xworm | b89f6b26295ea93ead52dbec7441967366ba1edb495570f28aa63b29817498c4

Reason

Machine shutdown

General

Target

XClient.exe
Size

188KB
MD5

06950fafb2ebce7778eb434a21e7c80c
SHA1

d0fec48dc1fdf9070e28eee9468fa8884407ed0c
SHA256

b89f6b26295ea93ead52dbec7441967366ba1edb495570f28aa63b29817498c4
SHA512

b6d231f24edd806bc8ab74f41ea9b1e1c0bc15fba11ee225ab02adfc59e4cf7fa31a5520218c7ab4c4082594cf30d778e8b18889c7fbb6593ccd2bdba84c6b03
SSDEEP

3072:7S19nA+bYl7OU264NpVq8BxFRzaqF+o2GQJ7/JzqVfGvp:7AhbcA6gVqwlL

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%ProgramData%
install_file
Chrome.exe
pastebin_url
https://pastebin.com/raw/SskbLNL2
telegram
https://api.telegram.org/bot6908115126:AAFK7X8EwJCyolcIuYpa614_tJ0H4OcVQu8/sendMessage?chat_id=939716992

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/3632-86-0x000000001B930000-0x000000001B93E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3632-0-0x00000000006A0000-0x00000000006D6000-memory.dmp	family_xworm
C:\ProgramData\Chrome.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	XClient.exe

Executes dropped EXE 4 IoCs

Processes:

Chrome.exeChrome.exeChrome.exeChrome.exe

pid process

2260 Chrome.exe
3364 Chrome.exe
4964 Chrome.exe
3100 Chrome.exe
Loads dropped DLL 1 IoCs

Processes:

XClient.exe

pid process

3632 XClient.exe

pid	process
2260	Chrome.exe
3364	Chrome.exe
4964	Chrome.exe
3100	Chrome.exe

pid	process
3632	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 pastebin.com
1 2.tcp.eu.ngrok.io
2 pastebin.com
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

4816 sc.exe
2220 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3300 schtasks.exe

flow	ioc
1	pastebin.com
1	2.tcp.eu.ngrok.io
2	pastebin.com

pid	process
4816	sc.exe
2220	sc.exe

pid	process
3300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXClient.exe

pid	process
3576	powershell.exe
3576	powershell.exe
5072	powershell.exe
5072	powershell.exe
4684	powershell.exe
4684	powershell.exe
2032	powershell.exe
2032	powershell.exe
3632	XClient.exe
3632	XClient.exe
3632	XClient.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exepowershell.exeChrome.exeChrome.exeChrome.exevssvc.exeChrome.exe

description	pid	process
Token: SeDebugPrivilege	3632	XClient.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	3632	XClient.exe
Token: SeDebugPrivilege	2260	Chrome.exe
Token: SeDebugPrivilege	3364	Chrome.exe
Token: SeDebugPrivilege	4964	Chrome.exe
Token: SeBackupPrivilege	244	vssvc.exe
Token: SeRestorePrivilege	244	vssvc.exe
Token: SeAuditPrivilege	244	vssvc.exe
Token: SeDebugPrivilege	3100	Chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XClient.exe

pid process

3632 XClient.exe

pid	process
3632	XClient.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

XClient.exe

description	pid	process	target process
PID 3632 wrote to memory of 3576	3632	XClient.exe	powershell.exe
PID 3632 wrote to memory of 3576	3632	XClient.exe	powershell.exe
PID 3632 wrote to memory of 5072	3632	XClient.exe	powershell.exe
PID 3632 wrote to memory of 5072	3632	XClient.exe	powershell.exe
PID 3632 wrote to memory of 4684	3632	XClient.exe	powershell.exe
PID 3632 wrote to memory of 4684	3632	XClient.exe	powershell.exe
PID 3632 wrote to memory of 2032	3632	XClient.exe	powershell.exe
PID 3632 wrote to memory of 2032	3632	XClient.exe	powershell.exe
PID 3632 wrote to memory of 3300	3632	XClient.exe	schtasks.exe
PID 3632 wrote to memory of 3300	3632	XClient.exe	schtasks.exe
PID 3632 wrote to memory of 4816	3632	XClient.exe	sc.exe
PID 3632 wrote to memory of 4816	3632	XClient.exe	sc.exe
PID 3632 wrote to memory of 2220	3632	XClient.exe	sc.exe
PID 3632 wrote to memory of 2220	3632	XClient.exe	sc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\ProgramData\Chrome.exe"
2⤵
- Creates scheduled task(s)
PID:3300

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config wuauserv start=auto
2⤵
- Launches sc.exe
PID:4816

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start wuauserv
2⤵
- Launches sc.exe
PID:2220

C:\ProgramData\Chrome.exe
C:\ProgramData\Chrome.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\ProgramData\Chrome.exe
C:\ProgramData\Chrome.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\ProgramData\Chrome.exe
C:\ProgramData\Chrome.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\ProgramData\Chrome.exe
C:\ProgramData\Chrome.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Chrome.exe
Filesize
188KB

MD5
06950fafb2ebce7778eb434a21e7c80c

SHA1
d0fec48dc1fdf9070e28eee9468fa8884407ed0c

SHA256
b89f6b26295ea93ead52dbec7441967366ba1edb495570f28aa63b29817498c4

SHA512
b6d231f24edd806bc8ab74f41ea9b1e1c0bc15fba11ee225ab02adfc59e4cf7fa31a5520218c7ab4c4082594cf30d778e8b18889c7fbb6593ccd2bdba84c6b03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Chrome.exe.log
Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lmve42ke.slp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB9A2.tmp
Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/2032-48-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/2032-49-0x000001ED77E40000-0x000001ED77E50000-memory.dmp

Filesize
64KB

Download
memory/2032-61-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/2032-59-0x000001ED77E40000-0x000001ED77E50000-memory.dmp

Filesize
64KB

Download
memory/2260-72-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/2260-69-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/3100-91-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/3100-92-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/3364-76-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/3364-77-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/3576-16-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/3576-10-0x000001A444950000-0x000001A444972000-memory.dmp

Filesize
136KB

Download
memory/3576-11-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/3576-13-0x000001A4427D0000-0x000001A4427E0000-memory.dmp

Filesize
64KB

Download
memory/3576-12-0x000001A4427D0000-0x000001A4427E0000-memory.dmp

Filesize
64KB

Download
memory/3576-14-0x000001A4427D0000-0x000001A4427E0000-memory.dmp

Filesize
64KB

Download
memory/3632-70-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/3632-78-0x000000001C040000-0x000000001C076000-memory.dmp

Filesize
216KB

Download
memory/3632-94-0x000000001B9D0000-0x000000001B9DA000-memory.dmp

Filesize
40KB

Download
memory/3632-1-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/3632-66-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/3632-89-0x000000001F840000-0x000000001FD68000-memory.dmp

Filesize
5.2MB

Download
memory/3632-88-0x000000001E290000-0x000000001E340000-memory.dmp

Filesize
704KB

Download
memory/3632-86-0x000000001B930000-0x000000001B93E000-memory.dmp

Filesize
56KB

Download
memory/3632-79-0x000000001B9F0000-0x000000001BA2A000-memory.dmp

Filesize
232KB

Download
memory/3632-45-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/3632-0-0x00000000006A0000-0x00000000006D6000-memory.dmp

Filesize
216KB

Download
memory/4684-44-0x000001D0DFF30000-0x000001D0DFF40000-memory.dmp

Filesize
64KB

Download
memory/4684-47-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/4684-43-0x000001D0DFF30000-0x000001D0DFF40000-memory.dmp

Filesize
64KB

Download
memory/4684-42-0x000001D0DFF30000-0x000001D0DFF40000-memory.dmp

Filesize
64KB

Download
memory/4684-41-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/4964-85-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/4964-87-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/5072-19-0x0000025DF9B50000-0x0000025DF9B60000-memory.dmp

Filesize
64KB

Download
memory/5072-31-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/5072-29-0x0000025DF9B50000-0x0000025DF9B60000-memory.dmp

Filesize
64KB

Download
memory/5072-17-0x00007FF84F700000-0x00007FF8501C2000-memory.dmp

Filesize
10.8MB

Download
memory/5072-18-0x0000025DF9B50000-0x0000025DF9B60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads