xworm | 4aa0a2cb031cd492650016770e1483b3756211c63cda0702cbd42513d9d95b58

General

Target

2025-01-25_10bb93eec2a765c88fb550db7148804b_hiddentear.exe
Size

320KB
MD5

10bb93eec2a765c88fb550db7148804b
SHA1

611b67285e9a47587a0bba088c8bf5de0c5ed1ba
SHA256

4aa0a2cb031cd492650016770e1483b3756211c63cda0702cbd42513d9d95b58
SHA512

da1f004749606976dac9ad2fbf26e4748458ec09c2aa144a08f4b457775848199c9c4887c0c207ca9e0b52e1fa875d5ae9baeef7cb3f7be45569430306fd1f1d
SSDEEP

3072:ONg5n8T+2Ir9vdk9M2VtRe685A9PM+lmsolAIrRuw+mqv9j1MWLQTXfdzA8Tq:Ohi2QWf3Rer5A90+lDAA+fdz

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

91.211.250.177:7000

Attributes

Install_directory
%Temp%
install_file
Ex4 To MQL.exe
telegram
https://api.telegram.org/bot8007089982:AAGd-ZTUSnm0zdt-l-kH17pJMcMaCnS_VgI/sendMessage?chat_id=7832105812

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0027000000016d2c-6.dat	family_xworm
behavioral1/memory/2872-8-0x0000000000FF0000-0x0000000001032000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1200	powershell.exe
1744	powershell.exe
2484	powershell.exe
2472	powershell.exe

Deletes itself 1 IoCs

pid	Process
2912	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ex4 To MQL.lnk	Ex4ToMql.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ex4 To MQL.lnk	Ex4ToMql.exe

Executes dropped EXE 1 IoCs

pid	Process
2872	Ex4ToMql.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ex4 To MQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ex4 To MQL.exe"	Ex4ToMql.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2744	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2820	2025-01-25_10bb93eec2a765c88fb550db7148804b_hiddentear.exe
1744	powershell.exe
2484	powershell.exe
2472	powershell.exe
1200	powershell.exe
2872	Ex4ToMql.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	2025-01-25_10bb93eec2a765c88fb550db7148804b_hiddentear.exe
Token: SeDebugPrivilege	2872	Ex4ToMql.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	2872	Ex4ToMql.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2872	Ex4ToMql.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2872	2820	2025-01-25_10bb93eec2a765c88fb550db7148804b_hiddentear.exe	31
PID 2820 wrote to memory of 2872	2820	2025-01-25_10bb93eec2a765c88fb550db7148804b_hiddentear.exe	31
PID 2820 wrote to memory of 2872	2820	2025-01-25_10bb93eec2a765c88fb550db7148804b_hiddentear.exe	31
PID 2820 wrote to memory of 2912	2820	2025-01-25_10bb93eec2a765c88fb550db7148804b_hiddentear.exe	32
PID 2820 wrote to memory of 2912	2820	2025-01-25_10bb93eec2a765c88fb550db7148804b_hiddentear.exe	32
PID 2820 wrote to memory of 2912	2820	2025-01-25_10bb93eec2a765c88fb550db7148804b_hiddentear.exe	32
PID 2912 wrote to memory of 2744	2912	cmd.exe	34
PID 2912 wrote to memory of 2744	2912	cmd.exe	34
PID 2912 wrote to memory of 2744	2912	cmd.exe	34
PID 2872 wrote to memory of 1744	2872	Ex4ToMql.exe	35
PID 2872 wrote to memory of 1744	2872	Ex4ToMql.exe	35
PID 2872 wrote to memory of 1744	2872	Ex4ToMql.exe	35
PID 2872 wrote to memory of 2484	2872	Ex4ToMql.exe	37
PID 2872 wrote to memory of 2484	2872	Ex4ToMql.exe	37
PID 2872 wrote to memory of 2484	2872	Ex4ToMql.exe	37
PID 2872 wrote to memory of 2472	2872	Ex4ToMql.exe	39
PID 2872 wrote to memory of 2472	2872	Ex4ToMql.exe	39
PID 2872 wrote to memory of 2472	2872	Ex4ToMql.exe	39
PID 2872 wrote to memory of 1200	2872	Ex4ToMql.exe	41
PID 2872 wrote to memory of 1200	2872	Ex4ToMql.exe	41
PID 2872 wrote to memory of 1200	2872	Ex4ToMql.exe	41
PID 2872 wrote to memory of 2468	2872	Ex4ToMql.exe	43
PID 2872 wrote to memory of 2468	2872	Ex4ToMql.exe	43
PID 2872 wrote to memory of 2468	2872	Ex4ToMql.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-01-25_10bb93eec2a765c88fb550db7148804b_hiddentear.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_10bb93eec2a765c88fb550db7148804b_hiddentear.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\Ex4ToMql.exe
  "C:\Users\Admin\AppData\Local\Temp\Ex4ToMql.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ex4ToMql.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ex4ToMql.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ex4 To MQL.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ex4 To MQL.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ex4 To MQL" /tr "C:\Users\Admin\AppData\Local\Temp\Ex4 To MQL.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2468
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFA.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2744

C:\Windows\system32\taskeng.exe
taskeng.exe {B02EEDD5-5B93-494B-B4F5-9579746B8AA0} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ex4ToMql.exe

Filesize
243KB

MD5
4e145169529ec9046b4a2ef0c84420a0

SHA1
0b2ea5f7bf699bfac2f902edb1b6b1e7af16f2bd

SHA256
bfa09032e71647fcd224a530107c5e2b1840a6e0a6f9ed7c9915d69156cb7e79

SHA512
4e7046c519d6dcea6f129eb482c92262a72e8bd6776e57d4af15852a9690ad03445bc20e620bcf8fc2b5441069916dde7e44233d947924792796b3cb4238aa1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA.tmp.bat

Filesize
204B

MD5
774763a302bae2816eba1e751d9de819

SHA1
017840ce451b6a0834622977ee5ffdab8e2f943a

SHA256
483785b37c176fe06fdf72a2bf7768da364c3593a79559a333eb28c293f5d921

SHA512
1869623ef7ac4bf61278dc31fff77d9be62df0933439b26f43d8412c67eb89fe0d2150e91ddf8e685079b7e94c4f9d685ddd9f7ad3bb468d1cd335b89af71db6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1601881bf31bf6fd40e0a2a6aafd3a35

SHA1
b7937e895f656ac7ed0d07b18b8193a2b6c7f7e0

SHA256
f3f396e262a76d30def1554501cf70a4d1e80590e9bae5c97c141385a67d471e

SHA512
6cf4cecca781023f86ac787bece228d6be6e48328da44a6d148c4a1498eb9641306acfa42125e5e7870c3f6b6ae611b26bda49a6305a3de82e749601ad4bf50f

Download Submit
memory/1744-26-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/1744-27-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2484-34-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2484-33-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-19-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-0-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/2820-10-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/2820-2-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-1-0x0000000000310000-0x0000000000366000-memory.dmp

Filesize
344KB

Download
memory/2872-20-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-21-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-9-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-8-0x0000000000FF0000-0x0000000001032000-memory.dmp

Filesize
264KB

Download
memory/2872-50-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads