xworm | c750a86768228dbb5143efaf9bf1fc980129ed2b51be5bb40ef1db2dd41e9c05

General

Target

shootingtheoops.exe
Size

39KB
MD5

c9bd74622a8a1531b93a03ac9c3ba67d
SHA1

b0354cf79ae41e2320d888a38d1c62915bb79445
SHA256

c750a86768228dbb5143efaf9bf1fc980129ed2b51be5bb40ef1db2dd41e9c05
SHA512

6bacb2e43ac5c3d8d2922091f1e263ccfaae3317b0eaae80f973e1344fcb3ce07091712edaa5ab0f9518d08b963c39b13ef085592dc6410509a21fefcab52263
SSDEEP

768:vifC8qTvhE58LEIDPiKuukR7LH3tTfFWPt9eE56cOMh+alE:viTqTvhOeEIbiKuumnNFe9eE56cOME3

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

M6KBt08Rxl7gnMQb

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1964-1-0x0000000000060000-0x0000000000070000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4896	powershell.exe
4772	powershell.exe
4968	powershell.exe
4916	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	shootingtheoops.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\THE BLACKS.lnk	shootingtheoops.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\THE BLACKS.lnk	shootingtheoops.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\THE BLACKS = "C:\\Users\\Admin\\AppData\\Roaming\\THE BLACKS"	shootingtheoops.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4772	powershell.exe
4772	powershell.exe
4968	powershell.exe
4968	powershell.exe
4916	powershell.exe
4916	powershell.exe
4896	powershell.exe
4896	powershell.exe
1964	shootingtheoops.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	shootingtheoops.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	1964	shootingtheoops.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1964	shootingtheoops.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4772	1964	shootingtheoops.exe	89
PID 1964 wrote to memory of 4772	1964	shootingtheoops.exe	89
PID 1964 wrote to memory of 4968	1964	shootingtheoops.exe	93
PID 1964 wrote to memory of 4968	1964	shootingtheoops.exe	93
PID 1964 wrote to memory of 4916	1964	shootingtheoops.exe	95
PID 1964 wrote to memory of 4916	1964	shootingtheoops.exe	95
PID 1964 wrote to memory of 4896	1964	shootingtheoops.exe	97
PID 1964 wrote to memory of 4896	1964	shootingtheoops.exe	97

C:\Users\Admin\AppData\Local\Temp\shootingtheoops.exe
"C:\Users\Admin\AppData\Local\Temp\shootingtheoops.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\shootingtheoops.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'shootingtheoops.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\THE BLACKS'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'THE BLACKS'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
20ded99aaae0f053d8e281c66f754d3b

SHA1
330c58bef8b0e74a0bb7af793632c6b5e26993ee

SHA256
3b574cecd60edbe127171f2a0b5aa3f6531218d9894541d3b8b2ac84715430f4

SHA512
a7fee871aeb6234aab44e08b5817c2a5670d4c8e06f666b5ecd56bcc716432e7fd8484a8d07e6b92b9dea197ac2dc3f825c3539a34b98c1b17ae1487a5db92a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2s4zyzqd.4y0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1964-1-0x0000000000060000-0x0000000000070000-memory.dmp

Filesize
64KB

Download
memory/1964-0-0x00007FFE35CE3000-0x00007FFE35CE5000-memory.dmp

Filesize
8KB

Download
memory/1964-57-0x00007FFE35CE0000-0x00007FFE367A1000-memory.dmp

Filesize
10.8MB

Download
memory/1964-56-0x00007FFE35CE3000-0x00007FFE35CE5000-memory.dmp

Filesize
8KB

Download
memory/1964-55-0x00007FFE35CE0000-0x00007FFE367A1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-11-0x0000025758680000-0x00000257586A2000-memory.dmp

Filesize
136KB

Download
memory/4772-17-0x00007FFE35CE0000-0x00007FFE367A1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-14-0x00007FFE35CE0000-0x00007FFE367A1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-13-0x00007FFE35CE0000-0x00007FFE367A1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-12-0x00007FFE35CE0000-0x00007FFE367A1000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads