xworm | 511434d4178f6b01f150cf3afab9fdbc062a177d78469fb6bd27b3c87fc98c67

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
Size

3.3MB
MD5

f24a4d5b6036a3de2eba88868bd771f2
SHA1

3048d822d2b80d66284d1446052da0ba2be27d9e
SHA256

2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2
SHA512

17a245a0c5e70982ea5f479319417864e122d3febbdf16d310d42b7f9acb8d7135fdf9c34082cd42858a4b98e696ec02d17b69deb249e8ed0cdfab26ec909bfc
SSDEEP

49152:rbAa/I9L1n4OjdXalpe85gqWa4CRFaMQRh/7hK+OWp7W+qYp9foZWHyeHxYMp5FN:ga/K1Fa71qrMFO3DgCjqWQZWSmeMTPH

Score

10^/10

xworm persistence rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2520-66-0x0000000000400000-0x000000000042E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	aspnet_compiler.exe

Executes dropped EXE 3 IoCs

pid	Process
2028	Botmaster 5.8 direct.exe
3940	XClient.exe
2504	XClient.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Local\\WinUpdate.exe"	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	aspnet_compiler.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 980 set thread context of 2520	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
3652	powershell.exe
3652	powershell.exe
3652	powershell.exe
980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	2520	aspnet_compiler.exe
Token: SeDebugPrivilege	2520	aspnet_compiler.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2028	Botmaster 5.8 direct.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 3252	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	100
PID 980 wrote to memory of 3252	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	100
PID 980 wrote to memory of 3252	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	100
PID 3252 wrote to memory of 3652	3252	cmd.exe	102
PID 3252 wrote to memory of 3652	3252	cmd.exe	102
PID 3252 wrote to memory of 3652	3252	cmd.exe	102
PID 980 wrote to memory of 2028	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	112
PID 980 wrote to memory of 2028	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	112
PID 980 wrote to memory of 2028	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	112
PID 980 wrote to memory of 2520	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	114
PID 980 wrote to memory of 2520	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	114
PID 980 wrote to memory of 2520	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	114
PID 980 wrote to memory of 2520	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	114
PID 980 wrote to memory of 2520	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	114
PID 980 wrote to memory of 2520	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	114
PID 980 wrote to memory of 2520	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	114
PID 980 wrote to memory of 2520	980	2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe	114
PID 2520 wrote to memory of 2360	2520	aspnet_compiler.exe	116
PID 2520 wrote to memory of 2360	2520	aspnet_compiler.exe	116
PID 2520 wrote to memory of 2360	2520	aspnet_compiler.exe	116

C:\Users\Admin\AppData\Local\Temp\2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
"C:\Users\Admin\AppData\Local\Temp\2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell set-mppreference -exclusionpath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- C:\Users\Admin\AppData\Local\Temp\Botmaster 5.8 direct.exe
  "C:\Users\Admin\AppData\Local\Temp\Botmaster 5.8 direct.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:1140

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XClient.exe.log

Filesize
311B

MD5
a5b27ca7965bea1b9725e341a94b8f47

SHA1
ce15fcb0f72efb064c81e763f161d1dbc2ccd3fc

SHA256
f84ffc18c89efcc91e3a1b1e369206c2a95ec27594e15a9e645544549e6aec38

SHA512
0fb054215fcbd0ec83ccd002ab10cfba14e061513dfb3a58c9988c611ddc4ee4a23df4cbb905b708478cf74c5f3c1af6dcbac6488ae9e7007ab4ac399494d8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Botmaster 5.8 direct.exe

Filesize
3.0MB

MD5
c9c01fdc7d3ad84ceeb43c6b099a8ad5

SHA1
2e7a67b2dd1a9bb2ad530a76868ec1636612c294

SHA256
f811dadcd0ec744b5927f4eb6b100bbec8c6f03c13218bdde25fa0f8a8fed056

SHA512
b58be960ef3219fb0e9ba3a533dd1b26861eb7300526fbd3761ee21cfbfa77b86ac969fff6eaaaf97b8b573ae684113e3deb39a8c4a85c6cd7ea4f67a8386836

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvvwgnxk.jcc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
55KB

MD5
fda8c8f2a4e100afb14c13dfcbcab2d2

SHA1
19dfd86294c4a525ba21c6af77681b2a9bbecb55

SHA256
99a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09

SHA512
94f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18

Download Submit
memory/980-1-0x00000000002C0000-0x000000000061E000-memory.dmp

Filesize
3.4MB

Download
memory/980-5-0x0000000007BC0000-0x0000000007EC8000-memory.dmp

Filesize
3.0MB

Download
memory/980-6-0x0000000004A90000-0x0000000004ADC000-memory.dmp

Filesize
304KB

Download
memory/980-64-0x0000000008ED0000-0x0000000009474000-memory.dmp

Filesize
5.6MB

Download
memory/980-4-0x0000000006530000-0x000000000684A000-memory.dmp

Filesize
3.1MB

Download
memory/980-3-0x00000000050E0000-0x00000000053F8000-memory.dmp

Filesize
3.1MB

Download
memory/980-2-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/980-70-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/980-26-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/980-0-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/980-20-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2504-107-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2504-108-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2520-94-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2520-76-0x00000000056F0000-0x000000000578C000-memory.dmp

Filesize
624KB

Download
memory/2520-95-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2520-96-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2520-69-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2520-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3652-13-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/3652-30-0x0000000006930000-0x0000000006962000-memory.dmp

Filesize
200KB

Download
memory/3652-42-0x00000000073E0000-0x0000000007483000-memory.dmp

Filesize
652KB

Download
memory/3652-43-0x0000000007D10000-0x000000000838A000-memory.dmp

Filesize
6.5MB

Download
memory/3652-44-0x0000000006A10000-0x0000000006A2A000-memory.dmp

Filesize
104KB

Download
memory/3652-45-0x00000000076E0000-0x00000000076EA000-memory.dmp

Filesize
40KB

Download
memory/3652-46-0x00000000078E0000-0x0000000007976000-memory.dmp

Filesize
600KB

Download
memory/3652-47-0x00000000078A0000-0x00000000078B1000-memory.dmp

Filesize
68KB

Download
memory/3652-48-0x00000000078C0000-0x00000000078CE000-memory.dmp

Filesize
56KB

Download
memory/3652-49-0x0000000007980000-0x0000000007994000-memory.dmp

Filesize
80KB

Download
memory/3652-50-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/3652-51-0x0000000007A30000-0x0000000007A38000-memory.dmp

Filesize
32KB

Download
memory/3652-52-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3652-55-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3652-31-0x00000000703F0000-0x000000007043C000-memory.dmp

Filesize
304KB

Download
memory/3652-41-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/3652-29-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/3652-28-0x00000000064C0000-0x000000000650C000-memory.dmp

Filesize
304KB

Download
memory/3652-27-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/3652-25-0x0000000005D10000-0x0000000006064000-memory.dmp

Filesize
3.3MB

Download
memory/3652-14-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/3652-12-0x0000000005390000-0x00000000053B2000-memory.dmp

Filesize
136KB

Download
memory/3652-11-0x00000000053C0000-0x00000000059E8000-memory.dmp

Filesize
6.2MB

Download
memory/3652-10-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/3652-7-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3652-8-0x0000000004D50000-0x0000000004D86000-memory.dmp

Filesize
216KB

Download
memory/3652-9-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/3940-103-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3940-101-0x0000000004F60000-0x000000000548C000-memory.dmp

Filesize
5.2MB

Download
memory/3940-100-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3940-99-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download