xworm | 90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3

General

Target

Client.exe
Size

327KB
MD5

abba6345ea0fb09de3cded81bec289ef
SHA1

5ddf3b0d56f3dbd742b6473ab22b58a74730a4e0
SHA256

90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3
SHA512

8328b290d8d695e9a244bdbb782aafc48cf36f82c0cb3810c185d9c3468262e57dc30b249a5bf27d18e9db5ca97bd5a7a0081764ee7bfbabf621850c19624e4e
SSDEEP

6144:i1YD5ubbPMBX+GIIIIIIIhIIIIIIIIIIIIIIIU:15kPMBY

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

region-vip.gl.at.ply.gg:47649

increased-ted.gl.at.ply.gg:47649

Attributes

Install_directory
%ProgramData%
install_file
Steam.exe
telegram
https://api.telegram.org/bot7186793142:AAGFJjLyhOIBEPcbCbAu3hrbmYsgQ5hzhf4/sendMessage?chat_id=5288662132

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/memory/5068-0-0x0000000000E40000-0x0000000000E98000-memory.dmp	family_xworm
behavioral4/files/0x000900000002326f-54.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1456	powershell.exe
3976	powershell.exe
1556	powershell.exe
4600	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
1792	Steam.exe
4760	Steam.exe
1212	Steam.exe
1152	Steam.exe
4824	Steam.exe
4504	Steam.exe
1504	Steam.exe
2464	Steam.exe
1612	Steam.exe
3752	Steam.exe
2812	Steam.exe
1216	Steam.exe
2412	Steam.exe
2124	Steam.exe
1244	Steam.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\ProgramData\\Steam.exe"	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1456	powershell.exe
1456	powershell.exe
3976	powershell.exe
3976	powershell.exe
1556	powershell.exe
1556	powershell.exe
4600	powershell.exe
4600	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	Client.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	5068	Client.exe
Token: SeDebugPrivilege	1792	Steam.exe
Token: SeDebugPrivilege	4760	Steam.exe
Token: SeDebugPrivilege	1212	Steam.exe
Token: SeDebugPrivilege	1152	Steam.exe
Token: SeDebugPrivilege	4824	Steam.exe
Token: SeDebugPrivilege	4504	Steam.exe
Token: SeDebugPrivilege	1504	Steam.exe
Token: SeDebugPrivilege	2464	Steam.exe
Token: SeDebugPrivilege	1612	Steam.exe
Token: SeDebugPrivilege	3752	Steam.exe
Token: SeDebugPrivilege	2812	Steam.exe
Token: SeDebugPrivilege	1216	Steam.exe
Token: SeDebugPrivilege	2412	Steam.exe
Token: SeDebugPrivilege	2124	Steam.exe
Token: SeDebugPrivilege	1244	Steam.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 1456	5068	Client.exe	83
PID 5068 wrote to memory of 1456	5068	Client.exe	83
PID 5068 wrote to memory of 3976	5068	Client.exe	85
PID 5068 wrote to memory of 3976	5068	Client.exe	85
PID 5068 wrote to memory of 1556	5068	Client.exe	87
PID 5068 wrote to memory of 1556	5068	Client.exe	87
PID 5068 wrote to memory of 4600	5068	Client.exe	89
PID 5068 wrote to memory of 4600	5068	Client.exe	89
PID 5068 wrote to memory of 4696	5068	Client.exe	91
PID 5068 wrote to memory of 4696	5068	Client.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Steam.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\ProgramData\Steam.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4696

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\ProgramData\Steam.exe
C:\ProgramData\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam.exe

Filesize
327KB

MD5
abba6345ea0fb09de3cded81bec289ef

SHA1
5ddf3b0d56f3dbd742b6473ab22b58a74730a4e0

SHA256
90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3

SHA512
8328b290d8d695e9a244bdbb782aafc48cf36f82c0cb3810c185d9c3468262e57dc30b249a5bf27d18e9db5ca97bd5a7a0081764ee7bfbabf621850c19624e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Steam.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8dac4777b9089771af95cf4dc23694a2

SHA1
9f3a7731544d03dd478508ef35006157095a6cea

SHA256
d0ce909277782d4fee87ca55f35f42b4c2aac6375146314915138dbdc48857f1

SHA512
746b78acde30253b4fe2ca55cbb061a9e08b7f8ccf3f2ef8bab18f173a9112b82f955a844d02e914e4ebaf43fdb7c9a2f7ecfc111cac669690fd3c6a6889a625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dt1i5wdy.qff.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1456-12-0x00007FF9FFBA0000-0x00007FFA00661000-memory.dmp

Filesize
10.8MB

Download
memory/1456-16-0x00007FF9FFBA0000-0x00007FFA00661000-memory.dmp

Filesize
10.8MB

Download
memory/1456-14-0x00007FF9FFBA0000-0x00007FFA00661000-memory.dmp

Filesize
10.8MB

Download
memory/1456-13-0x00007FF9FFBA0000-0x00007FFA00661000-memory.dmp

Filesize
10.8MB

Download
memory/1456-2-0x000001AB1C290000-0x000001AB1C2B2000-memory.dmp

Filesize
136KB

Download
memory/5068-0-0x0000000000E40000-0x0000000000E98000-memory.dmp

Filesize
352KB

Download
memory/5068-51-0x00007FF9FFBA0000-0x00007FFA00661000-memory.dmp

Filesize
10.8MB

Download
memory/5068-52-0x00007FF9FFBA3000-0x00007FF9FFBA5000-memory.dmp

Filesize
8KB

Download
memory/5068-53-0x00007FF9FFBA0000-0x00007FFA00661000-memory.dmp

Filesize
10.8MB

Download
memory/5068-1-0x00007FF9FFBA3000-0x00007FF9FFBA5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads