xworm | dda2cfe82f91fe2b329ca75917fcc21f39049608ec0b3058cebb86b0d1c8198b

General

Target

XWorm.exe
Size

140KB
MD5

ce59cf3857c092e27de6dabceb157d09
SHA1

04b60381eec2a1f90eac81607c6467274b4b5d9a
SHA256

dda2cfe82f91fe2b329ca75917fcc21f39049608ec0b3058cebb86b0d1c8198b
SHA512

6d727f5587350cd6d9823feaf870ee32883b6cfefcb35d36dc8fd198e4a87069cf4e51d4c9e793d86d255d21724cdba9239986512edfa69149c796f5580b233e
SSDEEP

1536:PcGNovtlF8/iEJIkOPwl02biqfbZWq1baS9moy6gcmgOYY08TsEEqmyVttdGFQer:0GNyjWZ99bZZT9ufgOz08TLEqmyBer

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:37915

5.39.43.50:37915

de-engines.gl.at.ply.gg:37915

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2368-0-0x0000000000FA0000-0x0000000000FC8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

XWorm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XWorm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XWorm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XWorm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XWorm.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXWorm.exe

pid process

2588 powershell.exe
2736 powershell.exe
2580 powershell.exe
2720 powershell.exe
2368 XWorm.exe

flow	ioc
4	ip-api.com

pid	process
2588	powershell.exe
2736	powershell.exe
2580	powershell.exe
2720	powershell.exe
2368	XWorm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

XWorm.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2368	XWorm.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2368	XWorm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XWorm.exe

pid process

2368 XWorm.exe

pid	process
2368	XWorm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

XWorm.exe

description	pid	process	target process
PID 2368 wrote to memory of 2588	2368	XWorm.exe	powershell.exe
PID 2368 wrote to memory of 2588	2368	XWorm.exe	powershell.exe
PID 2368 wrote to memory of 2588	2368	XWorm.exe	powershell.exe
PID 2368 wrote to memory of 2736	2368	XWorm.exe	powershell.exe
PID 2368 wrote to memory of 2736	2368	XWorm.exe	powershell.exe
PID 2368 wrote to memory of 2736	2368	XWorm.exe	powershell.exe
PID 2368 wrote to memory of 2580	2368	XWorm.exe	powershell.exe
PID 2368 wrote to memory of 2580	2368	XWorm.exe	powershell.exe
PID 2368 wrote to memory of 2580	2368	XWorm.exe	powershell.exe
PID 2368 wrote to memory of 2720	2368	XWorm.exe	powershell.exe
PID 2368 wrote to memory of 2720	2368	XWorm.exe	powershell.exe
PID 2368 wrote to memory of 2720	2368	XWorm.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\XWorm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T0FD16UKBFS6JA5JMPKN.temp

Filesize
7KB

MD5
312dcae80092f9ac0f86a9b608e88444

SHA1
95b2df1e10a9485f46326bd7d2420eb633d1f037

SHA256
6cc195fcbc530c695025a7e86dc51bddbc5d3850e30120e9f6a235ba01e26098

SHA512
635790befab55baae20aa3bdcad2eb250228f103c58bccea7ad76752d5dbfd01b248d2cbb99cea2a464f3b6d7ad661491b727498d26f3c1c0730a956a6918c2c

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2368-0-0x0000000000FA0000-0x0000000000FC8000-memory.dmp

Filesize
160KB

Download
memory/2368-1-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2368-2-0x000000001AE60000-0x000000001AEE0000-memory.dmp

Filesize
512KB

Download
memory/2368-33-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-7-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2588-8-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2588-9-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2736-16-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download
memory/2736-15-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads