xworm | f1194a10e317ec32367972838854bbfedb6a8ed8d48785a225a6af635f744242

General

Target

PotatoCheats.exe
Size

69KB
MD5

382258b6d5178139f1972bbf1b06f6f4
SHA1

f42e85ac9f2775005817f6894c44f52331940784
SHA256

f1194a10e317ec32367972838854bbfedb6a8ed8d48785a225a6af635f744242
SHA512

8072b0607b05d82ccfaf8ad84a9fbab46c191026dbae323695d6a521620348c3c872260156a8dae72e8c18086128224e6e1efc2657002f7e70036210bcfa963c
SSDEEP

1536:WuYbI6lmB8Q9fTkaqb2tbRZ6WjbF8hx4BJCgE:rYbI6y8Q9cCtb+oSZgE

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

C2

friday-thai.gl.at.ply.gg:33026

Mutex

AihLIMYIJUgLsYWn

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015689-14.dat	family_xworm
behavioral1/memory/2796-18-0x0000000000320000-0x0000000000330000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Deletes itself 1 IoCs

pid	Process
2244	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup_x86.lnk	setup_x86.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup_x86.lnk	setup_x86.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	setup_x86.exe

Loads dropped DLL 1 IoCs

pid	Process
2244	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PotatoCheats.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	PotatoCheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_XBOX&Prod_CD-ROM	PotatoCheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VBOX&Prod_HARDDISK	PotatoCheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01	PotatoCheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_NVMe&Prod_VMware_Virtual_N	PotatoCheats.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2792	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup_x86.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup_x86.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2508	PotatoCheats.exe
2508	PotatoCheats.exe
2508	PotatoCheats.exe
2796	setup_x86.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	PotatoCheats.exe
Token: SeDebugPrivilege	2796	setup_x86.exe
Token: SeDebugPrivilege	2796	setup_x86.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2796	setup_x86.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2244	2508	PotatoCheats.exe	30
PID 2508 wrote to memory of 2244	2508	PotatoCheats.exe	30
PID 2508 wrote to memory of 2244	2508	PotatoCheats.exe	30
PID 2508 wrote to memory of 2244	2508	PotatoCheats.exe	30
PID 2244 wrote to memory of 2792	2244	cmd.exe	32
PID 2244 wrote to memory of 2792	2244	cmd.exe	32
PID 2244 wrote to memory of 2792	2244	cmd.exe	32
PID 2244 wrote to memory of 2792	2244	cmd.exe	32
PID 2244 wrote to memory of 2796	2244	cmd.exe	33
PID 2244 wrote to memory of 2796	2244	cmd.exe	33
PID 2244 wrote to memory of 2796	2244	cmd.exe	33
PID 2244 wrote to memory of 2796	2244	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\PotatoCheats.exe
"C:\Users\Admin\AppData\Local\Temp\PotatoCheats.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\melt.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2792
- - C:\Users\Admin\AppData\Roaming\setup_x86.exe
    "C:\Users\Admin\AppData\Roaming\setup_x86.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.bat

Filesize
145B

MD5
83afce63ce27c15cda0d728bccbb1438

SHA1
92b5c6303f720c20494f5a1fa976e33eeb3de31d

SHA256
ed0c07656197295add0fd750bb529aaa3153528ca572f77583a7e3bcfd02d841

SHA512
f569ff321acfb853578dc2ac2c8bf4146b96e43ba9b07084fa33602b79fa9875285a8b03f1df6d1b47f3581e5a3029384200b17186617c4584ef6864b605a330

Download Submit
\Users\Admin\AppData\Roaming\setup_x86.exe

Filesize
37KB

MD5
0fdd3bacb59bcf3cc43031b67694c91a

SHA1
8c4b5344105ebca60727e79298cd90cf78fc32a4

SHA256
2564e8641ccd32f9158cff02ec69c813489541194d2692cfbdd97b28cb6fba5e

SHA512
acfc2dc89bd5670ca31378df2c885385f7053ecb68faa119505a4df1569f391636e143e86ebe12ca479d0ee0dc7ce9ce9743a119e740fe86e2ba9de4438abc3a

Download Submit
memory/2508-0-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2508-2-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2508-12-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-17-0x000007FEF5483000-0x000007FEF5484000-memory.dmp

Filesize
4KB

Download
memory/2796-18-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/2796-23-0x000007FEF5483000-0x000007FEF5484000-memory.dmp

Filesize
4KB

Download
memory/2796-24-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing