xworm | 511434d4178f6b01f150cf3afab9fdbc062a177d78469fb6bd27b3c87fc98c67

Analysis

max time kernel
133s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
Size

3.3MB
MD5

f24a4d5b6036a3de2eba88868bd771f2
SHA1

3048d822d2b80d66284d1446052da0ba2be27d9e
SHA256

2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2
SHA512

17a245a0c5e70982ea5f479319417864e122d3febbdf16d310d42b7f9acb8d7135fdf9c34082cd42858a4b98e696ec02d17b69deb249e8ed0cdfab26ec909bfc
SSDEEP

49152:rbAa/I9L1n4OjdXalpe85gqWa4CRFaMQRh/7hK+OWp7W+qYp9foZWHyeHxYMp5FN:ga/K1Fa71qrMFO3DgCjqWQZWSmeMTPH

Score

10^/10

xworm persistence rat trojan

Malware Config

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/memory/2776-51-0x0000000000400000-0x000000000042E000-memory.dmp	family_xworm
behavioral1/memory/2776-53-0x0000000000400000-0x000000000042E000-memory.dmp	family_xworm
behavioral1/memory/2776-48-0x0000000000400000-0x000000000042E000-memory.dmp	family_xworm
behavioral1/memory/2776-47-0x0000000000400000-0x000000000042E000-memory.dmp	family_xworm
behavioral1/memory/2776-56-0x0000000000400000-0x000000000042E000-memory.dmp	family_xworm
behavioral1/memory/2776-63-0x0000000004830000-0x0000000004870000-memory.dmp	family_xworm
behavioral1/memory/2776-65-0x0000000004830000-0x0000000004870000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	aspnet_compiler.exe

Executes dropped EXE 2 IoCs

pid	Process
380	Botmaster 5.8 direct.exe
764	XClient.exe

Loads dropped DLL 2 IoCs

pid	Process
3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
2776	aspnet_compiler.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Local\\WinUpdate.exe"	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	aspnet_compiler.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 2776	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
2548	powershell.exe
3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
380	Botmaster 5.8 direct.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2776	aspnet_compiler.exe
Token: SeDebugPrivilege	2776	aspnet_compiler.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
380	Botmaster 5.8 direct.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1988	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	28
PID 3068 wrote to memory of 1988	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	28
PID 3068 wrote to memory of 1988	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	28
PID 3068 wrote to memory of 1988	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	28
PID 1988 wrote to memory of 2548	1988	cmd.exe	30
PID 1988 wrote to memory of 2548	1988	cmd.exe	30
PID 1988 wrote to memory of 2548	1988	cmd.exe	30
PID 1988 wrote to memory of 2548	1988	cmd.exe	30
PID 3068 wrote to memory of 380	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	31
PID 3068 wrote to memory of 380	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	31
PID 3068 wrote to memory of 380	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	31
PID 3068 wrote to memory of 380	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	31
PID 3068 wrote to memory of 2776	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	32
PID 3068 wrote to memory of 2776	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	32
PID 3068 wrote to memory of 2776	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	32
PID 3068 wrote to memory of 2776	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	32
PID 3068 wrote to memory of 2776	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	32
PID 3068 wrote to memory of 2776	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	32
PID 3068 wrote to memory of 2776	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	32
PID 3068 wrote to memory of 2776	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	32
PID 3068 wrote to memory of 2776	3068	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	32
PID 2776 wrote to memory of 1532	2776	aspnet_compiler.exe	33
PID 2776 wrote to memory of 1532	2776	aspnet_compiler.exe	33
PID 2776 wrote to memory of 1532	2776	aspnet_compiler.exe	33
PID 2776 wrote to memory of 1532	2776	aspnet_compiler.exe	33
PID 1888 wrote to memory of 764	1888	taskeng.exe	38
PID 1888 wrote to memory of 764	1888	taskeng.exe	38
PID 1888 wrote to memory of 764	1888	taskeng.exe	38
PID 1888 wrote to memory of 764	1888	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
"C:\Users\Admin\AppData\Local\Temp\2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell set-mppreference -exclusionpath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- C:\Users\Admin\AppData\Local\Temp\Botmaster 5.8 direct.exe
  "C:\Users\Admin\AppData\Local\Temp\Botmaster 5.8 direct.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1532

C:\Windows\system32\taskeng.exe
taskeng.exe {30683E54-D939-4D4E-9E30-C49791DD8570} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Botmaster 5.8 direct.exe

Filesize
3.0MB

MD5
0f94790857e477ac8a7d4b89616941b7

SHA1
0cf3333067a465ff640db423fe377ebc2aaa9883

SHA256
a52b4a2fec3d53e539ee6c6c88a0cf6aa412699f6a61a53fa1ec353fdc784068

SHA512
81234ea90523047f3f1720286088cbbd0d130f9e4b8d15a7db6eea31338cf9cd6a05d6b31bf8f080df40a5ef5dcda64dd77332b216787c93a306c0dd8fdac9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Botmaster 5.8 direct.exe

Filesize
2.8MB

MD5
661040a9b83e6551fbf90eca6995282b

SHA1
3c5f6e974a6be4498fe5e07e7c099a3925f2705e

SHA256
49339e5c9871551d1c5b0b40cba1241ec13b684e8a1d4522b045dc9eaf9c1816

SHA512
d3c8cea3cd57ec2fef90bf4fe4fb3f82d1eb206fff45d8e3fa134db57340f993973a2ed6b9981f822ac789b067bb629b330fc55ea6cda2de0f8ad1c65fed2c92

Download Submit
\Users\Admin\AppData\Local\Temp\Botmaster 5.8 direct.exe

Filesize
2.9MB

MD5
afa244e736b4a0fa87b7eb5fca763092

SHA1
9b2fef90604978dfd49849a366d42a7e0856e42a

SHA256
a71b54f9bcd852931ad10209e4cd970629ec469870bd48a0acce680f8ed5ae66

SHA512
54e40cdea314c23c9af774e7220d013df335838f7f20d1f8cec07c38fa7e2ce5a9e71ce3bfcdc29082f0a94bd32a845f14a854241c62a58f1247da5fdf594408

Download Submit
\Users\Admin\AppData\Roaming\XClient.exe

Filesize
54KB

MD5
1e98e92a982af948ee18ee819a2d8ad1

SHA1
6cb0bd87815118351e5e32c50b434079dfba255c

SHA256
235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778

SHA512
6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f

Download Submit
memory/764-71-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/764-70-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/764-69-0x00000000013B0000-0x00000000013C0000-memory.dmp

Filesize
64KB

Download
memory/2548-11-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2548-10-0x0000000070C20000-0x00000000711CB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-12-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2548-9-0x0000000070C20000-0x00000000711CB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-13-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2548-14-0x0000000070C20000-0x00000000711CB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-56-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-47-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-65-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/2776-64-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-63-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/2776-44-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-51-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-53-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-57-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-48-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-46-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3068-16-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/3068-1-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/3068-55-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/3068-4-0x00000000054B0000-0x00000000057CA000-memory.dmp

Filesize
3.1MB

Download
memory/3068-6-0x0000000000450000-0x000000000049C000-memory.dmp

Filesize
304KB

Download
memory/3068-5-0x00000000067D0000-0x0000000006AD8000-memory.dmp

Filesize
3.0MB

Download
memory/3068-15-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/3068-3-0x0000000005190000-0x00000000054A8000-memory.dmp

Filesize
3.1MB

Download
memory/3068-2-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/3068-0-0x0000000000BB0000-0x0000000000F0E000-memory.dmp

Filesize
3.4MB

Download