xworm | 73c6fa2e52043649f60d92324da6b3668553539f4c6b43f595e4e093f7883934

General

Target

PJsPp3e.exe
Size

43KB
MD5

ea69167000ca8cd93a6f327c19a1c7c9
SHA1

2af8e932bd1a6bf0c0074ef98e12bc34c26f8994
SHA256

73c6fa2e52043649f60d92324da6b3668553539f4c6b43f595e4e093f7883934
SHA512

5291d96024760668e525b2ef97b8b41f83d94d15911acbf1b82b970a1d5a8647fe78a779df46c83bac2a471b7fbd512942aa841d680447e63af8a4db0735d3c9
SSDEEP

768:tlqRZ9SFb+U89ORdtwDTUF59EWlOChlf9dTsL:tERZ9q1HtgQF59EWlOC7VlsL

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:6666

5.180.155.29:6666

Mutex

QPPP7ypX2vFWlxk3

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot8016176478:AAGVLtLncU8-ZLd-P86FqeQzAOXJybu2R9g/sendMessage?chat_id=5165347769

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2424-1-0x0000000000060000-0x0000000000072000-memory.dmp	family_xworm
behavioral1/files/0x0004000000026953-8.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	PJsPp3e.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ssvchost.lnk	PJsPp3e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ssvchost.lnk	PJsPp3e.exe

Executes dropped EXE 2 IoCs

pid	Process
5108	ssvchost
1480	ssvchost

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssvchost = "C:\\Users\\Admin\\AppData\\Roaming\\ssvchost"	PJsPp3e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2424	PJsPp3e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	PJsPp3e.exe
Token: SeDebugPrivilege	5108	ssvchost
Token: SeDebugPrivilege	1480	ssvchost

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2424	PJsPp3e.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2624	2424	PJsPp3e.exe	82
PID 2424 wrote to memory of 2624	2424	PJsPp3e.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PJsPp3e.exe
"C:\Users\Admin\AppData\Local\Temp\PJsPp3e.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ssvchost" /tr "C:\Users\Admin\AppData\Roaming\ssvchost"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ssvchost
1⤵
PID:3488

C:\Users\Admin\AppData\Roaming\ssvchost
"C:\Users\Admin\AppData\Roaming\ssvchost"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Users\Admin\AppData\Roaming\ssvchost
"C:\Users\Admin\AppData\Roaming\ssvchost"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ssvchost.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Roaming\ssvchost

Filesize
43KB

MD5
ea69167000ca8cd93a6f327c19a1c7c9

SHA1
2af8e932bd1a6bf0c0074ef98e12bc34c26f8994

SHA256
73c6fa2e52043649f60d92324da6b3668553539f4c6b43f595e4e093f7883934

SHA512
5291d96024760668e525b2ef97b8b41f83d94d15911acbf1b82b970a1d5a8647fe78a779df46c83bac2a471b7fbd512942aa841d680447e63af8a4db0735d3c9

Download Submit
memory/2424-0-0x00007FFA54103000-0x00007FFA54105000-memory.dmp

Filesize
8KB

Download
memory/2424-1-0x0000000000060000-0x0000000000072000-memory.dmp

Filesize
72KB

Download
memory/2424-5-0x00007FFA54100000-0x00007FFA54BC2000-memory.dmp

Filesize
10.8MB

Download
memory/2424-6-0x00007FFA54103000-0x00007FFA54105000-memory.dmp

Filesize
8KB

Download
memory/2424-7-0x00007FFA54100000-0x00007FFA54BC2000-memory.dmp

Filesize
10.8MB

Download
memory/5108-10-0x00007FFA54100000-0x00007FFA54BC2000-memory.dmp

Filesize
10.8MB

Download
memory/5108-12-0x00007FFA54100000-0x00007FFA54BC2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads