xworm | c750a86768228dbb5143efaf9bf1fc980129ed2b51be5bb40ef1db2dd41e9c05

General

Target

shootingtheoops.exe
Size

39KB
MD5

c9bd74622a8a1531b93a03ac9c3ba67d
SHA1

b0354cf79ae41e2320d888a38d1c62915bb79445
SHA256

c750a86768228dbb5143efaf9bf1fc980129ed2b51be5bb40ef1db2dd41e9c05
SHA512

6bacb2e43ac5c3d8d2922091f1e263ccfaae3317b0eaae80f973e1344fcb3ce07091712edaa5ab0f9518d08b963c39b13ef085592dc6410509a21fefcab52263
SSDEEP

768:vifC8qTvhE58LEIDPiKuukR7LH3tTfFWPt9eE56cOMh+alE:viTqTvhOeEIbiKuumnNFe9eE56cOME3

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

M6KBt08Rxl7gnMQb

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2720-1-0x0000000000A00000-0x0000000000A10000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2828	powershell.exe
2572	powershell.exe
2416	powershell.exe
1096	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\THE BLACKS.lnk	shootingtheoops.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\THE BLACKS.lnk	shootingtheoops.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\THE BLACKS = "C:\\Users\\Admin\\AppData\\Roaming\\THE BLACKS"	shootingtheoops.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2828	powershell.exe
2572	powershell.exe
2416	powershell.exe
1096	powershell.exe
2720	shootingtheoops.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	shootingtheoops.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	2720	shootingtheoops.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2720	shootingtheoops.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2828	2720	shootingtheoops.exe	30
PID 2720 wrote to memory of 2828	2720	shootingtheoops.exe	30
PID 2720 wrote to memory of 2828	2720	shootingtheoops.exe	30
PID 2720 wrote to memory of 2572	2720	shootingtheoops.exe	32
PID 2720 wrote to memory of 2572	2720	shootingtheoops.exe	32
PID 2720 wrote to memory of 2572	2720	shootingtheoops.exe	32
PID 2720 wrote to memory of 2416	2720	shootingtheoops.exe	34
PID 2720 wrote to memory of 2416	2720	shootingtheoops.exe	34
PID 2720 wrote to memory of 2416	2720	shootingtheoops.exe	34
PID 2720 wrote to memory of 1096	2720	shootingtheoops.exe	36
PID 2720 wrote to memory of 1096	2720	shootingtheoops.exe	36
PID 2720 wrote to memory of 1096	2720	shootingtheoops.exe	36

C:\Users\Admin\AppData\Local\Temp\shootingtheoops.exe
"C:\Users\Admin\AppData\Local\Temp\shootingtheoops.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\shootingtheoops.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'shootingtheoops.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\THE BLACKS'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'THE BLACKS'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b58421f512254c68ec32602dc4364b36

SHA1
4f079f3950ae7f4b102b7037a1daa24a6ac856d5

SHA256
3e24ebdb01b335ae61d4d85bacc6e8af92ca12714ae0ff741a1dbeec2199cd78

SHA512
4be12e3e7cb4f36ae7711dabd120a19ec6696bfcacf5abf1ed038b2e1948cf0164707a15304216aff7c366fbcb11d57c95f81b2730fa1f834f386441967d94b1

Download Submit
memory/2572-14-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2572-15-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2720-0-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

Filesize
4KB

Download
memory/2720-1-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/2720-30-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/2720-31-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

Filesize
4KB

Download
memory/2720-32-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/2828-6-0x0000000002C00000-0x0000000002C80000-memory.dmp

Filesize
512KB

Download
memory/2828-7-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2828-8-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads