xworm | ff7efaae950c46e62c7c47a36c2678d1411acf80b92dec3be5c5fe53c6f74874

General

Target

X4346Client.exe
Size

324KB
MD5

69a723ed4cebb6e779ab62ab7bab37d3
SHA1

9e8f497fcf03dbd293c518557f6f503015c62276
SHA256

ff7efaae950c46e62c7c47a36c2678d1411acf80b92dec3be5c5fe53c6f74874
SHA512

084b89f8318a85642917982d661530ac7c67d45ed48725e52040d7ce204025f1099688985fb34e65844d4deda0db6e62b01f46cfe486f9587a231559e14210b8
SSDEEP

6144:Sjyrvh/bjV/5iZcBCqYg9HF0VRlQCvcL8qz00AGiULo+vRZ7qm+DJrOHMy:SjyxVB0g9l0VRlQD7zqGi0RZ1+DwHM

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

primary-sections.gl.at.ply.gg:22675

Attributes

Install_directory
%Temp%
install_file
dllhostPDF.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1724-0-0x0000000000170000-0x00000000001C8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhostPDF.lnk	X4346Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhostPDF.lnk	X4346Client.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2740	powershell.exe
2516	powershell.exe
1796	powershell.exe
564	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	X4346Client.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1724	X4346Client.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2740	1724	X4346Client.exe	29
PID 1724 wrote to memory of 2740	1724	X4346Client.exe	29
PID 1724 wrote to memory of 2740	1724	X4346Client.exe	29
PID 1724 wrote to memory of 2516	1724	X4346Client.exe	31
PID 1724 wrote to memory of 2516	1724	X4346Client.exe	31
PID 1724 wrote to memory of 2516	1724	X4346Client.exe	31
PID 1724 wrote to memory of 1796	1724	X4346Client.exe	33
PID 1724 wrote to memory of 1796	1724	X4346Client.exe	33
PID 1724 wrote to memory of 1796	1724	X4346Client.exe	33
PID 1724 wrote to memory of 564	1724	X4346Client.exe	35
PID 1724 wrote to memory of 564	1724	X4346Client.exe	35
PID 1724 wrote to memory of 564	1724	X4346Client.exe	35

C:\Users\Admin\AppData\Local\Temp\X4346Client.exe
"C:\Users\Admin\AppData\Local\Temp\X4346Client.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X4346Client.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X4346Client.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dllhostPDF.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhostPDF.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
61fa6c4b1ebfe1ada74ccc1180f66790

SHA1
b5c445e4dbf168dd98e8afa866418504e8d3f01b

SHA256
f23d3b8409b56b20e91165ce34123704078524949fb0804fa18482e61f27bebc

SHA512
59327313b5e56658e971f92120421bfe481092ac2073c247cee6477b7e7b1b7f6d2b65f6360a6633fc639bb1de66c12be3a7d972257dcf4c160d1091cf44e0f0

Download Submit
memory/564-48-0x000007FEEE4C0000-0x000007FEEEE5D000-memory.dmp

Filesize
9.6MB

Download
memory/564-53-0x000007FEEE4C0000-0x000007FEEEE5D000-memory.dmp

Filesize
9.6MB

Download
memory/564-52-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/564-51-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/564-50-0x000007FEEE4C0000-0x000007FEEEE5D000-memory.dmp

Filesize
9.6MB

Download
memory/564-49-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1724-1-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-47-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/1724-2-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/1724-38-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-0-0x0000000000170000-0x00000000001C8000-memory.dmp

Filesize
352KB

Download
memory/1796-41-0x000007FEEEE60000-0x000007FEEF7FD000-memory.dmp

Filesize
9.6MB

Download
memory/1796-40-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/1796-39-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/1796-37-0x000007FEEEE60000-0x000007FEEF7FD000-memory.dmp

Filesize
9.6MB

Download
memory/1796-36-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/1796-35-0x000007FEEEE60000-0x000007FEEF7FD000-memory.dmp

Filesize
9.6MB

Download
memory/2516-26-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2516-28-0x000007FEEE4C0000-0x000007FEEEE5D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-27-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2516-25-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2516-24-0x000007FEEE4C0000-0x000007FEEEE5D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-20-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2516-22-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2516-23-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2516-21-0x000007FEEE4C0000-0x000007FEEEE5D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-14-0x000007FEEEE60000-0x000007FEEF7FD000-memory.dmp

Filesize
9.6MB

Download
memory/2740-11-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/2740-13-0x000000000262B000-0x0000000002692000-memory.dmp

Filesize
412KB

Download
memory/2740-12-0x000007FEEEE60000-0x000007FEEF7FD000-memory.dmp

Filesize
9.6MB

Download
memory/2740-10-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2740-9-0x000007FEEEE60000-0x000007FEEF7FD000-memory.dmp

Filesize
9.6MB

Download
memory/2740-8-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2740-7-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing