xworm | 6906f0586af2064fb11cd0e81fc09e6f87fa4e77580b43e79ead6242d6cc7469

Analysis

max time kernel
1191s
max time network
1204s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
24/02/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x.exe
Size

63KB
MD5

78e0d6b85721aec5404971862734be82
SHA1

b0f490a2d377670c62c294b9bb163cacf80c256c
SHA256

6906f0586af2064fb11cd0e81fc09e6f87fa4e77580b43e79ead6242d6cc7469
SHA512

e03ae3b43aee97ee21053c1174195b19388cc1fe403813afe63aa0da4c9418b47a0e2eb846082d5180264820572028085ded744bdd28e1e1cf9e090838020666
SSDEEP

1536:+Ed0d4ayDZpxSAb+hXSBni3dWY6AxtNOu65x+/kuC:+Bd4aYbAAba9WOPOr5iC

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

18.ip.gl.ply.gg:33725

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5092-0-0x0000000000CA0000-0x0000000000CB6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	x.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3980	powershell.exe
3980	powershell.exe
3980	powershell.exe
3608	powershell.exe
3608	powershell.exe
3608	powershell.exe
924	powershell.exe
924	powershell.exe
924	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	x.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeIncreaseQuotaPrivilege	3980	powershell.exe
Token: SeSecurityPrivilege	3980	powershell.exe
Token: SeTakeOwnershipPrivilege	3980	powershell.exe
Token: SeLoadDriverPrivilege	3980	powershell.exe
Token: SeSystemProfilePrivilege	3980	powershell.exe
Token: SeSystemtimePrivilege	3980	powershell.exe
Token: SeProfSingleProcessPrivilege	3980	powershell.exe
Token: SeIncBasePriorityPrivilege	3980	powershell.exe
Token: SeCreatePagefilePrivilege	3980	powershell.exe
Token: SeBackupPrivilege	3980	powershell.exe
Token: SeRestorePrivilege	3980	powershell.exe
Token: SeShutdownPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeSystemEnvironmentPrivilege	3980	powershell.exe
Token: SeRemoteShutdownPrivilege	3980	powershell.exe
Token: SeUndockPrivilege	3980	powershell.exe
Token: SeManageVolumePrivilege	3980	powershell.exe
Token: 33	3980	powershell.exe
Token: 34	3980	powershell.exe
Token: 35	3980	powershell.exe
Token: 36	3980	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeIncreaseQuotaPrivilege	3608	powershell.exe
Token: SeSecurityPrivilege	3608	powershell.exe
Token: SeTakeOwnershipPrivilege	3608	powershell.exe
Token: SeLoadDriverPrivilege	3608	powershell.exe
Token: SeSystemProfilePrivilege	3608	powershell.exe
Token: SeSystemtimePrivilege	3608	powershell.exe
Token: SeProfSingleProcessPrivilege	3608	powershell.exe
Token: SeIncBasePriorityPrivilege	3608	powershell.exe
Token: SeCreatePagefilePrivilege	3608	powershell.exe
Token: SeBackupPrivilege	3608	powershell.exe
Token: SeRestorePrivilege	3608	powershell.exe
Token: SeShutdownPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeSystemEnvironmentPrivilege	3608	powershell.exe
Token: SeRemoteShutdownPrivilege	3608	powershell.exe
Token: SeUndockPrivilege	3608	powershell.exe
Token: SeManageVolumePrivilege	3608	powershell.exe
Token: 33	3608	powershell.exe
Token: 34	3608	powershell.exe
Token: 35	3608	powershell.exe
Token: 36	3608	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeIncreaseQuotaPrivilege	924	powershell.exe
Token: SeSecurityPrivilege	924	powershell.exe
Token: SeTakeOwnershipPrivilege	924	powershell.exe
Token: SeLoadDriverPrivilege	924	powershell.exe
Token: SeSystemProfilePrivilege	924	powershell.exe
Token: SeSystemtimePrivilege	924	powershell.exe
Token: SeProfSingleProcessPrivilege	924	powershell.exe
Token: SeIncBasePriorityPrivilege	924	powershell.exe
Token: SeCreatePagefilePrivilege	924	powershell.exe
Token: SeBackupPrivilege	924	powershell.exe
Token: SeRestorePrivilege	924	powershell.exe
Token: SeShutdownPrivilege	924	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeSystemEnvironmentPrivilege	924	powershell.exe
Token: SeRemoteShutdownPrivilege	924	powershell.exe
Token: SeUndockPrivilege	924	powershell.exe
Token: SeManageVolumePrivilege	924	powershell.exe
Token: 33	924	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 3980	5092	x.exe	74
PID 5092 wrote to memory of 3980	5092	x.exe	74
PID 5092 wrote to memory of 3608	5092	x.exe	77
PID 5092 wrote to memory of 3608	5092	x.exe	77
PID 5092 wrote to memory of 924	5092	x.exe	79
PID 5092 wrote to memory of 924	5092	x.exe	79
PID 5092 wrote to memory of 2464	5092	x.exe	81
PID 5092 wrote to memory of 2464	5092	x.exe	81

C:\Users\Admin\AppData\Local\Temp\x.exe
"C:\Users\Admin\AppData\Local\Temp\x.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\x.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a40bab0004dff7dd8ce5833572e28b3

SHA1
756d4d6a8334e19e43e4e7a43c7982c72ea6af61

SHA256
4cec6f7123df12bd15b7c6407ccf555564ade3c1e47c1840565323365258efb9

SHA512
aa7a05086dafea32ce15cdaa4a05bf9099047bcac4068eb99dc54f7162714df3d7e7632c235250062ffdfed469eacfbb956bec258d8a89b9160e9b1b99c15234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d574bf7f249d8dc2ee796bcb64157292

SHA1
9b63ad64d11399a97cb7bfbeba52da511fd223c6

SHA256
deb103a856fd2138a228b3bdc28526e48239e37342c1e2718a332e6921ff4043

SHA512
2c94a4d785a743602da452115ec38160fc995cb6e387b7ea1d55f2ce6a592c4ccd9a9ce5fb4f0f2a3988328b88ad7915c40f4973869fe9c3057f5084de328f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
375a5136f25eb83f51334a04f76f143c

SHA1
d1efcdd72378d759f9ed2f31f6928cdbe07b3c29

SHA256
588e1772f8d3498d868c584e49e917074ad84d167309fa8c631853caa222c949

SHA512
d84ccc20958f00d10d9816922c24cebfb75f6c0d19bfd9728a5234e8a9cc1c106a2ef730db5d8ec9d117abf03d002943339f1ea6df670590bdda88e210c18c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3cixfykh.g14.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/924-126-0x000001A1D8830000-0x000001A1D8840000-memory.dmp

Filesize
64KB

Download
memory/924-152-0x00007FFF224C0000-0x00007FFF22EAC000-memory.dmp

Filesize
9.9MB

Download
memory/924-149-0x000001A1D8830000-0x000001A1D8840000-memory.dmp

Filesize
64KB

Download
memory/924-108-0x00007FFF224C0000-0x00007FFF22EAC000-memory.dmp

Filesize
9.9MB

Download
memory/924-110-0x000001A1D8830000-0x000001A1D8840000-memory.dmp

Filesize
64KB

Download
memory/924-109-0x000001A1D8830000-0x000001A1D8840000-memory.dmp

Filesize
64KB

Download
memory/2464-157-0x0000023445BF0000-0x0000023445C00000-memory.dmp

Filesize
64KB

Download
memory/2464-159-0x0000023445BF0000-0x0000023445C00000-memory.dmp

Filesize
64KB

Download
memory/2464-156-0x00007FFF224C0000-0x00007FFF22EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2464-175-0x0000023445BF0000-0x0000023445C00000-memory.dmp

Filesize
64KB

Download
memory/2464-198-0x0000023445BF0000-0x0000023445C00000-memory.dmp

Filesize
64KB

Download
memory/2464-201-0x00007FFF224C0000-0x00007FFF22EAC000-memory.dmp

Filesize
9.9MB

Download
memory/3608-102-0x00007FFF224C0000-0x00007FFF22EAC000-memory.dmp

Filesize
9.9MB

Download
memory/3608-59-0x00000224FA0D0000-0x00000224FA0E0000-memory.dmp

Filesize
64KB

Download
memory/3608-58-0x00007FFF224C0000-0x00007FFF22EAC000-memory.dmp

Filesize
9.9MB

Download
memory/3608-99-0x00000224FA0D0000-0x00000224FA0E0000-memory.dmp

Filesize
64KB

Download
memory/3608-76-0x00000224FA0D0000-0x00000224FA0E0000-memory.dmp

Filesize
64KB

Download
memory/3608-60-0x00000224FA0D0000-0x00000224FA0E0000-memory.dmp

Filesize
64KB

Download
memory/3980-48-0x0000027679320000-0x0000027679330000-memory.dmp

Filesize
64KB

Download
memory/3980-52-0x00007FFF224C0000-0x00007FFF22EAC000-memory.dmp

Filesize
9.9MB

Download
memory/3980-25-0x0000027679320000-0x0000027679330000-memory.dmp

Filesize
64KB

Download
memory/3980-12-0x00000276795B0000-0x0000027679626000-memory.dmp

Filesize
472KB

Download
memory/3980-9-0x00000276792E0000-0x0000027679302000-memory.dmp

Filesize
136KB

Download
memory/3980-7-0x0000027679320000-0x0000027679330000-memory.dmp

Filesize
64KB

Download
memory/3980-8-0x0000027679320000-0x0000027679330000-memory.dmp

Filesize
64KB

Download
memory/3980-6-0x00007FFF224C0000-0x00007FFF22EAC000-memory.dmp

Filesize
9.9MB

Download
memory/5092-106-0x00007FFF224C0000-0x00007FFF22EAC000-memory.dmp

Filesize
9.9MB

Download
memory/5092-0-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

Filesize
88KB

Download
memory/5092-1-0x00007FFF224C0000-0x00007FFF22EAC000-memory.dmp

Filesize
9.9MB

Download
memory/5092-206-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/5092-207-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download