xworm | 986ae9a9ddb4c6f5ad6e025e7e33b88e8ad7d44873cdbb95c36008c8d88acc53

Reason

Machine shutdown

General

Target

XClient2.exe
Size

42KB
MD5

1ec8a6cea5e8dc9b654b2e1883df2d0a
SHA1

742221275c4b16fd5fb9d26bcf8dcbefabfcb187
SHA256

986ae9a9ddb4c6f5ad6e025e7e33b88e8ad7d44873cdbb95c36008c8d88acc53
SHA512

eb0d0cd8a0aa7bc7bf921aa310d3462b633a098e8d304e124054d2834b4394b48b81aee9c209391e7bb25796ead0b633646ce0afb2b904f8805f3788a4b0dc9a
SSDEEP

768:kUlyU7A+3G4R7e8ccs6B3p9cr+pF5PG9eD06vOwhF35iv:DV7zZLFPcraFI9k06vOwXMv

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

xErcLvQIi89NYxG4

Attributes

Install_directory
%ProgramData%
install_file
Calculator.exe
pastebin_url
https://pastebin.com/raw/8NHjMQQu
telegram
https://api.telegram.org/bot7167058941:AAEJhrFmM-_DOjntPUu3dU0-dH40X4Umt2M

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1576-1-0x0000000000260000-0x0000000000270000-memory.dmp	family_xworm
C:\ProgramData\Calculator.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4928 powershell.exe
4660 powershell.exe
2992 powershell.exe
4952 powershell.exe

pid	process
4928	powershell.exe
4660	powershell.exe
2992	powershell.exe
4952	powershell.exe

Drops startup file 2 IoCs

Processes:

XClient2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calculator.lnk	XClient2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calculator.lnk	XClient2.exe

Executes dropped EXE 3 IoCs

Processes:

Calculator.exeCalculator.exeCalculator.exe

pid process

2056 Calculator.exe
5076 Calculator.exe
2952 Calculator.exe

pid	process
2056	Calculator.exe
5076	Calculator.exe
2952	Calculator.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\ProgramData\\Calculator.exe"	XClient2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 pastebin.com
3 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2032 schtasks.exe

flow	ioc
1	pastebin.com
3	pastebin.com

flow	ioc
1	ip-api.com

pid	process
2032	schtasks.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "235"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXClient2.exe

pid	process
2992	powershell.exe
2992	powershell.exe
4952	powershell.exe
4952	powershell.exe
4928	powershell.exe
4928	powershell.exe
4660	powershell.exe
4660	powershell.exe
1576	XClient2.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

XClient2.exepowershell.exepowershell.exepowershell.exepowershell.exeCalculator.exeCalculator.exeCalculator.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	1576	XClient2.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	1576	XClient2.exe
Token: SeDebugPrivilege	2056	Calculator.exe
Token: SeDebugPrivilege	5076	Calculator.exe
Token: SeDebugPrivilege	2952	Calculator.exe
Token: SeShutdownPrivilege	1988	shutdown.exe
Token: SeRemoteShutdownPrivilege	1988	shutdown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

XClient2.exe

pid process

1576 XClient2.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

XClient2.exeLogonUI.exe

pid process

1576 XClient2.exe
4204 LogonUI.exe

pid	process
1576	XClient2.exe

pid	process
1576	XClient2.exe
4204	LogonUI.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

XClient2.exe

description	pid	process	target process
PID 1576 wrote to memory of 2992	1576	XClient2.exe	powershell.exe
PID 1576 wrote to memory of 2992	1576	XClient2.exe	powershell.exe
PID 1576 wrote to memory of 4952	1576	XClient2.exe	powershell.exe
PID 1576 wrote to memory of 4952	1576	XClient2.exe	powershell.exe
PID 1576 wrote to memory of 4928	1576	XClient2.exe	powershell.exe
PID 1576 wrote to memory of 4928	1576	XClient2.exe	powershell.exe
PID 1576 wrote to memory of 4660	1576	XClient2.exe	powershell.exe
PID 1576 wrote to memory of 4660	1576	XClient2.exe	powershell.exe
PID 1576 wrote to memory of 2032	1576	XClient2.exe	schtasks.exe
PID 1576 wrote to memory of 2032	1576	XClient2.exe	schtasks.exe
PID 1576 wrote to memory of 1988	1576	XClient2.exe	shutdown.exe
PID 1576 wrote to memory of 1988	1576	XClient2.exe	shutdown.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient2.exe
"C:\Users\Admin\AppData\Local\Temp\XClient2.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient2.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient2.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Calculator.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Calculator.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Calculator" /tr "C:\ProgramData\Calculator.exe"
2⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\SYSTEM32\shutdown.exe
shutdown.exe /f /r /t 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\ProgramData\Calculator.exe
C:\ProgramData\Calculator.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\ProgramData\Calculator.exe
C:\ProgramData\Calculator.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\ProgramData\Calculator.exe
C:\ProgramData\Calculator.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a01855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Calculator.exe

Filesize
42KB

MD5
1ec8a6cea5e8dc9b654b2e1883df2d0a

SHA1
742221275c4b16fd5fb9d26bcf8dcbefabfcb187

SHA256
986ae9a9ddb4c6f5ad6e025e7e33b88e8ad7d44873cdbb95c36008c8d88acc53

SHA512
eb0d0cd8a0aa7bc7bf921aa310d3462b633a098e8d304e124054d2834b4394b48b81aee9c209391e7bb25796ead0b633646ce0afb2b904f8805f3788a4b0dc9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Calculator.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cb9070f7a07a5d3fc17121852bff6953

SHA1
1932f99c2039a98cf0d65bca0f882dde0686fc11

SHA256
6c908b4ca5b098e166b48a0e821050db43fba7299a6553be2303bee5b89545ac

SHA512
97b9fc5ce40b102e2c9334500f6c17625c982ff8e4afaaabd92c2468cd8deface01d7cdfd267c4f10aac123b7a6173fde85d2b531c6f134a3896a8ca5edfe1f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1bbdcd1100fd03ff0b6402fd8abd8ad

SHA1
76af750b4db8fc6cc3e57197762ac0760e47e868

SHA256
e8797c3902f771187d64dc8f39ad26641188e96d5f7218c8211512076ee5f95e

SHA512
11ad29bd424421cfdd10b1ed7c0125aff933d838ea3677519dd9767c7f560586b98e67cf70c1f05a6f1bda413ce7e62239b2caf09a50395943da66891a7db915

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ojf2bt2.1jx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1576-0-0x00007FFE96423000-0x00007FFE96425000-memory.dmp

Filesize
8KB

Download
memory/1576-53-0x00007FFE96423000-0x00007FFE96425000-memory.dmp

Filesize
8KB

Download
memory/1576-54-0x00007FFE96420000-0x00007FFE96EE2000-memory.dmp

Filesize
10.8MB

Download
memory/1576-2-0x00007FFE96420000-0x00007FFE96EE2000-memory.dmp

Filesize
10.8MB

Download
memory/1576-59-0x000000001C060000-0x000000001C06A000-memory.dmp

Filesize
40KB

Download
memory/1576-1-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1576-63-0x00007FFE96420000-0x00007FFE96EE2000-memory.dmp

Filesize
10.8MB

Download
memory/2992-14-0x00007FFE96420000-0x00007FFE96EE2000-memory.dmp

Filesize
10.8MB

Download
memory/2992-17-0x00007FFE96420000-0x00007FFE96EE2000-memory.dmp

Filesize
10.8MB

Download
memory/2992-13-0x00007FFE96420000-0x00007FFE96EE2000-memory.dmp

Filesize
10.8MB

Download
memory/2992-4-0x00000212C1620000-0x00000212C1642000-memory.dmp

Filesize
136KB

Download
memory/2992-3-0x00007FFE96420000-0x00007FFE96EE2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads