xworm | 3078fd49e34b13f710f0b4d15b48f412ca8e5bbd7e6f9b9266cb29af0e0c37b9

General

Target

fatality-password-123 (123).zip
Size

29.2MB
MD5

2d41ff52dc1e52d1cd699ca40a167b53
SHA1

66d124bff088f410081c80e127562f3f811c745d
SHA256

3078fd49e34b13f710f0b4d15b48f412ca8e5bbd7e6f9b9266cb29af0e0c37b9
SHA512

8fea200e6104e181138c4d5678adad53c6c92bbf02961470c05e9d9d50533462811a246cbb0e8a64174d6077059bcb99896d1d1fae9a62fb026890a20b914753
SSDEEP

786432:NkwzyLl3US+vSuB80vutpvHxTQXcF3T8QhjavVMNn7gJCtm9n:Nke2l3iSe800PewhuvKn0JCSn

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

22.ip.gl.ply.gg:35699

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7993755657:AAFO640EjOsY8e2cOR8daPzBSHn1uGW4C9s/sendMessage?chat_id=6749074492

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000200000001e72d-24.dat	family_xworm
behavioral1/memory/2864-26-0x0000000000A60000-0x0000000000A7A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3556	powershell.exe
5104	powershell.exe
3460	powershell.exe
724	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Fatality.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	Fatality.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	Fatality.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
5104	powershell.exe
5104	powershell.exe
5104	powershell.exe
3460	powershell.exe
3460	powershell.exe
3460	powershell.exe
724	powershell.exe
724	powershell.exe
724	powershell.exe
2864	Fatality.exe
2864	Fatality.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	848	7zFM.exe
Token: 35	848	7zFM.exe
Token: SeSecurityPrivilege	848	7zFM.exe
Token: SeDebugPrivilege	2864	Fatality.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	724	powershell.exe
Token: SeDebugPrivilege	2864	Fatality.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
848	7zFM.exe
848	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2864	Fatality.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 3556	2864	Fatality.exe	100
PID 2864 wrote to memory of 3556	2864	Fatality.exe	100
PID 2864 wrote to memory of 5104	2864	Fatality.exe	102
PID 2864 wrote to memory of 5104	2864	Fatality.exe	102
PID 2864 wrote to memory of 3460	2864	Fatality.exe	104
PID 2864 wrote to memory of 3460	2864	Fatality.exe	104
PID 2864 wrote to memory of 724	2864	Fatality.exe	106
PID 2864 wrote to memory of 724	2864	Fatality.exe	106

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\fatality-password-123 (123).zip"
1⤵
PID:3012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1292

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\fatality-password-123 (123).zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:848

C:\Users\Admin\Desktop\fatality-password-123\Fatality.exe
"C:\Users\Admin\Desktop\fatality-password-123\Fatality.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\fatality-password-123\Fatality.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Fatality.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pn0scvvm.4zb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\fatality-password-123\Fatality.exe

Filesize
85KB

MD5
c0a944ab6b43f26e5f99ed3482a170f9

SHA1
25f39bbb15ba301a8306acc34ee80b86c1dd4981

SHA256
e3db628bdb796e69d1fae92c3bfff56fafe90402b338b1162409df800fd22c25

SHA512
e888f911ee7ef71f5e9cabb064ec283ff78436c43a5c88f86d55ec194f5cc0da3c7eb7d4c561280608bbba3f2077633097bf88f4e3adf2837d86477a60934e76

Download Submit
memory/2864-26-0x0000000000A60000-0x0000000000A7A000-memory.dmp

Filesize
104KB

Download
memory/3556-32-0x000002A9DFF70000-0x000002A9DFF92000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads