xworm | 71cc081cbe5e67b32b6b07ca8e63211610e6a52d477f8afc32521a0b1cfd1f45

General

Target

BloxstrapModded.exe
Size

10.0MB
MD5

d4823d25c86c905b29ff3cd42127d5b3
SHA1

4380e4416b419f1bde9ee98c45b14fc7f29e8876
SHA256

71cc081cbe5e67b32b6b07ca8e63211610e6a52d477f8afc32521a0b1cfd1f45
SHA512

e9d12f0e1c4c2a434c6ec8a004d85141a6f6bc6a81179d7f9200d387a8f7031554615a39e33384694c2e8291ebab533c3c703d927498480078a87b6f49520152
SSDEEP

1536:EctSNh5dMtrBDrqiYQ92Zxlc9lQPykplbTqr:Z8NhviV/qcwc9+aQby

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

million-houston.gl.at.ply.gg:27705

Attributes

Install_directory
%AppData%
install_file
BloxstrapModded.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\XClient.exe	family_xworm
behavioral1/memory/1256-9-0x0000000000270000-0x000000000028A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Executes dropped EXE 1 IoCs

Processes:

XClient.exe

pid process

1256 XClient.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1696 NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

XClient.exe

description pid process

Token: SeDebugPrivilege 1256 XClient.exe

pid	process
1256	XClient.exe

flow	ioc
4	ip-api.com

pid	process
1696	NOTEPAD.EXE

description	pid	process
Token: SeDebugPrivilege	1256	XClient.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

BloxstrapModded.exeXClient.exe

description	pid	process	target process
PID 2372 wrote to memory of 1256	2372	BloxstrapModded.exe	XClient.exe
PID 2372 wrote to memory of 1256	2372	BloxstrapModded.exe	XClient.exe
PID 2372 wrote to memory of 1256	2372	BloxstrapModded.exe	XClient.exe
PID 2372 wrote to memory of 1696	2372	BloxstrapModded.exe	NOTEPAD.EXE
PID 2372 wrote to memory of 1696	2372	BloxstrapModded.exe	NOTEPAD.EXE
PID 2372 wrote to memory of 1696	2372	BloxstrapModded.exe	NOTEPAD.EXE
PID 1256 wrote to memory of 2468	1256	XClient.exe	powershell.exe
PID 1256 wrote to memory of 2468	1256	XClient.exe	powershell.exe
PID 1256 wrote to memory of 2468	1256	XClient.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\BloxstrapModded.exe
"C:\Users\Admin\AppData\Local\Temp\BloxstrapModded.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
3⤵
PID:2468

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\README.txt
Filesize
438B

MD5
659061a5689cae197b49f62be53bcf40

SHA1
6467f2252645e7ce87932aad37e24a6eed3fefeb

SHA256
0ca739b146beb166072cb199c8090f98140b88c5a7c251cf4ed730487507936c

SHA512
f5933100e6ce6a030cb7ee36213308cfa4b05859b903564c4d711e60433079dd8182922ea45f25ec8b8defca90c5aa56a94bce031e5aa0e35e11ae19fb858567

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe
Filesize
80KB

MD5
cfeb71480542c9b6d6aec88f02e6d820

SHA1
4fcf90f5f8e16dcee2fa5ee1611394533f7ff740

SHA256
ebabe3ead25f28d4fe0a3ab1a592d7160065995da465ec549ebe8f27ba5eeee9

SHA512
e5d1a95fe948e295f0f7cc55f88464136e088b0c7f531a132eab76025885f2de93d101981fc3dedc4bd7ed271b58578bcab235fc9d2bedca6e209fb3f7d594bd

Download Submit
memory/1256-13-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/1256-9-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/1256-10-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-2-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/2372-1-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-12-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-0-0x0000000000EA0000-0x0000000000EB4000-memory.dmp

Filesize
80KB

Download
memory/2468-19-0x000007FEEE4C0000-0x000007FEEEE5D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-18-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2468-21-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2468-20-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2468-22-0x000007FEEE4C0000-0x000007FEEEE5D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-23-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2468-24-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2468-25-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing