xworm | 5d3302a1cec976301d4ba48e0541eea0e76623517a5b6f2c1b913cfe2ebaa8a7

Resubmissions

21/04/2024, 08:48

240421-kqlncsfg7s 10

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClent.exe
Size

183KB
MD5

0e69783c0f4cd6d63fe44ab4ee689a0c
SHA1

70407440413d2ee26f0398e486ddbd6e8ea7c6ac
SHA256

5d3302a1cec976301d4ba48e0541eea0e76623517a5b6f2c1b913cfe2ebaa8a7
SHA512

95c9100bdee8ce3104be40daca0088f484ca2aa3407e7a997fb472259b3d604993cb53e2f011da4299105566285874f1534df8d22a5a2e15e1e9130943b6423e
SSDEEP

3072:wfOE6EtuXq/btJOrGOnPRUGKXs+S++7KFSbxeY+qDDrM47I:fE4Xq/bv7GqStKEbxI

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

safe-towers.gl.at.ply.gg:30351

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2732-0-0x0000000000E00000-0x0000000000E32000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2528	powershell.exe
2428	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	XClent.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2732	XClent.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2528	2732	XClent.exe	29
PID 2732 wrote to memory of 2528	2732	XClent.exe	29
PID 2732 wrote to memory of 2528	2732	XClent.exe	29
PID 2732 wrote to memory of 2428	2732	XClent.exe	31
PID 2732 wrote to memory of 2428	2732	XClent.exe	31
PID 2732 wrote to memory of 2428	2732	XClent.exe	31

C:\Users\Admin\AppData\Local\Temp\XClent.exe
"C:\Users\Admin\AppData\Local\Temp\XClent.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClent.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClent.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0ab8bb991f5575e1eb58eb305cc11614

SHA1
5e2bcaad9db9438c4ceb2a731f2d934885c1f011

SHA256
70a04267928aa8ceb95be7be530f8ab465e444c48233e9c7ae899b2ea0e730f9

SHA512
6fa92aa7364247f253aa169b3b20e605efc24f295f91737b36df1b14e64543ab07fadf0c0b67a0b806ab8fb432bc98a733b05aa5df0edf708078abcfe15d7cfb

Download Submit
memory/2428-26-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2428-22-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2428-30-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/2428-29-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2428-27-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2428-25-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/2428-24-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2428-21-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2428-23-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/2528-11-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2528-10-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2528-13-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2528-12-0x000007FEEE900000-0x000007FEEF29D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-14-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2528-7-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2528-15-0x000007FEEE900000-0x000007FEEF29D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-8-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2528-9-0x000007FEEE900000-0x000007FEEF29D000-memory.dmp

Filesize
9.6MB

Download
memory/2732-0-0x0000000000E00000-0x0000000000E32000-memory.dmp

Filesize
200KB

Download
memory/2732-28-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-2-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/2732-1-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-31-0x0000000002260000-0x000000000226A000-memory.dmp

Filesize
40KB

Download