xworm | 3e29a57bde610ff61c422796b89fc4332f265cc50e966593fc2b00bb23a13a21

General

Target

SystemSettings.exe
Size

332KB
MD5

701a94f53d54d38a11f4e60bc4f95b18
SHA1

7413f5e4fc73eaf07d9d6cd67fc88fd40b70d9d0
SHA256

9233d5872258aa674b015b57a4f37ca43a22524a682382cd88969cef135dacdb
SHA512

4d63f155adbc5271fc82a263c4df29566ffbabb512ad2a7c73736969b29760bc0ae86e58f396907b8afa8791e8a8b042c895f94126a00da8c0b050e7ef343440
SSDEEP

6144:6qXq7egSKNNO3BLZsgd8+f0Pn95maRWFjt:6qapSKNNOpZsgdQbmamjt

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

uoqo0jDHykn623lG

Attributes

Install_directory
%Public%
install_file
SystemSettings.exe
pastebin_url
https://pastebin.com/raw/4zaiEtZS
telegram
https://api.telegram.org/bot8175192176:AAHZuZ0-rHS66YSwsvh8-gQjbZYSbY3IyXo/sendMessage?chat_id=7537927256

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2308-23-0x0000000000570000-0x000000000058E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1040	powershell.exe
624	powershell.exe
2780	powershell.exe
2944	powershell.exe
1984	powershell.exe
1580	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2308	SystemSettings.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 44 IoCs

Web Service

T1102

flow	ioc
29	pastebin.com
33	pastebin.com
40	pastebin.com
13	pastebin.com
18	pastebin.com
44	pastebin.com
11	pastebin.com
14	pastebin.com
43	pastebin.com
5	pastebin.com
7	pastebin.com
12	pastebin.com
15	pastebin.com
16	pastebin.com
19	pastebin.com
20	pastebin.com
36	pastebin.com
9	pastebin.com
10	pastebin.com
21	pastebin.com
26	pastebin.com
34	pastebin.com
35	pastebin.com
41	pastebin.com
47	pastebin.com
31	pastebin.com
4	pastebin.com
23	pastebin.com
25	pastebin.com
27	pastebin.com
30	pastebin.com
37	pastebin.com
39	pastebin.com
8	pastebin.com
28	pastebin.com
32	pastebin.com
38	pastebin.com
42	pastebin.com
45	pastebin.com
46	pastebin.com
6	pastebin.com
17	pastebin.com
22	pastebin.com
24	pastebin.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\SystemSettings.exe	SystemSettings.exe
File opened for modification	C:\Windows\System32\SystemSettings.exe	SystemSettings.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2780	powershell.exe
2944	powershell.exe
1984	powershell.exe
1580	powershell.exe
1040	powershell.exe
624	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	SystemSettings.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2308	SystemSettings.exe
Token: SeDebugPrivilege	2308	SystemSettings.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2780	2700	SystemSettings.exe	30
PID 2700 wrote to memory of 2780	2700	SystemSettings.exe	30
PID 2700 wrote to memory of 2780	2700	SystemSettings.exe	30
PID 2700 wrote to memory of 2944	2700	SystemSettings.exe	32
PID 2700 wrote to memory of 2944	2700	SystemSettings.exe	32
PID 2700 wrote to memory of 2944	2700	SystemSettings.exe	32
PID 2084 wrote to memory of 2308	2084	taskeng.exe	35
PID 2084 wrote to memory of 2308	2084	taskeng.exe	35
PID 2084 wrote to memory of 2308	2084	taskeng.exe	35
PID 2308 wrote to memory of 1984	2308	SystemSettings.exe	36
PID 2308 wrote to memory of 1984	2308	SystemSettings.exe	36
PID 2308 wrote to memory of 1984	2308	SystemSettings.exe	36
PID 2308 wrote to memory of 1580	2308	SystemSettings.exe	38
PID 2308 wrote to memory of 1580	2308	SystemSettings.exe	38
PID 2308 wrote to memory of 1580	2308	SystemSettings.exe	38
PID 2308 wrote to memory of 1040	2308	SystemSettings.exe	40
PID 2308 wrote to memory of 1040	2308	SystemSettings.exe	40
PID 2308 wrote to memory of 1040	2308	SystemSettings.exe	40
PID 2308 wrote to memory of 624	2308	SystemSettings.exe	42
PID 2308 wrote to memory of 624	2308	SystemSettings.exe	42
PID 2308 wrote to memory of 624	2308	SystemSettings.exe	42
PID 2308 wrote to memory of 2136	2308	SystemSettings.exe	44
PID 2308 wrote to memory of 2136	2308	SystemSettings.exe	44
PID 2308 wrote to memory of 2136	2308	SystemSettings.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SystemSettings.exe
"C:\Users\Admin\AppData\Local\Temp\SystemSettings.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SystemSettings.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSettings.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944

C:\Windows\system32\taskeng.exe
taskeng.exe {9039A619-C69F-4727-9E25-6B20BA52046F} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\System32\SystemSettings.exe
  C:\Windows\System32\SystemSettings.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SystemSettings.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSettings.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\SystemSettings.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSettings.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemSettings" /tr "C:\Users\Public\SystemSettings.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ec5c35fa5bfaa3a712895c6ab20ccbce

SHA1
21934d233307f52b4159f01ee16f9b95e26c7608

SHA256
79357c895ac711b4c263a8ed40cf6e50c229c2db2a1657a94cd97dee00daf169

SHA512
c32212b2fbb56992175eb92c3d9513556d077dffa14527196cb1562c7a35518165801ca28465512aa3cc3ee6ee130f60928e132b9a66a60670d0fe9272762ff1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c7fd15716c6af94dd111865e1b98f7b

SHA1
623a1f99045ae36a70bc0772be20591b4887ca4b

SHA256
88ffdda72cd7c9a2d5013e57ca32a7d3d08e555d7226f6c949bacd05addcaea3

SHA512
6b6d43f67a9e3efe9e6643c60135df01325cc61ed3f4033aad4b274ef958a1ae38ab621e5e0e5a54181a20bf74c512e0ae23c157bfb3f9f215d53a8a86c2a6a8

Download Submit
C:\Windows\System32\SystemSettings.exe

Filesize
332KB

MD5
701a94f53d54d38a11f4e60bc4f95b18

SHA1
7413f5e4fc73eaf07d9d6cd67fc88fd40b70d9d0

SHA256
9233d5872258aa674b015b57a4f37ca43a22524a682382cd88969cef135dacdb

SHA512
4d63f155adbc5271fc82a263c4df29566ffbabb512ad2a7c73736969b29760bc0ae86e58f396907b8afa8791e8a8b042c895f94126a00da8c0b050e7ef343440

Download Submit
memory/2308-23-0x0000000000570000-0x000000000058E000-memory.dmp

Filesize
120KB

Download
memory/2308-22-0x00000000011B0000-0x000000000120A000-memory.dmp

Filesize
360KB

Download
memory/2700-18-0x00000000009E0000-0x0000000000A60000-memory.dmp

Filesize
512KB

Download
memory/2700-1-0x0000000000A80000-0x0000000000ADA000-memory.dmp

Filesize
360KB

Download
memory/2700-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/2780-7-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2780-8-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2780-6-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2944-15-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2944-14-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads