xworm | 5da1772e67ac37571ed70b498e237cde750647607d4fe98fd8e7fd8668e0c0e0

General

Target

XClient.exe
Size

41KB
MD5

0658f349a11af82050212edf3f599342
SHA1

0fa5f0818a7e50fd312f5dab4b7150de7df9fa7e
SHA256

5da1772e67ac37571ed70b498e237cde750647607d4fe98fd8e7fd8668e0c0e0
SHA512

0c337cf6b38a2e2c7078813c61086a173c5761f4b90efdbee85fd7edb4f16731d66a9ea95bc4988340b64e37d75b4227b224a110bb0e64fc36e076511857c3f7
SSDEEP

768:TKr2/FPtKX7eRvIiWqyAuIzfjFSuDatF5PG9sJOwhU3ECN:The7EI3RAuwxSuDuFI9sJOwGlN

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

panel-slave.gl.at.ply.gg:57059

Mutex

kdrfWObdXWjh7iBF

Attributes

Install_directory
%AppData%
install_file
$77client.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4656-1-0x0000000000130000-0x0000000000140000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\$77client.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

XClient.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation XClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77client.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77client.lnk	XClient.exe

Executes dropped EXE 30 IoCs

Processes:

$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe

pid	process
4492	$77client.exe
2124	$77client.exe
224	$77client.exe
2828	$77client.exe
1052	$77client.exe
3952	$77client.exe
1552	$77client.exe
2164	$77client.exe
4896	$77client.exe
4124	$77client.exe
4468	$77client.exe
2696	$77client.exe
3368	$77client.exe
4332	$77client.exe
4572	$77client.exe
5060	$77client.exe
2640	$77client.exe
1872	$77client.exe
1552	$77client.exe
4736	$77client.exe
3688	$77client.exe
4292	$77client.exe
1244	$77client.exe
4968	$77client.exe
3704	$77client.exe
3988	$77client.exe
2104	$77client.exe
1324	$77client.exe
4032	$77client.exe
3872	$77client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77client = "C:\\Users\\Admin\\AppData\\Roaming\\$77client.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1940 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

XClient.exe

pid process

4656 XClient.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

XClient.exe

pid process

4656 XClient.exe

flow	ioc
13	ip-api.com

pid	process
1940	schtasks.exe

pid	process
4656	XClient.exe

pid	process
4656	XClient.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

XClient.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe$77client.exe

description	pid	process
Token: SeDebugPrivilege	4656	XClient.exe
Token: SeDebugPrivilege	4656	XClient.exe
Token: SeDebugPrivilege	4492	$77client.exe
Token: SeDebugPrivilege	2124	$77client.exe
Token: SeDebugPrivilege	224	$77client.exe
Token: SeDebugPrivilege	2828	$77client.exe
Token: SeDebugPrivilege	1052	$77client.exe
Token: SeDebugPrivilege	3952	$77client.exe
Token: SeDebugPrivilege	1552	$77client.exe
Token: SeDebugPrivilege	2164	$77client.exe
Token: SeDebugPrivilege	4896	$77client.exe
Token: SeDebugPrivilege	4124	$77client.exe
Token: SeDebugPrivilege	4468	$77client.exe
Token: SeDebugPrivilege	2696	$77client.exe
Token: SeDebugPrivilege	3368	$77client.exe
Token: SeDebugPrivilege	4332	$77client.exe
Token: SeDebugPrivilege	4572	$77client.exe
Token: SeDebugPrivilege	5060	$77client.exe
Token: SeDebugPrivilege	2640	$77client.exe
Token: SeDebugPrivilege	1872	$77client.exe
Token: SeDebugPrivilege	1552	$77client.exe
Token: SeDebugPrivilege	4736	$77client.exe
Token: SeDebugPrivilege	3688	$77client.exe
Token: SeDebugPrivilege	4292	$77client.exe
Token: SeDebugPrivilege	1244	$77client.exe
Token: SeDebugPrivilege	4968	$77client.exe
Token: SeDebugPrivilege	3704	$77client.exe
Token: SeDebugPrivilege	3988	$77client.exe
Token: SeDebugPrivilege	2104	$77client.exe
Token: SeDebugPrivilege	1324	$77client.exe
Token: SeDebugPrivilege	4032	$77client.exe
Token: SeDebugPrivilege	3872	$77client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XClient.exe

pid process

4656 XClient.exe

pid	process
4656	XClient.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

XClient.exe

description	pid	process	target process
PID 4656 wrote to memory of 1940	4656	XClient.exe	schtasks.exe
PID 4656 wrote to memory of 1940	4656	XClient.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77client" /tr "C:\Users\Admin\AppData\Roaming\$77client.exe"
2⤵
- Creates scheduled task(s)
PID:1940

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Users\Admin\AppData\Roaming\$77client.exe
C:\Users\Admin\AppData\Roaming\$77client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77client.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Roaming\$77client.exe

Filesize
41KB

MD5
0658f349a11af82050212edf3f599342

SHA1
0fa5f0818a7e50fd312f5dab4b7150de7df9fa7e

SHA256
5da1772e67ac37571ed70b498e237cde750647607d4fe98fd8e7fd8668e0c0e0

SHA512
0c337cf6b38a2e2c7078813c61086a173c5761f4b90efdbee85fd7edb4f16731d66a9ea95bc4988340b64e37d75b4227b224a110bb0e64fc36e076511857c3f7

Download Submit
memory/4492-11-0x00007FF9D9340000-0x00007FF9D9E01000-memory.dmp

Filesize
10.8MB

Download
memory/4492-13-0x00007FF9D9340000-0x00007FF9D9E01000-memory.dmp

Filesize
10.8MB

Download
memory/4656-0-0x00007FF9D9343000-0x00007FF9D9345000-memory.dmp

Filesize
8KB

Download
memory/4656-1-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/4656-2-0x00007FF9D9340000-0x00007FF9D9E01000-memory.dmp

Filesize
10.8MB

Download
memory/4656-7-0x00007FF9D9343000-0x00007FF9D9345000-memory.dmp

Filesize
8KB

Download
memory/4656-8-0x00007FF9D9340000-0x00007FF9D9E01000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads