xworm | 153d02c6e6df5dfa39291f0d1ff049f6ff523c4f1328dc1663ff5eefbddf69cb

General

Target

rsht5tnjrym.exe
Size

55KB
MD5

0fa53d14194aef9688ed160ed379af46
SHA1

9b8106d23cb02e8e0592bbe16b26583552509c9d
SHA256

153d02c6e6df5dfa39291f0d1ff049f6ff523c4f1328dc1663ff5eefbddf69cb
SHA512

575767a2edb1d709b544b46ada6bde1d27b433c1eca921c59ccfdf4598b4124e2eac50b39b5359c7ca075d7d2cd505573d8ed18c5641f3756b1405f52a068e5b
SSDEEP

1536:QT/JFTbei0RcAIEKZkbpd5dqdy961SOOgSVKXgNl:erARcADKZkbL5rqOgSKgN

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

funut-24924.portmap.io:19312

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/924-0-0x0000000000320000-0x0000000000334000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	rsht5tnjrym.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	rsht5tnjrym.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	rsht5tnjrym.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
744	powershell.exe
744	powershell.exe
2588	powershell.exe
2588	powershell.exe
4640	powershell.exe
4640	powershell.exe
728	powershell.exe
728	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	rsht5tnjrym.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	924	rsht5tnjrym.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 744	924	rsht5tnjrym.exe	89
PID 924 wrote to memory of 744	924	rsht5tnjrym.exe	89
PID 924 wrote to memory of 2588	924	rsht5tnjrym.exe	92
PID 924 wrote to memory of 2588	924	rsht5tnjrym.exe	92
PID 924 wrote to memory of 4640	924	rsht5tnjrym.exe	94
PID 924 wrote to memory of 4640	924	rsht5tnjrym.exe	94
PID 924 wrote to memory of 728	924	rsht5tnjrym.exe	96
PID 924 wrote to memory of 728	924	rsht5tnjrym.exe	96

C:\Users\Admin\AppData\Local\Temp\rsht5tnjrym.exe
"C:\Users\Admin\AppData\Local\Temp\rsht5tnjrym.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rsht5tnjrym.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rsht5tnjrym.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4a154efa7af25bb8b94d0d9c7b4f15cd

SHA1
5e0e04103e4eef1bc7ef242b730aed1958f98e1f

SHA256
c216eda372556eb78e680bde247c2fd2085642ee33031905a213c6bec502ccce

SHA512
fc4678133318fe1952947be74e244246336c7faacc9b9ae32336d57b106ec8f044e5db41dd98e8f3a54270ddacab2fc84a66d5d67deeadc3056ea5213bcbbba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ithufnrx.wal.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/728-58-0x00007FF949920000-0x00007FF94A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/728-61-0x000001ABBF160000-0x000001ABBF170000-memory.dmp

Filesize
64KB

Download
memory/728-63-0x00007FF949920000-0x00007FF94A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/728-59-0x000001ABBF160000-0x000001ABBF170000-memory.dmp

Filesize
64KB

Download
memory/744-11-0x000001ECBED80000-0x000001ECBEDA2000-memory.dmp

Filesize
136KB

Download
memory/744-16-0x00007FF949920000-0x00007FF94A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/744-13-0x000001ECBEE70000-0x000001ECBEE80000-memory.dmp

Filesize
64KB

Download
memory/744-12-0x00007FF949920000-0x00007FF94A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/924-70-0x000000001AEC0000-0x000000001AED0000-memory.dmp

Filesize
64KB

Download
memory/924-0-0x0000000000320000-0x0000000000334000-memory.dmp

Filesize
80KB

Download
memory/924-68-0x000000001AEC0000-0x000000001AED0000-memory.dmp

Filesize
64KB

Download
memory/924-69-0x00007FF949920000-0x00007FF94A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/924-1-0x00007FF949920000-0x00007FF94A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-31-0x0000017C1E6B0000-0x0000017C1E6C0000-memory.dmp

Filesize
64KB

Download
memory/2588-33-0x00007FF949920000-0x00007FF94A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-19-0x0000017C1E6B0000-0x0000017C1E6C0000-memory.dmp

Filesize
64KB

Download
memory/2588-25-0x0000017C1E6B0000-0x0000017C1E6C0000-memory.dmp

Filesize
64KB

Download
memory/2588-18-0x00007FF949920000-0x00007FF94A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4640-48-0x00007FF949920000-0x00007FF94A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4640-36-0x0000018134C60000-0x0000018134C70000-memory.dmp

Filesize
64KB

Download
memory/4640-35-0x0000018134C60000-0x0000018134C70000-memory.dmp

Filesize
64KB

Download
memory/4640-34-0x00007FF949920000-0x00007FF94A3E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing