xworm | 9931bbbb3c1b0c11fdc4b302897d58fc3773ab89bc38e1df98e886397f2d57fb

General

Target

GTAGLagPatcher.exe
Size

41KB
MD5

8243bd2f8a56096532edc5e80bd8bc4f
SHA1

655d815f9db0263e2137d30541779d49a8c48f2e
SHA256

9931bbbb3c1b0c11fdc4b302897d58fc3773ab89bc38e1df98e886397f2d57fb
SHA512

9f8d7eb2e7e65e72a1535af4aeb75bf22d8787842abd48ce70f9205a6b0f8dac403aa185b92daf37fd8ed5ddc053bd436b68dbad86ce4d708f0a411f37e67eb2
SSDEEP

768:qyIOKKVKWC6eSXvgggULJF5PG9pmj6vOwh53Euzx:qzbKVKWLtXvvg+FI9Aj6vOwnFd

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:33292

corporation-ver.gl.at.ply.gg:33292

Mutex

OK6LMiI0RH1mZro8

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/1416-0-0x0000000000FE0000-0x0000000000FF0000-memory.dmp	family_xworm
behavioral2/files/0x0013000000023a67-61.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2196	powershell.exe
2328	powershell.exe
2720	powershell.exe
3916	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	GTAGLagPatcher.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	GTAGLagPatcher.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	GTAGLagPatcher.exe

Executes dropped EXE 1 IoCs

pid	Process
1412	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	GTAGLagPatcher.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1908	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4704	timeout.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2196	powershell.exe
2196	powershell.exe
2328	powershell.exe
2328	powershell.exe
2720	powershell.exe
2720	powershell.exe
3916	powershell.exe
3916	powershell.exe
1416	GTAGLagPatcher.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	GTAGLagPatcher.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	1416	GTAGLagPatcher.exe
Token: SeDebugPrivilege	1412	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1416	GTAGLagPatcher.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 2196	1416	GTAGLagPatcher.exe	94
PID 1416 wrote to memory of 2196	1416	GTAGLagPatcher.exe	94
PID 1416 wrote to memory of 2328	1416	GTAGLagPatcher.exe	96
PID 1416 wrote to memory of 2328	1416	GTAGLagPatcher.exe	96
PID 1416 wrote to memory of 2720	1416	GTAGLagPatcher.exe	99
PID 1416 wrote to memory of 2720	1416	GTAGLagPatcher.exe	99
PID 1416 wrote to memory of 3916	1416	GTAGLagPatcher.exe	101
PID 1416 wrote to memory of 3916	1416	GTAGLagPatcher.exe	101
PID 1416 wrote to memory of 1908	1416	GTAGLagPatcher.exe	103
PID 1416 wrote to memory of 1908	1416	GTAGLagPatcher.exe	103
PID 1416 wrote to memory of 992	1416	GTAGLagPatcher.exe	114
PID 1416 wrote to memory of 992	1416	GTAGLagPatcher.exe	114
PID 1416 wrote to memory of 3488	1416	GTAGLagPatcher.exe	116
PID 1416 wrote to memory of 3488	1416	GTAGLagPatcher.exe	116
PID 3488 wrote to memory of 4704	3488	cmd.exe	118
PID 3488 wrote to memory of 4704	3488	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\GTAGLagPatcher.exe
"C:\Users\Admin\AppData\Local\Temp\GTAGLagPatcher.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GTAGLagPatcher.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GTAGLagPatcher.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1908
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
  2⤵
  PID:992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEA4B.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4704

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
07ab6cc81c5230a598c0ad1711b6bd97

SHA1
de7e270e12d447dfc5896b7c96777eb32725778a

SHA256
900aa2c83ec8773c3f9705f75b28fff0eaca57f7adb33dc82564d7ea8f8069a3

SHA512
ffef0ad0824ea0fdab29eb3c44448100f79365a1729c7665eba9aef85a88e60901bc6a6c248de15a28d21be9ce5839d68861e4449ff557d8845927c740ba3a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
435c8910a0029f956bd01a8e81a7e4e5

SHA1
7fafd3c6df185811aa84fd45a055a25a2fff8f66

SHA256
1786a6415accde5fa7f0c5c1a0c43622c1009a1337ee55fa93e878cf688abbc0

SHA512
0236c9e18c3bd360ea77f72248f39ec3a937566e0e198f1c1570ef7d93b0c77e8b1ae334ccd7f607a1daa5747d2cff7605d0adf5aa17d72cc1c964777a1f5ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxk2hgns.svz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA4B.tmp.bat

Filesize
166B

MD5
c453dfae728881a267bc92df53b50c03

SHA1
3dded65dda8086fceeeb9c97eff674111398a12e

SHA256
657cf4fdc09d225ecce6169ab0dbe797f069fb74df8ff61f20742eb810646753

SHA512
2d1447f39e5377eaedbf297f7ab883be5c560d04bdb1f33e33c33cc49a88b4aadb3f7dcd6ed71dff112872bcd9f6e6ecf19452c8557b50537a5a995a86a3bc23

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
41KB

MD5
8243bd2f8a56096532edc5e80bd8bc4f

SHA1
655d815f9db0263e2137d30541779d49a8c48f2e

SHA256
9931bbbb3c1b0c11fdc4b302897d58fc3773ab89bc38e1df98e886397f2d57fb

SHA512
9f8d7eb2e7e65e72a1535af4aeb75bf22d8787842abd48ce70f9205a6b0f8dac403aa185b92daf37fd8ed5ddc053bd436b68dbad86ce4d708f0a411f37e67eb2

Download Submit
memory/1416-69-0x00007FFFD2E50000-0x00007FFFD3911000-memory.dmp

Filesize
10.8MB

Download
memory/1416-63-0x00000000015D0000-0x00000000015DC000-memory.dmp

Filesize
48KB

Download
memory/1416-0-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/1416-58-0x00007FFFD2E50000-0x00007FFFD3911000-memory.dmp

Filesize
10.8MB

Download
memory/1416-2-0x00007FFFD2E50000-0x00007FFFD3911000-memory.dmp

Filesize
10.8MB

Download
memory/1416-1-0x00007FFFD2E53000-0x00007FFFD2E55000-memory.dmp

Filesize
8KB

Download
memory/1416-57-0x00007FFFD2E53000-0x00007FFFD2E55000-memory.dmp

Filesize
8KB

Download
memory/2196-13-0x00000140BFAC0000-0x00000140BFAE2000-memory.dmp

Filesize
136KB

Download
memory/2196-18-0x00007FFFD2E50000-0x00007FFFD3911000-memory.dmp

Filesize
10.8MB

Download
memory/2196-15-0x00007FFFD2E50000-0x00007FFFD3911000-memory.dmp

Filesize
10.8MB

Download
memory/2196-14-0x00007FFFD2E50000-0x00007FFFD3911000-memory.dmp

Filesize
10.8MB

Download
memory/2196-3-0x00007FFFD2E50000-0x00007FFFD3911000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads