xworm | 60aa1551d29da3fd64bcd365f40eabb8a565df3cdbe97c7f4f74ed181cd80785

General

Target

loader.exe
Size

92KB
MD5

8167096dc2cfe3130dd53f46e45a16ad
SHA1

6dd5a9607c2585bb023ae44c53d0445f45b147c1
SHA256

60aa1551d29da3fd64bcd365f40eabb8a565df3cdbe97c7f4f74ed181cd80785
SHA512

a2f9c68f197123926599eb056c036a5b709896dc510f3e72bf3de56fa85b49e0b77dd5563ca9ae4f4d42effe050202b50f4ed388b5aaded1797694d5732815dd
SSDEEP

1536:4FwxKDFTMC5Q8lV3aRTriFfRTzMJCeRLkLZi5qTKaPpb5NQOiDXavlKuDbNSKft6:RxKD5Q8v3YcZTzMweRgLL3dOKv0usKfk

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

ring-cj.gl.at.ply.gg:28371

Attributes

Install_directory
%AppData%
install_file
keyauth.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0027000000016d2c-5.dat	family_xworm
behavioral1/memory/2880-7-0x0000000000C80000-0x0000000000C9A000-memory.dmp	family_xworm
behavioral1/memory/560-43-0x0000000000F50000-0x0000000000F6A000-memory.dmp	family_xworm
behavioral1/memory/1660-46-0x00000000002E0000-0x00000000002FA000-memory.dmp	family_xworm
behavioral1/memory/2408-48-0x0000000001210000-0x000000000122A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2852	powershell.exe
2596	powershell.exe
2412	powershell.exe
1888	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\keyauth.lnk	loaderr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\keyauth.lnk	loaderr.exe

Executes dropped EXE 4 IoCs

pid	Process
2880	loaderr.exe
560	keyauth.exe
1660	keyauth.exe
2408	keyauth.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keyauth = "C:\\Users\\Admin\\AppData\\Roaming\\keyauth.exe"	loaderr.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2028	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2880	loaderr.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2852	powershell.exe
2596	powershell.exe
2412	powershell.exe
1888	powershell.exe
2880	loaderr.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	loaderr.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2880	loaderr.exe
Token: SeDebugPrivilege	560	keyauth.exe
Token: SeDebugPrivilege	1660	keyauth.exe
Token: SeDebugPrivilege	2408	keyauth.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2880	loaderr.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2880	2932	loader.exe	30
PID 2932 wrote to memory of 2880	2932	loader.exe	30
PID 2932 wrote to memory of 2880	2932	loader.exe	30
PID 2880 wrote to memory of 2852	2880	loaderr.exe	32
PID 2880 wrote to memory of 2852	2880	loaderr.exe	32
PID 2880 wrote to memory of 2852	2880	loaderr.exe	32
PID 2880 wrote to memory of 2596	2880	loaderr.exe	34
PID 2880 wrote to memory of 2596	2880	loaderr.exe	34
PID 2880 wrote to memory of 2596	2880	loaderr.exe	34
PID 2880 wrote to memory of 2412	2880	loaderr.exe	36
PID 2880 wrote to memory of 2412	2880	loaderr.exe	36
PID 2880 wrote to memory of 2412	2880	loaderr.exe	36
PID 2880 wrote to memory of 1888	2880	loaderr.exe	38
PID 2880 wrote to memory of 1888	2880	loaderr.exe	38
PID 2880 wrote to memory of 1888	2880	loaderr.exe	38
PID 2880 wrote to memory of 2028	2880	loaderr.exe	40
PID 2880 wrote to memory of 2028	2880	loaderr.exe	40
PID 2880 wrote to memory of 2028	2880	loaderr.exe	40
PID 2568 wrote to memory of 560	2568	taskeng.exe	43
PID 2568 wrote to memory of 560	2568	taskeng.exe	43
PID 2568 wrote to memory of 560	2568	taskeng.exe	43
PID 2568 wrote to memory of 1660	2568	taskeng.exe	44
PID 2568 wrote to memory of 1660	2568	taskeng.exe	44
PID 2568 wrote to memory of 1660	2568	taskeng.exe	44
PID 2568 wrote to memory of 2408	2568	taskeng.exe	45
PID 2568 wrote to memory of 2408	2568	taskeng.exe	45
PID 2568 wrote to memory of 2408	2568	taskeng.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Roaming\loaderr.exe
  "C:\Users\Admin\AppData\Roaming\loaderr.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\loaderr.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\keyauth.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'keyauth.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "keyauth" /tr "C:\Users\Admin\AppData\Roaming\keyauth.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2028

C:\Windows\system32\taskeng.exe
taskeng.exe {3A5B1EDA-EB48-4F9F-ABE8-9EE68117927B} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Roaming\keyauth.exe
  C:\Users\Admin\AppData\Roaming\keyauth.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Users\Admin\AppData\Roaming\keyauth.exe
  C:\Users\Admin\AppData\Roaming\keyauth.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Users\Admin\AppData\Roaming\keyauth.exe
  C:\Users\Admin\AppData\Roaming\keyauth.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
833f21c8bc9739c01c657dcec08172e5

SHA1
1cd27602ee9e44e031ef4f43d1edc590d3eca83e

SHA256
d333b461e7d96366266c099c5370a0e5e87666ecaa22b4bf28d53e7b324e70ff

SHA512
4cace04bb8e5e93e8a6042598e0aa0b5b39483c8dd7407f9b4ee6c7a1ccc74321106887d943edaa782198751a06ea8b90fd8c87cf9acbf828c56d80ec9551b76

Download Submit
C:\Users\Admin\AppData\Roaming\loaderr.exe

Filesize
79KB

MD5
1d09928c4fd6cba5e6d0e7bd0c16e108

SHA1
284031725d2f177fe4d71b5e5c51a3f5b582c804

SHA256
30ed1de652205d86db65846b5623f1cd0472e671670e8f7b97760cd6a8320088

SHA512
d0b70facd3c250eeca077aaff1bf494c165b33a0b91426020435300c5dd3ad43bf167956fc8d8eb26522183b1287e9ccaaf130007cc40a0dfb43434071ebf2fb

Download Submit
memory/560-43-0x0000000000F50000-0x0000000000F6A000-memory.dmp

Filesize
104KB

Download
memory/1660-46-0x00000000002E0000-0x00000000002FA000-memory.dmp

Filesize
104KB

Download
memory/2408-48-0x0000000001210000-0x000000000122A000-memory.dmp

Filesize
104KB

Download
memory/2596-22-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2596-23-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2852-14-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2852-15-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2880-8-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-16-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-34-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-9-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-7-0x0000000000C80000-0x0000000000C9A000-memory.dmp

Filesize
104KB

Download
memory/2932-0-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/2932-1-0x0000000000F80000-0x0000000000F9E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads