xworm | 90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3

General

Target

Client.exe
Size

327KB
MD5

abba6345ea0fb09de3cded81bec289ef
SHA1

5ddf3b0d56f3dbd742b6473ab22b58a74730a4e0
SHA256

90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3
SHA512

8328b290d8d695e9a244bdbb782aafc48cf36f82c0cb3810c185d9c3468262e57dc30b249a5bf27d18e9db5ca97bd5a7a0081764ee7bfbabf621850c19624e4e
SSDEEP

6144:i1YD5ubbPMBX+GIIIIIIIhIIIIIIIIIIIIIIIU:15kPMBY

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

region-vip.gl.at.ply.gg:47649

increased-ted.gl.at.ply.gg:47649

Attributes

Install_directory
%ProgramData%
install_file
Steam.exe
telegram
https://api.telegram.org/bot7186793142:AAGFJjLyhOIBEPcbCbAu3hrbmYsgQ5hzhf4/sendMessage?chat_id=5288662132

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1992-1-0x0000000000C30000-0x0000000000C88000-memory.dmp	family_xworm
behavioral1/files/0x000e000000023396-55.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2088	powershell.exe
3476	powershell.exe
3272	powershell.exe
4644	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
3612	Steam.exe
4364	Steam.exe
4880	Steam.exe
4848	Steam.exe
1584	Steam.exe
3364	Steam.exe
4484	Steam.exe
4672	Steam.exe
3300	Steam.exe
3504	Steam.exe
1568	Steam.exe
4364	Steam.exe
4064	Steam.exe
3328	Steam.exe
4880	Steam.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\ProgramData\\Steam.exe"	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2088	powershell.exe
2088	powershell.exe
3476	powershell.exe
3476	powershell.exe
3272	powershell.exe
3272	powershell.exe
4644	powershell.exe
4644	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	Client.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	1992	Client.exe
Token: SeDebugPrivilege	3612	Steam.exe
Token: SeDebugPrivilege	4364	Steam.exe
Token: SeDebugPrivilege	4880	Steam.exe
Token: SeDebugPrivilege	4848	Steam.exe
Token: SeDebugPrivilege	1584	Steam.exe
Token: SeDebugPrivilege	3364	Steam.exe
Token: SeDebugPrivilege	4484	Steam.exe
Token: SeDebugPrivilege	4672	Steam.exe
Token: SeDebugPrivilege	3300	Steam.exe
Token: SeDebugPrivilege	3504	Steam.exe
Token: SeDebugPrivilege	1568	Steam.exe
Token: SeDebugPrivilege	4364	Steam.exe
Token: SeDebugPrivilege	4064	Steam.exe
Token: SeDebugPrivilege	3328	Steam.exe
Token: SeDebugPrivilege	4880	Steam.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2088	1992	Client.exe	88
PID 1992 wrote to memory of 2088	1992	Client.exe	88
PID 1992 wrote to memory of 3476	1992	Client.exe	90
PID 1992 wrote to memory of 3476	1992	Client.exe	90
PID 1992 wrote to memory of 3272	1992	Client.exe	92
PID 1992 wrote to memory of 3272	1992	Client.exe	92
PID 1992 wrote to memory of 4644	1992	Client.exe	94
PID 1992 wrote to memory of 4644	1992	Client.exe	94
PID 1992 wrote to memory of 1820	1992	Client.exe	96
PID 1992 wrote to memory of 1820	1992	Client.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Steam.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\ProgramData\Steam.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1820

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam.exe

Filesize
327KB

MD5
abba6345ea0fb09de3cded81bec289ef

SHA1
5ddf3b0d56f3dbd742b6473ab22b58a74730a4e0

SHA256
90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3

SHA512
8328b290d8d695e9a244bdbb782aafc48cf36f82c0cb3810c185d9c3468262e57dc30b249a5bf27d18e9db5ca97bd5a7a0081764ee7bfbabf621850c19624e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Steam.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5975b5468bc0f725030e72a3533f91ea

SHA1
249a8198bfe39199ec7741708e5436604f035328

SHA256
322dbe57f25e9f49c83fbb27ccb175f2cfcadb56593aeb19d6906051f0af5dd2

SHA512
ee56afaada20e8cc2e1014f807325eddcb9d2401eb6c38df7d46998cd559e697292661c120057daf47f097e0bf6b6fc318979b07143b5c101809391d533717e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rwv1z2bb.jed.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1992-52-0x00007FFE7B8E3000-0x00007FFE7B8E5000-memory.dmp

Filesize
8KB

Download
memory/1992-51-0x00007FFE7B8E0000-0x00007FFE7C3A1000-memory.dmp

Filesize
10.8MB

Download
memory/1992-0-0x00007FFE7B8E3000-0x00007FFE7B8E5000-memory.dmp

Filesize
8KB

Download
memory/1992-53-0x00007FFE7B8E0000-0x00007FFE7C3A1000-memory.dmp

Filesize
10.8MB

Download
memory/1992-1-0x0000000000C30000-0x0000000000C88000-memory.dmp

Filesize
352KB

Download
memory/2088-16-0x00007FFE7B8E0000-0x00007FFE7C3A1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-14-0x00007FFE7B8E0000-0x00007FFE7C3A1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-13-0x00007FFE7B8E0000-0x00007FFE7C3A1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-12-0x00007FFE7B8E0000-0x00007FFE7C3A1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-2-0x0000017AF6380000-0x0000017AF63A2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads