xworm | bb6ebd1e6609ffd3ca442aa965cebdab07071715abef65b46e145ad1f700a2d6

General

Target

GXK5E_fsdjgfsdhnfgsd.bat
Size

65KB
MD5

e6ee7aca370346191e07ae542b95cb8c
SHA1

0a2376a42bd1639cab1909e22ad423a4cefab293
SHA256

bb6ebd1e6609ffd3ca442aa965cebdab07071715abef65b46e145ad1f700a2d6
SHA512

7583d3b036ed7bd23f480772fb6f2f70acca8f01be0b6a2a45eb1d7887d38060c2e49435a1e04db8a3a6f06d5200b794bd604559576b6310618607837614cf4a
SSDEEP

1536:ypDhvQgdHQgXro4uFtnqK00ZVrKt1ag2pN7Gop:yXE4uFkKLkanNSop

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.144.212.242:7000

Mutex

GHrcTVoc3c8G04bh

Attributes

Install_directory
%AppData%
install_file
SubDir.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015d76-5.dat	family_xworm
behavioral1/memory/1224-7-0x00000000001A0000-0x00000000001B2000-memory.dmp	family_xworm
behavioral1/memory/2240-42-0x0000000000180000-0x0000000000192000-memory.dmp	family_xworm
behavioral1/memory/2996-45-0x0000000000CC0000-0x0000000000CD2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1708	powershell.exe
2416	powershell.exe
2128	powershell.exe
2752	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SubDir.lnk	embedded.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SubDir.lnk	embedded.exe

Executes dropped EXE 3 IoCs

pid	Process
1224	embedded.exe
2240	SubDir.exe
2996	SubDir.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SubDir = "C:\\Users\\Admin\\AppData\\Roaming\\SubDir.exe"	embedded.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
2560	certutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1708	powershell.exe
2416	powershell.exe
2128	powershell.exe
2752	powershell.exe
1224	embedded.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	embedded.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	1224	embedded.exe
Token: SeDebugPrivilege	2240	SubDir.exe
Token: SeDebugPrivilege	2996	SubDir.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1224	embedded.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2560	2908	cmd.exe	29
PID 2908 wrote to memory of 2560	2908	cmd.exe	29
PID 2908 wrote to memory of 2560	2908	cmd.exe	29
PID 2908 wrote to memory of 1224	2908	cmd.exe	30
PID 2908 wrote to memory of 1224	2908	cmd.exe	30
PID 2908 wrote to memory of 1224	2908	cmd.exe	30
PID 1224 wrote to memory of 1708	1224	embedded.exe	31
PID 1224 wrote to memory of 1708	1224	embedded.exe	31
PID 1224 wrote to memory of 1708	1224	embedded.exe	31
PID 1224 wrote to memory of 2416	1224	embedded.exe	33
PID 1224 wrote to memory of 2416	1224	embedded.exe	33
PID 1224 wrote to memory of 2416	1224	embedded.exe	33
PID 1224 wrote to memory of 2128	1224	embedded.exe	35
PID 1224 wrote to memory of 2128	1224	embedded.exe	35
PID 1224 wrote to memory of 2128	1224	embedded.exe	35
PID 1224 wrote to memory of 2752	1224	embedded.exe	37
PID 1224 wrote to memory of 2752	1224	embedded.exe	37
PID 1224 wrote to memory of 2752	1224	embedded.exe	37
PID 1224 wrote to memory of 2640	1224	embedded.exe	39
PID 1224 wrote to memory of 2640	1224	embedded.exe	39
PID 1224 wrote to memory of 2640	1224	embedded.exe	39
PID 1056 wrote to memory of 2240	1056	taskeng.exe	45
PID 1056 wrote to memory of 2240	1056	taskeng.exe	45
PID 1056 wrote to memory of 2240	1056	taskeng.exe	45
PID 1056 wrote to memory of 2996	1056	taskeng.exe	46
PID 1056 wrote to memory of 2996	1056	taskeng.exe	46
PID 1056 wrote to memory of 2996	1056	taskeng.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\GXK5E_fsdjgfsdhnfgsd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\system32\certutil.exe
  certutil -decode "C:\Users\Admin\AppData\Local\Temp\embedded.b64" "C:\Users\Admin\AppData\Local\Temp\embedded.exe"
  2⤵
  - Deobfuscate/Decode Files or Information
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\embedded.exe
  "C:\Users\Admin\AppData\Local\Temp\embedded.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\embedded.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'embedded.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SubDir.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SubDir.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SubDir" /tr "C:\Users\Admin\AppData\Roaming\SubDir.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2640

C:\Windows\system32\taskeng.exe
taskeng.exe {2DCF27B3-C33C-4456-B14C-BFECBF6D6421} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Roaming\SubDir.exe
  C:\Users\Admin\AppData\Roaming\SubDir.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Users\Admin\AppData\Roaming\SubDir.exe
  C:\Users\Admin\AppData\Roaming\SubDir.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Deobfuscate/Decode Files or Information

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\embedded.b64

Filesize
59KB

MD5
476b3a0d11e655cba521f65a6fb7ccf5

SHA1
ac7f49b99763623d027c1304a49e1e45919d3f4b

SHA256
38d8568e0998d1d0c7e2db397e789e47b2a23ff5aad08997bfa07c467b19653e

SHA512
5d0b9ae14ffaa6adcc5be48abc42cdf02b7f46a90233f4b5993ff986bec7998b51a6ff0132b780e12a907c031a03661a59ee44649d32e79f17b3d8697e64f849

Download Submit
C:\Users\Admin\AppData\Local\Temp\embedded.exe

Filesize
43KB

MD5
f730dc4b0cebd71d388820cfa959cc25

SHA1
4a9513caec0e605309770c20e983d400e0246d51

SHA256
24472004e0e2f6bd1e9205c4d16138bb5bf8e482e91400dcb137db4099e582ea

SHA512
b5bbdc24b8c4a984b069cceaee04beb6441891ba9723ad0af5e2fd93abaa320dda385f67844d6827c186bd9594fe04b93cfa2a9aa1a4ed6ff61969875a273deb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OAVZVZCWM2RCZ406M3C8.temp

Filesize
7KB

MD5
89c2cc5d128d896caf564bfb1a93be27

SHA1
6860c7cddc8dc4d62738206d56a3f7016f319426

SHA256
018c7d7acc84252b275b7494e4b3778e23947412855d62605b55d8897fff4db4

SHA512
32758ffe92a0034276fea4c17d01ccc7c438c2d178db32eb57be1b67769aef35cedde5b1a042c09b6c642bd86b3c3a4c21ad23edb343aed8f2fa16316e7166bb

Download Submit
memory/1224-7-0x00000000001A0000-0x00000000001B2000-memory.dmp

Filesize
72KB

Download
memory/1224-6-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

Filesize
4KB

Download
memory/1224-36-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/1224-37-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

Filesize
4KB

Download
memory/1224-38-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/1708-12-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/1708-13-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2240-42-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/2416-19-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2416-20-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/2996-45-0x0000000000CC0000-0x0000000000CD2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads