xworm | e4604c8555fd9ac08b00a5c51795657b9a339fa07ef5e6c64e9f54fe79d28b42

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 07:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

136KB
MD5

d02127c12495b6295f74bdd2a1c06da0
SHA1

c6bccc80a5ca3d2a803e1df5163343042266700a
SHA256

e4604c8555fd9ac08b00a5c51795657b9a339fa07ef5e6c64e9f54fe79d28b42
SHA512

c0b1a266ed3d6327aa827b0ed430f75bfd9a38642688e9fa231ace5d98556fb7e7d0705000f7391b57e2d9334961fffc7cc3759f05af3ce7c18424da05de5fb9
SSDEEP

768:6DZXbbMjFrGU/VHPa7N/ZFY9ybOjhI/R4Eo0jaf6mFSyT5rp7:6DZXbqFaU/VHynFY9ybOjuJ4ERafjV7

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

147.185.221.17:65030

Mutex

67tPpoR2GxMoXLhl

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4144-0-0x0000000000B60000-0x0000000000B88000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	XClient.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4144-0-0x0000000000B60000-0x0000000000B88000-memory.dmp

Filesize
160KB

Download
memory/4144-1-0x00007FF95F190000-0x00007FF95FC51000-memory.dmp

Filesize
10.8MB

Download
memory/4144-8-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/4144-9-0x0000000002DB0000-0x0000000002DBA000-memory.dmp

Filesize
40KB

Download
memory/4144-10-0x00007FF95F190000-0x00007FF95FC51000-memory.dmp

Filesize
10.8MB

Download
memory/4144-11-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads