xworm | fabc467aee7674695a0e55e90f4d7136835d9876fddeac5a9af3e4a071772af5

General

Target

Client1.exe
Size

57KB
MD5

1e0aa64bead9e0338618646b79e4a77b
SHA1

8c3985be98bbfbbc02a0ec6d2d5801483251cf84
SHA256

fabc467aee7674695a0e55e90f4d7136835d9876fddeac5a9af3e4a071772af5
SHA512

eef3fc34edf692ef633080f3fc8ae84c3c60ade77774d994186337a25b9bc26c0a7b0b011d9b03fffbe26c5c3516b3befe4d4fb843d3350d97abdd33b8dcdf83
SSDEEP

768:HBywQrCTMMHowDEBB1MlaXe18di8Zkbkjyh16HUdWVgOLIh6mpN:HE5MIBlQaX68HkbkjyhiUsVgOLID

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

park-meetup.gl.at.ply.gg:62592

Attributes

Install_directory
%AppData%
install_file
test.exe
telegram
https://api.telegram.org/bot7562309856:AAFIj99L-jF0g413E29-ASuHw7g8dapP63M/sendMessage?chat_id=7880028202

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4424-1-0x0000000000300000-0x0000000000314000-memory.dmp	family_xworm
behavioral2/files/0x00080000000281aa-11.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	Client1.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.lnk	Client1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.lnk	Client1.exe

Executes dropped EXE 2 IoCs

pid	Process
5796	test.exe
1588	test.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Users\\Admin\\AppData\\Roaming\\test.exe"	Client1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3108	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1632	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	Client1.exe
Token: SeDebugPrivilege	5796	test.exe
Token: SeDebugPrivilege	1588	test.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 1632	4424	Client1.exe	86
PID 4424 wrote to memory of 1632	4424	Client1.exe	86
PID 4424 wrote to memory of 4084	4424	Client1.exe	94
PID 4424 wrote to memory of 4084	4424	Client1.exe	94
PID 4424 wrote to memory of 8	4424	Client1.exe	96
PID 4424 wrote to memory of 8	4424	Client1.exe	96
PID 8 wrote to memory of 3108	8	cmd.exe	98
PID 8 wrote to memory of 3108	8	cmd.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client1.exe
"C:\Users\Admin\AppData\Local\Temp\Client1.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "test" /tr "C:\Users\Admin\AppData\Roaming\test.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1632
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "test"
  2⤵
  PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpED35.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3108

C:\Users\Admin\AppData\Roaming\test.exe
"C:\Users\Admin\AppData\Roaming\test.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5796

C:\Users\Admin\AppData\Roaming\test.exe
"C:\Users\Admin\AppData\Roaming\test.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\test.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpED35.tmp.bat

Filesize
159B

MD5
f992081faf753219c06631cae1c91449

SHA1
61952dadeb5ba8d7a39909750074a938ff2a055b

SHA256
5272ed2e2792fc651b319da8082eb495fb553edd9f3fb3b6ce9af575815b19b8

SHA512
fe103b371d7bfbd309d44f4d15466fc2c6738ce82789abaf666df3c995bb6e1edfd5343927eae00bff7ebafaa52f1e6d1eea43ea7172b3ae7bcf1c1b05c16d9b

Download Submit
C:\Users\Admin\AppData\Roaming\test.exe

Filesize
57KB

MD5
1e0aa64bead9e0338618646b79e4a77b

SHA1
8c3985be98bbfbbc02a0ec6d2d5801483251cf84

SHA256
fabc467aee7674695a0e55e90f4d7136835d9876fddeac5a9af3e4a071772af5

SHA512
eef3fc34edf692ef633080f3fc8ae84c3c60ade77774d994186337a25b9bc26c0a7b0b011d9b03fffbe26c5c3516b3befe4d4fb843d3350d97abdd33b8dcdf83

Download Submit
memory/4424-0-0x00007FFC63DB3000-0x00007FFC63DB5000-memory.dmp

Filesize
8KB

Download
memory/4424-1-0x0000000000300000-0x0000000000314000-memory.dmp

Filesize
80KB

Download
memory/4424-6-0x00007FFC63DB0000-0x00007FFC64872000-memory.dmp

Filesize
10.8MB

Download
memory/4424-7-0x000000001BC40000-0x000000001BD44000-memory.dmp

Filesize
1.0MB

Download
memory/4424-8-0x00007FFC63DB3000-0x00007FFC63DB5000-memory.dmp

Filesize
8KB

Download
memory/4424-9-0x00007FFC63DB0000-0x00007FFC64872000-memory.dmp

Filesize
10.8MB

Download
memory/4424-23-0x00007FFC63DB0000-0x00007FFC64872000-memory.dmp

Filesize
10.8MB

Download
memory/5796-13-0x00007FFC63DB0000-0x00007FFC64872000-memory.dmp

Filesize
10.8MB

Download
memory/5796-15-0x00007FFC63DB0000-0x00007FFC64872000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads