD5

fe33fb1a059475fe19f07437098c391c
SHA1

bf4a0cc782156a44a27c7e9ea1e4297be926a597
SHA256

fc70565765ef8ca0f63b63aab261ebff53d1f110bd8da460720099b779832283
SHA512

c8117a6cd0e956d2ff82143621a320ebf7ff38f67a4cb64f9e294c341806757a4a0549e869c16d90c0d48ebd6262befd62411af9cacc19121b25ee5532e6d079
SSDEEP

12288:2zvRCmaURtTLYscOOn37xZOSKrUwgQbBcg0Mp2egI:E0UtnYb3T5ONgwcg06DgI

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

193.123.88.61:4444

Mutex

1cAjmT6r87cbZXRe

Attributes

Install_directory
%AppData%
install_file
host.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral9/files/0x0007000000023cba-17.dat	family_xworm
behavioral9/memory/4884-29-0x0000000000690000-0x00000000006A0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4920	powershell.exe
2148	powershell.exe
1296	powershell.exe
456	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	MoonCrypter1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	moon.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk	moon.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk	moon.exe

Executes dropped EXE 2 IoCs

pid	Process
1004	MoonCrypter.exe
4884	moon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\host = "C:\\Users\\Admin\\AppData\\Roaming\\host.exe"	moon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MoonCrypter.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
852	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4920	powershell.exe
4920	powershell.exe
2148	powershell.exe
2148	powershell.exe
1296	powershell.exe
1296	powershell.exe
456	powershell.exe
456	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	MoonCrypter1.exe
Token: SeDebugPrivilege	4884	moon.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	4884	moon.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1004	4900	MoonCrypter1.exe	82
PID 4900 wrote to memory of 1004	4900	MoonCrypter1.exe	82
PID 4900 wrote to memory of 1004	4900	MoonCrypter1.exe	82
PID 4900 wrote to memory of 4884	4900	MoonCrypter1.exe	83
PID 4900 wrote to memory of 4884	4900	MoonCrypter1.exe	83
PID 4884 wrote to memory of 4920	4884	moon.exe	84
PID 4884 wrote to memory of 4920	4884	moon.exe	84
PID 4884 wrote to memory of 2148	4884	moon.exe	86
PID 4884 wrote to memory of 2148	4884	moon.exe	86
PID 4884 wrote to memory of 1296	4884	moon.exe	88
PID 4884 wrote to memory of 1296	4884	moon.exe	88
PID 4884 wrote to memory of 456	4884	moon.exe	90
PID 4884 wrote to memory of 456	4884	moon.exe	90
PID 4884 wrote to memory of 5096	4884	moon.exe	100
PID 4884 wrote to memory of 5096	4884	moon.exe	100
PID 5096 wrote to memory of 852	5096	cmd.exe	102
PID 5096 wrote to memory of 852	5096	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\MoonCrypter\MoonCrypter1.exe
"C:\Users\Admin\AppData\Local\Temp\MoonCrypter\MoonCrypter1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\MoonCrypter.exe
  "C:\Users\Admin\AppData\Local\Temp\MoonCrypter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\moon.exe
  "C:\Users\Admin\AppData\Local\Temp\moon.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\moon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'moon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB25E.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01fff31a70e26012f37789b179059e32

SHA1
555b6f05cce7daf46920df1c01eb5c55dc62c9e6

SHA256
adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

SHA512
ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
871daa0605e2bf4f8259c6ed08922818

SHA1
8448225f10d502ce858e9f6818945bf7994d5963

SHA256
d0fe73c3319af4bb23a904483ac9af46406b0b559023809daac4ab4dba0fc3e7

SHA512
f97ce6108457836d2059d9ddf7272a811a3d332275f5bcc3887b18cb1b9a9e6f4359ca808302f13ef4245d4b39ac4636bd926f869cfa7851531457cf2db595ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoonCrypter.exe

Filesize
191KB

MD5
24bd0c210794c566995f58dd1ea5d542

SHA1
890f5936f00948e77d766b8e200d6a9a210b1032

SHA256
d60d3dfdc76f15f7891d8f437b07a20567f4face48ae22e4b816b2bd44f6a5ba

SHA512
978338f90d3ce30b64d1f745a1ba477b42285f0e3a5409d3537a174f7211751e8edb4c056226f4af27c44ad8cbc6e9c95289efabd1540f7b31605b91df952d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0xgsohm.5ny.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\moon.exe

Filesize
39KB

MD5
a980d2576c2540587333143dafc4fef4

SHA1
432352d8571bd6d345c8b931e19bef818f324cfe

SHA256
3ade47aed888d5099ba50ba655cbf909756367b12537b2fba6d0d7d3690e803a

SHA512
d7b67aa3ce5d5bddfb5929262ee3e64877600297cf423d90c101c8b7803687861b9668b112f17f4dee94d1701b0ee70ecf05972b810d37f8ca8a51a8055d19f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB25E.tmp.bat

Filesize
156B

MD5
4de3427651229819c2238b8acb615929

SHA1
0ae4e7beb6f1659f6c0c1fda0e4f6a5a680f644f

SHA256
bcbee46738f421ee62800ca3cedd5fdb76f500c3ed8838505bf0e03f5696887d

SHA512
0fd03f0495164998fd514b004947a99b2fca906f2b69a8bba8eb04a11094a0017bf47a9cc1a63519558596170db4261aab24a6aaa9f18f566db53657a7b25079

Download Submit
memory/1004-35-0x0000000005790000-0x00000000057E6000-memory.dmp

Filesize
344KB

Download
memory/1004-31-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/1004-33-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/1004-32-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/1004-30-0x0000000000BD0000-0x0000000000C06000-memory.dmp

Filesize
216KB

Download
memory/1004-34-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/1004-84-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1004-36-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1004-28-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/4884-29-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/4884-27-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-89-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4884-90-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-91-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4884-100-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/4900-26-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/4900-2-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/4900-0-0x00007FFA105F3000-0x00007FFA105F5000-memory.dmp

Filesize
8KB

Download
memory/4900-1-0x0000000000300000-0x0000000000398000-memory.dmp

Filesize
608KB

Download
memory/4920-39-0x00000211A75A0000-0x00000211A75C2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads