xworm | 90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3

Analysis

max time kernel
929s
max time network
927s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

327KB
MD5

abba6345ea0fb09de3cded81bec289ef
SHA1

5ddf3b0d56f3dbd742b6473ab22b58a74730a4e0
SHA256

90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3
SHA512

8328b290d8d695e9a244bdbb782aafc48cf36f82c0cb3810c185d9c3468262e57dc30b249a5bf27d18e9db5ca97bd5a7a0081764ee7bfbabf621850c19624e4e
SSDEEP

6144:i1YD5ubbPMBX+GIIIIIIIhIIIIIIIIIIIIIIIU:15kPMBY

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

region-vip.gl.at.ply.gg:47649

increased-ted.gl.at.ply.gg:47649

Attributes

Install_directory
%ProgramData%
install_file
Steam.exe
telegram
https://api.telegram.org/bot7186793142:AAGFJjLyhOIBEPcbCbAu3hrbmYsgQ5hzhf4/sendMessage?chat_id=5288662132

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral3/memory/1196-1-0x0000000000990000-0x00000000009E8000-memory.dmp	family_xworm
behavioral3/files/0x000d00000001226d-31.dat	family_xworm
behavioral3/memory/1264-33-0x00000000009F0000-0x0000000000A48000-memory.dmp	family_xworm
behavioral3/memory/2904-35-0x0000000000380000-0x00000000003D8000-memory.dmp	family_xworm
behavioral3/memory/1048-37-0x0000000000AE0000-0x0000000000B38000-memory.dmp	family_xworm
behavioral3/memory/2148-39-0x0000000000200000-0x0000000000258000-memory.dmp	family_xworm
behavioral3/memory/840-41-0x0000000001260000-0x00000000012B8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2676	powershell.exe
1624	powershell.exe
2544	powershell.exe
2736	powershell.exe

Executes dropped EXE 15 IoCs

pid	Process
1264	Steam.exe
2904	Steam.exe
1048	Steam.exe
2148	Steam.exe
840	Steam.exe
2992	Steam.exe
3032	Steam.exe
2724	Steam.exe
2704	Steam.exe
2028	Steam.exe
340	Steam.exe
2164	Steam.exe
1044	Steam.exe
908	Steam.exe
2852	Steam.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\ProgramData\\Steam.exe"	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2544	powershell.exe
2736	powershell.exe
2676	powershell.exe
1624	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	Client.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1196	Client.exe
Token: SeDebugPrivilege	1264	Steam.exe
Token: SeDebugPrivilege	2904	Steam.exe
Token: SeDebugPrivilege	1048	Steam.exe
Token: SeDebugPrivilege	2148	Steam.exe
Token: SeDebugPrivilege	840	Steam.exe
Token: SeDebugPrivilege	2992	Steam.exe
Token: SeDebugPrivilege	3032	Steam.exe
Token: SeDebugPrivilege	2724	Steam.exe
Token: SeDebugPrivilege	2704	Steam.exe
Token: SeDebugPrivilege	2028	Steam.exe
Token: SeDebugPrivilege	340	Steam.exe
Token: SeDebugPrivilege	2164	Steam.exe
Token: SeDebugPrivilege	1044	Steam.exe
Token: SeDebugPrivilege	908	Steam.exe
Token: SeDebugPrivilege	2852	Steam.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2544	1196	Client.exe	28
PID 1196 wrote to memory of 2544	1196	Client.exe	28
PID 1196 wrote to memory of 2544	1196	Client.exe	28
PID 1196 wrote to memory of 2736	1196	Client.exe	30
PID 1196 wrote to memory of 2736	1196	Client.exe	30
PID 1196 wrote to memory of 2736	1196	Client.exe	30
PID 1196 wrote to memory of 2676	1196	Client.exe	32
PID 1196 wrote to memory of 2676	1196	Client.exe	32
PID 1196 wrote to memory of 2676	1196	Client.exe	32
PID 1196 wrote to memory of 1624	1196	Client.exe	34
PID 1196 wrote to memory of 1624	1196	Client.exe	34
PID 1196 wrote to memory of 1624	1196	Client.exe	34
PID 1196 wrote to memory of 2460	1196	Client.exe	36
PID 1196 wrote to memory of 2460	1196	Client.exe	36
PID 1196 wrote to memory of 2460	1196	Client.exe	36
PID 1268 wrote to memory of 1264	1268	taskeng.exe	40
PID 1268 wrote to memory of 1264	1268	taskeng.exe	40
PID 1268 wrote to memory of 1264	1268	taskeng.exe	40
PID 1268 wrote to memory of 2904	1268	taskeng.exe	43
PID 1268 wrote to memory of 2904	1268	taskeng.exe	43
PID 1268 wrote to memory of 2904	1268	taskeng.exe	43
PID 1268 wrote to memory of 1048	1268	taskeng.exe	44
PID 1268 wrote to memory of 1048	1268	taskeng.exe	44
PID 1268 wrote to memory of 1048	1268	taskeng.exe	44
PID 1268 wrote to memory of 2148	1268	taskeng.exe	45
PID 1268 wrote to memory of 2148	1268	taskeng.exe	45
PID 1268 wrote to memory of 2148	1268	taskeng.exe	45
PID 1268 wrote to memory of 840	1268	taskeng.exe	46
PID 1268 wrote to memory of 840	1268	taskeng.exe	46
PID 1268 wrote to memory of 840	1268	taskeng.exe	46
PID 1268 wrote to memory of 2992	1268	taskeng.exe	47
PID 1268 wrote to memory of 2992	1268	taskeng.exe	47
PID 1268 wrote to memory of 2992	1268	taskeng.exe	47
PID 1268 wrote to memory of 3032	1268	taskeng.exe	48
PID 1268 wrote to memory of 3032	1268	taskeng.exe	48
PID 1268 wrote to memory of 3032	1268	taskeng.exe	48
PID 1268 wrote to memory of 2724	1268	taskeng.exe	49
PID 1268 wrote to memory of 2724	1268	taskeng.exe	49
PID 1268 wrote to memory of 2724	1268	taskeng.exe	49
PID 1268 wrote to memory of 2704	1268	taskeng.exe	50
PID 1268 wrote to memory of 2704	1268	taskeng.exe	50
PID 1268 wrote to memory of 2704	1268	taskeng.exe	50
PID 1268 wrote to memory of 2028	1268	taskeng.exe	51
PID 1268 wrote to memory of 2028	1268	taskeng.exe	51
PID 1268 wrote to memory of 2028	1268	taskeng.exe	51
PID 1268 wrote to memory of 340	1268	taskeng.exe	53
PID 1268 wrote to memory of 340	1268	taskeng.exe	53
PID 1268 wrote to memory of 340	1268	taskeng.exe	53
PID 1268 wrote to memory of 2164	1268	taskeng.exe	55
PID 1268 wrote to memory of 2164	1268	taskeng.exe	55
PID 1268 wrote to memory of 2164	1268	taskeng.exe	55
PID 1268 wrote to memory of 1044	1268	taskeng.exe	56
PID 1268 wrote to memory of 1044	1268	taskeng.exe	56
PID 1268 wrote to memory of 1044	1268	taskeng.exe	56
PID 1268 wrote to memory of 908	1268	taskeng.exe	57
PID 1268 wrote to memory of 908	1268	taskeng.exe	57
PID 1268 wrote to memory of 908	1268	taskeng.exe	57
PID 1268 wrote to memory of 2852	1268	taskeng.exe	59
PID 1268 wrote to memory of 2852	1268	taskeng.exe	59
PID 1268 wrote to memory of 2852	1268	taskeng.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Steam.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\ProgramData\Steam.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2460

C:\Windows\system32\taskeng.exe
taskeng.exe {08F31A20-D637-4B6B-9628-82532BD91B09} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:340
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\ProgramData\Steam.exe
  C:\ProgramData\Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam.exe

Filesize
327KB

MD5
abba6345ea0fb09de3cded81bec289ef

SHA1
5ddf3b0d56f3dbd742b6473ab22b58a74730a4e0

SHA256
90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3

SHA512
8328b290d8d695e9a244bdbb782aafc48cf36f82c0cb3810c185d9c3468262e57dc30b249a5bf27d18e9db5ca97bd5a7a0081764ee7bfbabf621850c19624e4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
838a8afde9625b37fe2438f395fad8a3

SHA1
5438b5ad52a647a9cbff183a0fb9f8e9ea8bfdd5

SHA256
3f257ac2bbd0ee7297c86f4db9a70e3a3967cb236ec3506376fe7051a10cf198

SHA512
ecc322c3d840054a720019612a97dbe1305ec94e039f685ef19a1c9006f744989116512260f95c6452a8a4ade7a4e1e0878b3536d7ec9a0c9bc517dd1cb1880f

Download Submit
memory/840-41-0x0000000001260000-0x00000000012B8000-memory.dmp

Filesize
352KB

Download
memory/1048-37-0x0000000000AE0000-0x0000000000B38000-memory.dmp

Filesize
352KB

Download
memory/1196-28-0x000007FEF5323000-0x000007FEF5324000-memory.dmp

Filesize
4KB

Download
memory/1196-1-0x0000000000990000-0x00000000009E8000-memory.dmp

Filesize
352KB

Download
memory/1196-0-0x000007FEF5323000-0x000007FEF5324000-memory.dmp

Filesize
4KB

Download
memory/1196-29-0x000000001B410000-0x000000001B490000-memory.dmp

Filesize
512KB

Download
memory/1196-27-0x000000001B410000-0x000000001B490000-memory.dmp

Filesize
512KB

Download
memory/1264-33-0x00000000009F0000-0x0000000000A48000-memory.dmp

Filesize
352KB

Download
memory/2148-39-0x0000000000200000-0x0000000000258000-memory.dmp

Filesize
352KB

Download
memory/2544-8-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2544-7-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2544-6-0x0000000002E70000-0x0000000002EF0000-memory.dmp

Filesize
512KB

Download
memory/2736-15-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2736-14-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2904-35-0x0000000000380000-0x00000000003D8000-memory.dmp

Filesize
352KB

Download