xworm | 57583fbcfce7c62cfc880b35bc19d2bcb3d34e14423ab725674f9f1eefcbd038

Reason

Machine shutdown

General

Target

MoonCrypter/MoonCrypter.exe
Size

268KB
MD5

b32cf72bcf05b3df1967624c18792bfc
SHA1

da6bb03499739c473d34cf65bba5a68c3248ba1a
SHA256

2b2e23b302667a243ddf8250f5c654ffc7033f7000375df534348aff2f18871d
SHA512

1772753364652881db88595a4bc9e0e96a3cded522723c21a287c8675286c89e8790286334b177ab96403a1d63bd483c20ec3ed69631f1dc590e0c36b96eb54f
SSDEEP

3072:nsMbkPKSqyLcThkq0zl0rUS3g8NUYLpGfR/cM4kKKL9000XrcND2kbQExBQK:JbKqcg0zSrUwgLup2R/UgwP

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

193.123.88.61:4444

Mutex

1cAjmT6r87cbZXRe

Attributes

Install_directory
%AppData%
install_file
host.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral7/memory/1120-90-0x000000001B0B0000-0x000000001B0BE000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral7/files/0x001b00000002aad0-17.dat	family_xworm
behavioral7/memory/1120-27-0x00000000001E0000-0x00000000001F0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
244	powershell.exe
1152	powershell.exe
4192	powershell.exe
332	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk	moon.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk	moon.exe

Executes dropped EXE 2 IoCs

pid	Process
4532	MoonCrypter.exe
1120	moon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\host = "C:\\Users\\Admin\\AppData\\Roaming\\host.exe"	moon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MoonCrypter.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4192	powershell.exe
4192	powershell.exe
332	powershell.exe
332	powershell.exe
244	powershell.exe
244	powershell.exe
1152	powershell.exe
1152	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	moon.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1120	moon.exe
Token: SeShutdownPrivilege	1120	moon.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 4532	1124	MoonCrypter.exe	78
PID 1124 wrote to memory of 4532	1124	MoonCrypter.exe	78
PID 1124 wrote to memory of 4532	1124	MoonCrypter.exe	78
PID 1124 wrote to memory of 1120	1124	MoonCrypter.exe	79
PID 1124 wrote to memory of 1120	1124	MoonCrypter.exe	79
PID 1120 wrote to memory of 4192	1120	moon.exe	80
PID 1120 wrote to memory of 4192	1120	moon.exe	80
PID 1120 wrote to memory of 332	1120	moon.exe	82
PID 1120 wrote to memory of 332	1120	moon.exe	82
PID 1120 wrote to memory of 244	1120	moon.exe	84
PID 1120 wrote to memory of 244	1120	moon.exe	84
PID 1120 wrote to memory of 1152	1120	moon.exe	86
PID 1120 wrote to memory of 1152	1120	moon.exe	86

C:\Users\Admin\AppData\Local\Temp\MoonCrypter\MoonCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\MoonCrypter\MoonCrypter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\MoonCrypter.exe
  "C:\Users\Admin\AppData\Local\Temp\MoonCrypter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\moon.exe
  "C:\Users\Admin\AppData\Local\Temp\moon.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\moon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'moon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoonCrypter.exe

Filesize
191KB

MD5
24bd0c210794c566995f58dd1ea5d542

SHA1
890f5936f00948e77d766b8e200d6a9a210b1032

SHA256
d60d3dfdc76f15f7891d8f437b07a20567f4face48ae22e4b816b2bd44f6a5ba

SHA512
978338f90d3ce30b64d1f745a1ba477b42285f0e3a5409d3537a174f7211751e8edb4c056226f4af27c44ad8cbc6e9c95289efabd1540f7b31605b91df952d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rqpgiy3p.vy1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\moon.exe

Filesize
39KB

MD5
a980d2576c2540587333143dafc4fef4

SHA1
432352d8571bd6d345c8b931e19bef818f324cfe

SHA256
3ade47aed888d5099ba50ba655cbf909756367b12537b2fba6d0d7d3690e803a

SHA512
d7b67aa3ce5d5bddfb5929262ee3e64877600297cf423d90c101c8b7803687861b9668b112f17f4dee94d1701b0ee70ecf05972b810d37f8ca8a51a8055d19f9

Download Submit
memory/1120-86-0x00007FFC2BA50000-0x00007FFC2C512000-memory.dmp

Filesize
10.8MB

Download
memory/1120-90-0x000000001B0B0000-0x000000001B0BE000-memory.dmp

Filesize
56KB

Download
memory/1120-89-0x000000001AEE0000-0x000000001AEEC000-memory.dmp

Filesize
48KB

Download
memory/1120-87-0x000000001B0D0000-0x000000001B0E0000-memory.dmp

Filesize
64KB

Download
memory/1120-83-0x000000001B0D0000-0x000000001B0E0000-memory.dmp

Filesize
64KB

Download
memory/1120-27-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/1120-28-0x00007FFC2BA50000-0x00007FFC2C512000-memory.dmp

Filesize
10.8MB

Download
memory/1124-26-0x00007FFC2BA50000-0x00007FFC2C512000-memory.dmp

Filesize
10.8MB

Download
memory/1124-0-0x00007FFC2BA53000-0x00007FFC2BA55000-memory.dmp

Filesize
8KB

Download
memory/1124-10-0x00007FFC2BA50000-0x00007FFC2C512000-memory.dmp

Filesize
10.8MB

Download
memory/1124-1-0x0000000000030000-0x000000000007A000-memory.dmp

Filesize
296KB

Download
memory/4192-37-0x0000021E4EB90000-0x0000021E4EBB2000-memory.dmp

Filesize
136KB

Download
memory/4532-29-0x00000000745AE000-0x00000000745AF000-memory.dmp

Filesize
4KB

Download
memory/4532-36-0x00000000745A0000-0x0000000074D51000-memory.dmp

Filesize
7.7MB

Download
memory/4532-35-0x0000000004D00000-0x0000000004D56000-memory.dmp

Filesize
344KB

Download
memory/4532-34-0x0000000004A40000-0x0000000004A4A000-memory.dmp

Filesize
40KB

Download
memory/4532-85-0x00000000745A0000-0x0000000074D51000-memory.dmp

Filesize
7.7MB

Download
memory/4532-33-0x0000000004B70000-0x0000000004C02000-memory.dmp

Filesize
584KB

Download
memory/4532-32-0x0000000005120000-0x00000000056C6000-memory.dmp

Filesize
5.6MB

Download
memory/4532-31-0x0000000004AD0000-0x0000000004B6C000-memory.dmp

Filesize
624KB

Download
memory/4532-30-0x00000000000B0000-0x00000000000E6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads