xworm | 1b1611bfa2f8c3e714cb95a98bf4f565fe197432703993de521152208da6cd01

General

Target

22222222.exe
Size

43KB
MD5

28bcf32fcb318339dd64c8ffbda36b92
SHA1

6d1f7481ab5c4bd19df3ad2d36912e1e42bb1e6c
SHA256

1b1611bfa2f8c3e714cb95a98bf4f565fe197432703993de521152208da6cd01
SHA512

23ed60a39b347e375e5ebb47a4dc5bca725772c8ecb3b5986ef71a7523be23f4bc5f05351583430475d5af8515d306b162ec1fd44d06bf1d2286b0eff20d2cbb
SSDEEP

768:SJ3a5ocRaQStXXq72sa+B0FFRPM9Wq6ZOChLvubWaT:Ca5orrda9GF69Wq6ZOCN2qaT

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

16.ip.gl.ply.gg:59701

Mutex

xtdPQVbeoiyzoNhe

Attributes

Install_directory
%LocalAppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/3608-0-0x0000000000F70000-0x0000000000F82000-memory.dmp	family_xworm
behavioral1/files/0x000d000000022cc4-75.dat	family_xworm
behavioral1/files/0x000d000000022cc4-76.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	22222222.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	22222222.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	22222222.exe

Executes dropped EXE 1 IoCs

pid	Process
3408	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Local\\XClient.exe"	22222222.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3048	powershell.exe
3048	powershell.exe
2160	powershell.exe
2160	powershell.exe
4668	powershell.exe
4668	powershell.exe
4084	powershell.exe
4084	powershell.exe
3608	22222222.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3608	22222222.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	3608	22222222.exe
Token: SeDebugPrivilege	3408	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3608	22222222.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 3048	3608	22222222.exe	89
PID 3608 wrote to memory of 3048	3608	22222222.exe	89
PID 3608 wrote to memory of 2160	3608	22222222.exe	93
PID 3608 wrote to memory of 2160	3608	22222222.exe	93
PID 3608 wrote to memory of 4668	3608	22222222.exe	96
PID 3608 wrote to memory of 4668	3608	22222222.exe	96
PID 3608 wrote to memory of 4084	3608	22222222.exe	98
PID 3608 wrote to memory of 4084	3608	22222222.exe	98
PID 3608 wrote to memory of 1964	3608	22222222.exe	102
PID 3608 wrote to memory of 1964	3608	22222222.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\22222222.exe
"C:\Users\Admin\AppData\Local\Temp\22222222.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22222222.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '22222222.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Local\XClient.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1964

C:\Users\Admin\AppData\Local\XClient.exe
C:\Users\Admin\AppData\Local\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
caae66b2d6030f85188e48e4ea3a9fa6

SHA1
108425bd97144fa0f92ff7b2109fec293d14a461

SHA256
a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d

SHA512
189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7e6fb773ca334f5d3ec171e50780b590

SHA1
8c6b533415de54e4b71282f94a3ac40bdb0ce166

SHA256
997512026c7564ea7cea6451277db3b8e70699faae8e6b06a022448f80e8cd0f

SHA512
7e1340bd1ad2574ca34d4f0d92a80d93b31b9e70146911490188c36b4a3b2d7305f05e059fa7571b0b9fb5ed6ec5d98f4ab9532454048ec3fec387654977cc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jqiqvga5.dsr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\XClient.exe

Filesize
43KB

MD5
28bcf32fcb318339dd64c8ffbda36b92

SHA1
6d1f7481ab5c4bd19df3ad2d36912e1e42bb1e6c

SHA256
1b1611bfa2f8c3e714cb95a98bf4f565fe197432703993de521152208da6cd01

SHA512
23ed60a39b347e375e5ebb47a4dc5bca725772c8ecb3b5986ef71a7523be23f4bc5f05351583430475d5af8515d306b162ec1fd44d06bf1d2286b0eff20d2cbb

Download Submit
C:\Users\Admin\AppData\Local\XClient.exe

Filesize
43KB

MD5
28bcf32fcb318339dd64c8ffbda36b92

SHA1
6d1f7481ab5c4bd19df3ad2d36912e1e42bb1e6c

SHA256
1b1611bfa2f8c3e714cb95a98bf4f565fe197432703993de521152208da6cd01

SHA512
23ed60a39b347e375e5ebb47a4dc5bca725772c8ecb3b5986ef71a7523be23f4bc5f05351583430475d5af8515d306b162ec1fd44d06bf1d2286b0eff20d2cbb

Download Submit
memory/2160-37-0x00007FFE05DB0000-0x00007FFE06871000-memory.dmp

Filesize
10.8MB

Download
memory/2160-35-0x000001CE1A290000-0x000001CE1A2A0000-memory.dmp

Filesize
64KB

Download
memory/2160-33-0x000001CE1A290000-0x000001CE1A2A0000-memory.dmp

Filesize
64KB

Download
memory/2160-20-0x00007FFE05DB0000-0x00007FFE06871000-memory.dmp

Filesize
10.8MB

Download
memory/2160-21-0x000001CE1A290000-0x000001CE1A2A0000-memory.dmp

Filesize
64KB

Download
memory/2160-22-0x000001CE1A290000-0x000001CE1A2A0000-memory.dmp

Filesize
64KB

Download
memory/3048-18-0x00007FFE05DB0000-0x00007FFE06871000-memory.dmp

Filesize
10.8MB

Download
memory/3048-10-0x000002A920D70000-0x000002A920D92000-memory.dmp

Filesize
136KB

Download
memory/3048-15-0x000002A9066F0000-0x000002A906700000-memory.dmp

Filesize
64KB

Download
memory/3048-3-0x000002A9066F0000-0x000002A906700000-memory.dmp

Filesize
64KB

Download
memory/3048-14-0x000002A9066F0000-0x000002A906700000-memory.dmp

Filesize
64KB

Download
memory/3048-2-0x00007FFE05DB0000-0x00007FFE06871000-memory.dmp

Filesize
10.8MB

Download
memory/3408-79-0x00007FFE05DB0000-0x00007FFE06871000-memory.dmp

Filesize
10.8MB

Download
memory/3408-77-0x00007FFE05DB0000-0x00007FFE06871000-memory.dmp

Filesize
10.8MB

Download
memory/3608-34-0x00007FFE05DB0000-0x00007FFE06871000-memory.dmp

Filesize
10.8MB

Download
memory/3608-1-0x00007FFE05DB0000-0x00007FFE06871000-memory.dmp

Filesize
10.8MB

Download
memory/3608-0-0x0000000000F70000-0x0000000000F82000-memory.dmp

Filesize
72KB

Download
memory/4084-68-0x000001A3F00A0000-0x000001A3F00B0000-memory.dmp

Filesize
64KB

Download
memory/4084-55-0x000001A3F00A0000-0x000001A3F00B0000-memory.dmp

Filesize
64KB

Download
memory/4084-56-0x000001A3F00A0000-0x000001A3F00B0000-memory.dmp

Filesize
64KB

Download
memory/4084-54-0x00007FFE05DB0000-0x00007FFE06871000-memory.dmp

Filesize
10.8MB

Download
memory/4084-67-0x000001A3F00A0000-0x000001A3F00B0000-memory.dmp

Filesize
64KB

Download
memory/4084-70-0x00007FFE05DB0000-0x00007FFE06871000-memory.dmp

Filesize
10.8MB

Download
memory/4668-53-0x00007FFE05DB0000-0x00007FFE06871000-memory.dmp

Filesize
10.8MB

Download
memory/4668-51-0x000001D5A16F0000-0x000001D5A1700000-memory.dmp

Filesize
64KB

Download
memory/4668-45-0x000001D5A16F0000-0x000001D5A1700000-memory.dmp

Filesize
64KB

Download
memory/4668-39-0x000001D5A16F0000-0x000001D5A1700000-memory.dmp

Filesize
64KB

Download
memory/4668-38-0x00007FFE05DB0000-0x00007FFE06871000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads