xworm | ca847cd0a27fd89fc04c1a7972b9d1dcfcf9e9a7be35b21c2d36b4c9f0195bea

General

Target

DSDDDD.exe
Size

69KB
MD5

fa699362343846cc0cef79e11c156718
SHA1

9dc34285424c208a76d7324d76f1643c398d10f5
SHA256

ca847cd0a27fd89fc04c1a7972b9d1dcfcf9e9a7be35b21c2d36b4c9f0195bea
SHA512

56355dfa64fab11bb8d39a73a81217672cbb7a3b408897bdade6b6438ca556ff20f8e0147dcda8d408ddd6c636335d995b2ff129134766eb62ba29c947f242ae
SSDEEP

1536:ML9bRckOzKJXx/FG+Lg+i7Rjazb5C3ECm6ME+dOcGdFfgIl:k/cextGeSjazb5ohUtdOhpVl

Score

10^/10

xworm execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

support-effectiveness.gl.at.ply.gg:49376

Attributes

Install_directory
%AppData%
install_file
fortnite.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3904-1-0x0000000000520000-0x0000000000538000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2228	powershell.exe
676	powershell.exe
964	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DSDDDD.lnk	DSDDDD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DSDDDD.lnk	DSDDDD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Run\DSDDDD = "C:\\Users\\Admin\\AppData\\Roaming\\DSDDDD.exe"	DSDDDD.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	DSDDDD.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	DSDDDD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4396	taskkill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\MuiCache	GameBar.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2287204051-441334380-1151193565-1000\{D8AA949C-0973-44D8-9FE7-F11B6D221696}	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2228	powershell.exe
2228	powershell.exe
676	powershell.exe
676	powershell.exe
964	powershell.exe
964	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3904	DSDDDD.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	3904	DSDDDD.exe
Token: 33	2972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2972	AUDIODG.EXE
Token: SeDebugPrivilege	4396	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3904	DSDDDD.exe
3904	DSDDDD.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2152	GameBar.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 2228	3904	DSDDDD.exe	85
PID 3904 wrote to memory of 2228	3904	DSDDDD.exe	85
PID 3904 wrote to memory of 676	3904	DSDDDD.exe	88
PID 3904 wrote to memory of 676	3904	DSDDDD.exe	88
PID 3904 wrote to memory of 964	3904	DSDDDD.exe	90
PID 3904 wrote to memory of 964	3904	DSDDDD.exe	90
PID 3904 wrote to memory of 4396	3904	DSDDDD.exe	99
PID 3904 wrote to memory of 4396	3904	DSDDDD.exe	99
PID 3904 wrote to memory of 3992	3904	DSDDDD.exe	101
PID 3904 wrote to memory of 3992	3904	DSDDDD.exe	101

C:\Users\Admin\AppData\Local\Temp\DSDDDD.exe
"C:\Users\Admin\AppData\Local\Temp\DSDDDD.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DSDDDD.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DSDDDD.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\DSDDDD.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /F /IM explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=1036,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=5168 /prefetch:14
1⤵
PID:2736

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:244

C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\GameBar.exe
"C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\GameBar.exe" -ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2152

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --always-read-main-dll --field-trial-handle=5376,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:1
1⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --always-read-main-dll --field-trial-handle=4400,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=5124 /prefetch:1
1⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --always-read-main-dll --field-trial-handle=5728,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=5712 /prefetch:1
1⤵
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5788,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:14
1⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5796,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=5840 /prefetch:14
1⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --always-read-main-dll --field-trial-handle=6384,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=6412 /prefetch:1
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8a7ab7bae6a69946da69507ee7ae7b0

SHA1
b367c72fa4948493819e1c32c32239aa6e78c252

SHA256
cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272

SHA512
89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\7bee2d2a-f1e6-4094-b820-99814186e25b.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3deyv0o.yc4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
1bb6f9d8b88cb60cca5ed849aceb448e

SHA1
efd6ff439ad1edf8b113508cbea8fde1895e5ab4

SHA256
603169981a05995dc78efaa581bf6b8cbc36c52094db13997a8596056fef7fb1

SHA512
160cd3baa3c9f5f564554421a48261c8a0bf14bd1043b74581be470259954808e3140ed9f99923b908769a33075d24644e594b0929b0328b595988de94116903

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/676-31-0x000001D8EC020000-0x000001D8EC16F000-memory.dmp

Filesize
1.3MB

Download
memory/964-42-0x0000021E1CB10000-0x0000021E1CC5F000-memory.dmp

Filesize
1.3MB

Download
memory/2228-13-0x00007FFEEBCA0000-0x00007FFEEC762000-memory.dmp

Filesize
10.8MB

Download
memory/2228-11-0x00007FFEEBCA0000-0x00007FFEEC762000-memory.dmp

Filesize
10.8MB

Download
memory/2228-18-0x0000027A9B890000-0x0000027A9B9DF000-memory.dmp

Filesize
1.3MB

Download
memory/2228-15-0x00007FFEEBCA0000-0x00007FFEEC762000-memory.dmp

Filesize
10.8MB

Download
memory/2228-14-0x00007FFEEBCA0000-0x00007FFEEC762000-memory.dmp

Filesize
10.8MB

Download
memory/2228-2-0x0000027A9B690000-0x0000027A9B6B2000-memory.dmp

Filesize
136KB

Download
memory/2228-12-0x00007FFEEBCA0000-0x00007FFEEC762000-memory.dmp

Filesize
10.8MB

Download
memory/2228-19-0x00007FFEEBCA0000-0x00007FFEEC762000-memory.dmp

Filesize
10.8MB

Download
memory/3904-50-0x00007FFEEBCA0000-0x00007FFEEC762000-memory.dmp

Filesize
10.8MB

Download
memory/3904-51-0x000000001B2D0000-0x000000001B2DA000-memory.dmp

Filesize
40KB

Download
memory/3904-49-0x00007FFEEBCA0000-0x00007FFEEC762000-memory.dmp

Filesize
10.8MB

Download
memory/3904-0-0x00007FFEEBCA3000-0x00007FFEEBCA5000-memory.dmp

Filesize
8KB

Download
memory/3904-72-0x000000001B0A0000-0x000000001B0AA000-memory.dmp

Filesize
40KB

Download
memory/3904-77-0x000000001BB00000-0x000000001BB0C000-memory.dmp

Filesize
48KB

Download
memory/3904-1-0x0000000000520000-0x0000000000538000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads