xworm | c81ae973db641e3c60912166be8979a60b95253ae290c145b9a2133ad7a2ebb8

General

Target

StupidMonkey.exe
Size

70KB
MD5

4c785ba0487bfec51faf4788d564ee9f
SHA1

786fdc994a71d7e02a556e3f720b41a096a789f5
SHA256

c81ae973db641e3c60912166be8979a60b95253ae290c145b9a2133ad7a2ebb8
SHA512

b6b7fbd58e1c3657a81d17a974fc609c1af29dab6489685d2eea5e1397e12853c17086a537f7607aef6833f358965788adc961b44eeff21530ff89f9776eee06
SSDEEP

1536:X7eLuJn1XH70d76kbDD0k2jF16K7HmTzOt5YP:X79hpb0YkbDLE57HmTzOts

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

wood-matches.gl.at.ply.gg:23086

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2084-1-0x00000000002F0000-0x0000000000308000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2584	powershell.exe
2564	powershell.exe
1888	powershell.exe
2872	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client Server Runtime Process.lnk	StupidMonkey.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client Server Runtime Process.lnk	StupidMonkey.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process = "C:\\ProgramData\\Client Server Runtime Process"	StupidMonkey.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2584	powershell.exe
2564	powershell.exe
1888	powershell.exe
2872	powershell.exe
2084	StupidMonkey.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	StupidMonkey.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2084	StupidMonkey.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2584	2084	StupidMonkey.exe	32
PID 2084 wrote to memory of 2584	2084	StupidMonkey.exe	32
PID 2084 wrote to memory of 2584	2084	StupidMonkey.exe	32
PID 2084 wrote to memory of 2564	2084	StupidMonkey.exe	34
PID 2084 wrote to memory of 2564	2084	StupidMonkey.exe	34
PID 2084 wrote to memory of 2564	2084	StupidMonkey.exe	34
PID 2084 wrote to memory of 1888	2084	StupidMonkey.exe	36
PID 2084 wrote to memory of 1888	2084	StupidMonkey.exe	36
PID 2084 wrote to memory of 1888	2084	StupidMonkey.exe	36
PID 2084 wrote to memory of 2872	2084	StupidMonkey.exe	38
PID 2084 wrote to memory of 2872	2084	StupidMonkey.exe	38
PID 2084 wrote to memory of 2872	2084	StupidMonkey.exe	38
PID 2084 wrote to memory of 2716	2084	StupidMonkey.exe	40
PID 2084 wrote to memory of 2716	2084	StupidMonkey.exe	40
PID 2084 wrote to memory of 2716	2084	StupidMonkey.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\StupidMonkey.exe
"C:\Users\Admin\AppData\Local\Temp\StupidMonkey.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\StupidMonkey.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'StupidMonkey.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Client Server Runtime Process'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client Server Runtime Process'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client Server Runtime Process" /tr "C:\ProgramData\Client Server Runtime Process"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3e8a3eb9cf291f6bd80b921348ba20c5

SHA1
e3da2500226af790600ad0ffa3c5486262a15d3f

SHA256
89f371191ca1563ae4e99e7df8b17e1159b9412e91dd71285c013c2f61c15038

SHA512
e5d9a773879e0f079f8220a87b328a0b7e1ccf788882a4a5273e9fba6fa6c25755f1d38fdac662c75ed9fbe2347f39a4dcbc91fc3257082c3fab4b72bd8762d6

Download Submit
memory/2084-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2084-1-0x00000000002F0000-0x0000000000308000-memory.dmp

Filesize
96KB

Download
memory/2084-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2084-28-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2084-33-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2564-15-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2564-16-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2584-7-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2584-8-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2584-9-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads