xworm | 3deb344fc0246d67387ea87a62c8478175311e3acec3d8b68f9308f1aa9e46b9

Analysis

max time kernel
19s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NET.exe
Size

5.9MB
MD5

abfa67de8ffc03e93b7d85ddd918c0e0
SHA1

0efd55c1a2b7ad3d2a2ea32c182b9d431e6b341b
SHA256

3deb344fc0246d67387ea87a62c8478175311e3acec3d8b68f9308f1aa9e46b9
SHA512

47fe3be7c951dcb5afd875d7d8ed9b68575eb099d97a7d25fafef91f009ba6f2aa14318dc2a5fa685111835985eb4e432c49b7406cd7187c740d245c607f8db8
SSDEEP

98304:l+kHlBByxLJmWOKHJjzeWUZIJ1bbyPPR9rbAzhDYMRBusV2qG+JXd8NwMRMwT:llB0t/eUzb2OhD/LuswqG+JXGNkw

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

94.6.233.124:1707

Attributes

Install_directory
%AppData%
install_file
GG.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023342-7.dat	family_xworm
behavioral2/memory/3588-14-0x0000000000B80000-0x0000000000B96000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	NET.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GG.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GG.lnk	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
3588	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GG = "C:\\Users\\Admin\\AppData\\Roaming\\GG.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	XClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 3588	436	NET.exe	95
PID 436 wrote to memory of 3588	436	NET.exe	95
PID 436 wrote to memory of 2076	436	NET.exe	96
PID 436 wrote to memory of 2076	436	NET.exe	96

C:\Users\Admin\AppData\Local\Temp\NET.exe
"C:\Users\Admin\AppData\Local\Temp\NET.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3588
- C:\Users\Admin\AppData\Local\Temp\NET.exe
  "C:\Users\Admin\AppData\Local\Temp\NET.exe"
  2⤵
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NET.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
62KB

MD5
b77a034711b61a6a1662db4c18221774

SHA1
035706bf2b94b52848a997e96c23d48e22f50df1

SHA256
82df9974f824f9cab5311bfd5d20e53b72eed979b31e269dee89cc5a6cb6dd5c

SHA512
97775afa06454fd9ffe7c9e28c2b5b999003d4f4f137ebc0af056f19c91334d2c9062d22ef808724040284161a8fd5fe6107733ffc77ba710721857a63d3c6c3

Download Submit
memory/436-0-0x0000000000E70000-0x0000000001458000-memory.dmp

Filesize
5.9MB

Download
memory/436-1-0x00007FFED29F0000-0x00007FFED34B1000-memory.dmp

Filesize
10.8MB

Download
memory/436-3-0x00000000035C0000-0x00000000035D0000-memory.dmp

Filesize
64KB

Download
memory/436-25-0x00007FFED29F0000-0x00007FFED34B1000-memory.dmp

Filesize
10.8MB

Download
memory/2076-16-0x00007FFED29F0000-0x00007FFED34B1000-memory.dmp

Filesize
10.8MB

Download
memory/2076-18-0x00007FFED29F0000-0x00007FFED34B1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-14-0x0000000000B80000-0x0000000000B96000-memory.dmp

Filesize
88KB

Download
memory/3588-15-0x00007FFED29F0000-0x00007FFED34B1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-23-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads