xworm | 54126a6703276127b5748d2a38fa05330405cca356069571ee10350f655890bb

General

Target

XClient.exe
Size

137KB
MD5

e09d49a6363409dceb37e1a4eb46c337
SHA1

3ea58317e91173b2a0d933f1a62096a469669049
SHA256

54126a6703276127b5748d2a38fa05330405cca356069571ee10350f655890bb
SHA512

a8fc0c70c13ee6ce01411659986daabe2106a4685e404ee63ef02283928cb9b1a94f79da386896a2d9b8218bce60bebd6d53f249697da9422e7393ec6329d2cd
SSDEEP

768:fjydtdHSpeUGDEqb1Fu9XoOfhEDL2NODfzkeoTpGB:y9UGIqpFu9XoOfnsfkHIB

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

hydraww.ddns.net:80

Mutex

vjdvm5kiFTVTTlzT

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2768-35-0x0000000001170000-0x000000000117C000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2768-0-0x0000000000AF0000-0x0000000000B18000-memory.dmp	family_xworm
behavioral1/files/0x000800000001ab57-12.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 6 IoCs

pid	Process
3900	XClient.exe
3160	mmdyau.exe
2140	XClient.exe
4812	XClient.exe
2816	XClient.exe
2620	XClient.exe

Loads dropped DLL 1 IoCs

pid	Process
2768	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2672	schtasks.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	XClient.exe
Token: SeDebugPrivilege	3900	XClient.exe
Token: 33	4592	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4592	AUDIODG.EXE
Token: SeDebugPrivilege	2140	XClient.exe
Token: SeDebugPrivilege	4812	XClient.exe
Token: SeDebugPrivilege	2816	XClient.exe
Token: SeDebugPrivilege	2620	XClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2672	2768	XClient.exe	72
PID 2768 wrote to memory of 2672	2768	XClient.exe	72
PID 2768 wrote to memory of 3160	2768	XClient.exe	75
PID 2768 wrote to memory of 3160	2768	XClient.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\XClient.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\mmdyau.exe
  "C:\Users\Admin\AppData\Local\Temp\mmdyau.exe"
  2⤵
  - Executes dropped EXE
  PID:3160

C:\Users\Admin\XClient.exe
C:\Users\Admin\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\XClient.exe
C:\Users\Admin\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Users\Admin\XClient.exe
C:\Users\Admin\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Users\Admin\XClient.exe
C:\Users\Admin\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Users\Admin\XClient.exe
C:\Users\Admin\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmdyau.exe

Filesize
76KB

MD5
00dd91a5ca7b11c2e46d96d9dd9f5343

SHA1
1dbaa06cb9dadd27b8fca176f2b3e6571cc74b5b

SHA256
d765cf255d4c6cce3a40844ce56c3d0410a6cc8657dc553d04e7f08d40217c0d

SHA512
fcb26b13f6092def715e59b26d9dad6931918eddb56ccd278af29c4e07380ccc86bb28569942d869c5b25dc7931af57216e8c851c59a1773ab7143682e1d9b73

Download Submit
C:\Users\Admin\XClient.exe

Filesize
137KB

MD5
e09d49a6363409dceb37e1a4eb46c337

SHA1
3ea58317e91173b2a0d933f1a62096a469669049

SHA256
54126a6703276127b5748d2a38fa05330405cca356069571ee10350f655890bb

SHA512
a8fc0c70c13ee6ce01411659986daabe2106a4685e404ee63ef02283928cb9b1a94f79da386896a2d9b8218bce60bebd6d53f249697da9422e7393ec6329d2cd

Download Submit
\Users\Admin\AppData\Local\Temp\tmp89AD.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/2140-34-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmp

Filesize
9.9MB

Download
memory/2140-33-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-44-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-43-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmp

Filesize
9.9MB

Download
memory/2768-2-0x000000001B6C0000-0x000000001B6D0000-memory.dmp

Filesize
64KB

Download
memory/2768-4-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmp

Filesize
9.9MB

Download
memory/2768-5-0x000000001C6A0000-0x000000001C6AA000-memory.dmp

Filesize
40KB

Download
memory/2768-1-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmp

Filesize
9.9MB

Download
memory/2768-35-0x0000000001170000-0x000000000117C000-memory.dmp

Filesize
48KB

Download
memory/2768-0-0x0000000000AF0000-0x0000000000B18000-memory.dmp

Filesize
160KB

Download
memory/2768-7-0x000000001CE90000-0x000000001CECA000-memory.dmp

Filesize
232KB

Download
memory/2768-6-0x000000001B6C0000-0x000000001B6D0000-memory.dmp

Filesize
64KB

Download
memory/2816-41-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmp

Filesize
9.9MB

Download
memory/2816-40-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmp

Filesize
9.9MB

Download
memory/3160-29-0x00007FF8295D0000-0x00007FF829F70000-memory.dmp

Filesize
9.6MB

Download
memory/3160-30-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/3160-26-0x000000001BC30000-0x000000001BCCC000-memory.dmp

Filesize
624KB

Download
memory/3160-25-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/3160-24-0x00007FF8295D0000-0x00007FF829F70000-memory.dmp

Filesize
9.6MB

Download
memory/3160-22-0x00007FF8295D0000-0x00007FF829F70000-memory.dmp

Filesize
9.6MB

Download
memory/3160-23-0x000000001B6C0000-0x000000001BB8E000-memory.dmp

Filesize
4.8MB

Download
memory/3900-16-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmp

Filesize
9.9MB

Download
memory/3900-14-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmp

Filesize
9.9MB

Download
memory/4812-37-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmp

Filesize
9.9MB

Download
memory/4812-38-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads