xworm | 4fea20fe413398e2d8db3ff8ad61c02cfeae0df6044b39fb01d3c56f45df2994

Analysis

max time kernel
376s
max time network
377s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
02/05/2024, 19:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XClient.exe
Size

305KB
MD5

aa86049b23de9ca25639df01e72ce4c3
SHA1

fe1e95c2983c448187dc401150621ff43a40b6f0
SHA256

4fea20fe413398e2d8db3ff8ad61c02cfeae0df6044b39fb01d3c56f45df2994
SHA512

2786ae00580698a79ff885f30fa2a87fee3e03d180fd1b42e7f4a3b4433e19451b614f2fd632b06ecebbfa577215e38bfd2276575d4ffddbbeeee8eb1b1ce732
SSDEEP

6144:BhYI9d+GIIIIIIIhIIIIIIIIIIIIIIIU:a

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:18657

5.tcp.eu.ngrok.io:18657

Mutex

abH6MtVFLvlMhC1I

Attributes

Install_directory
%AppData%
install_file
HumanFallFlat.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2140-66-0x000000001BB30000-0x000000001BB3E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2140-0-0x0000000000270000-0x00000000002C2000-memory.dmp	family_xworm
behavioral1/files/0x001900000002ab53-20.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HumanFallFlat.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HumanFallFlat.lnk	XClient.exe

Executes dropped EXE 6 IoCs

pid	Process
1240	HumanFallFlat.exe
4020	HumanFallFlat.exe
3856	HumanFallFlat.exe
2440	HumanFallFlat.exe
3620	HumanFallFlat.exe
2020	HumanFallFlat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\HumanFallFlat = "C:\\Users\\Admin\\AppData\\Roaming\\HumanFallFlat.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
1	5.tcp.eu.ngrok.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3340	schtasks.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "143"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe
2140	XClient.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	XClient.exe
Token: SeDebugPrivilege	2140	XClient.exe
Token: SeDebugPrivilege	1240	HumanFallFlat.exe
Token: SeDebugPrivilege	2648	XClient.exe
Token: SeDebugPrivilege	1544	XClient.exe
Token: SeDebugPrivilege	4020	HumanFallFlat.exe
Token: SeDebugPrivilege	3856	HumanFallFlat.exe
Token: SeDebugPrivilege	2440	HumanFallFlat.exe
Token: SeDebugPrivilege	3620	HumanFallFlat.exe
Token: SeDebugPrivilege	2020	HumanFallFlat.exe
Token: SeShutdownPrivilege	2036	shutdown.exe
Token: SeRemoteShutdownPrivilege	2036	shutdown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2140	XClient.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5052	MiniSearchHost.exe
2140	XClient.exe
2228	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3340	2140	XClient.exe	83
PID 2140 wrote to memory of 3340	2140	XClient.exe	83
PID 2140 wrote to memory of 2036	2140	XClient.exe	97
PID 2140 wrote to memory of 2036	2140	XClient.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "HumanFallFlat" /tr "C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3340
- C:\Windows\SYSTEM32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2036

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5052

C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe
C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe
C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe
C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe
C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe
C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe
C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a25855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
18951ad4190ed728ba23e932e0c6e0db

SHA1
fa2d16fcbc3defd07cb8f21d8ea4793a21f261f0

SHA256
66607b009c345a8e70fc1e58ab8a13bbea0e370c8d75f16d2cce5b876a748915

SHA512
a67237089efa8615747bdc6cfe0afc977dc54cfd624a8d2e5124a441c204f1ec58ee7cfbbc105ddc2c18d4f254b9e124d71630bcdba0253d41a96890104f2fff

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
ee87a5df2cec41353233851e9956d539

SHA1
cdd287b4be58f5ee3464c31c9f073daad13f2eb7

SHA256
2c25ce8141d1e6e601907a4d54f367ba7f6032c9596d24b30a245d94b719c880

SHA512
3afe8451239bbfa4c7cd6ad4e123d8558aba43a570998ef76834dd12b8b0266a4c9dc7bf57dd9a903208a029f3a0ae54822f1ba1d29414615bdcea963b062379

Download Submit
C:\Users\Admin\AppData\Roaming\HumanFallFlat.exe

Filesize
305KB

MD5
aa86049b23de9ca25639df01e72ce4c3

SHA1
fe1e95c2983c448187dc401150621ff43a40b6f0

SHA256
4fea20fe413398e2d8db3ff8ad61c02cfeae0df6044b39fb01d3c56f45df2994

SHA512
2786ae00580698a79ff885f30fa2a87fee3e03d180fd1b42e7f4a3b4433e19451b614f2fd632b06ecebbfa577215e38bfd2276575d4ffddbbeeee8eb1b1ce732

Download Submit
memory/2140-11-0x00007FF94CB73000-0x00007FF94CB75000-memory.dmp

Filesize
8KB

Download
memory/2140-18-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp

Filesize
10.8MB

Download
memory/2140-2-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp

Filesize
10.8MB

Download
memory/2140-29-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/2140-0-0x0000000000270000-0x00000000002C2000-memory.dmp

Filesize
328KB

Download
memory/2140-1-0x00007FF94CB73000-0x00007FF94CB75000-memory.dmp

Filesize
8KB

Download
memory/2140-50-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/2140-64-0x00000000026F0000-0x00000000026FA000-memory.dmp

Filesize
40KB

Download
memory/2140-66-0x000000001BB30000-0x000000001BB3E000-memory.dmp

Filesize
56KB

Download
memory/2140-67-0x000000001BB40000-0x000000001BB4A000-memory.dmp

Filesize
40KB

Download
memory/2140-68-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads