xworm | e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7

General

Target

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
Size

726KB
MD5

0e9969044f657b12f4cdad27254e5f91
SHA1

41d8196fd7520fa391361a39e3d1c6e6f124f07e
SHA256

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7
SHA512

2021bc8a0828084bcfbe0af6f997b3847cc0c63fa614db25a9116259b1bf9124eccdf5ad0a1fab37192b535199ad4e5c5570e448be43154baa49bd327db65284
SSDEEP

12288:SMMbni72U8L4042zQ1WVeXFfJoPQ5Puvg8BQcCRjEgTeRJRCIYpu5ssoxU:VMbni723L73/gXFxoY8Y8eckEH

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

104.250.180.178:7061

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2592-13-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2592-15-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2592-19-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2592-23-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2592-21-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2592-13-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2592-15-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2592-19-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2592-23-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2592-21-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2144 powershell.exe
1568 powershell.exe
2148 powershell.exe
3056 powershell.exe

pid	process
2144	powershell.exe
1568	powershell.exe
2148	powershell.exe
3056	powershell.exe

Drops startup file 2 IoCs

Processes:

InstallUtil.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	InstallUtil.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	InstallUtil.exe

Loads dropped DLL 1 IoCs

Processes:

InstallUtil.exe

pid process

2592 InstallUtil.exe

pid	process
2592	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe

description	pid	process	target process
PID 2172 set thread context of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exepowershell.exepowershell.exepowershell.exepowershell.exeInstallUtil.exe

pid	process
2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
2144	powershell.exe
1568	powershell.exe
2148	powershell.exe
3056	powershell.exe
2592	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exeInstallUtil.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
Token: SeDebugPrivilege	2592	InstallUtil.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

2592 InstallUtil.exe

pid	process
2592	InstallUtil.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exeInstallUtil.exe

description	pid	process	target process
PID 2172 wrote to memory of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 2172 wrote to memory of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 2172 wrote to memory of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 2172 wrote to memory of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 2172 wrote to memory of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 2172 wrote to memory of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 2172 wrote to memory of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 2172 wrote to memory of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 2172 wrote to memory of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 2172 wrote to memory of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 2172 wrote to memory of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 2172 wrote to memory of 2592	2172	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 2592 wrote to memory of 2144	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 2144	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 2144	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 2144	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 1568	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 1568	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 1568	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 1568	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 2148	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 2148	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 2148	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 2148	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 3056	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 3056	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 3056	2592	InstallUtil.exe	powershell.exe
PID 2592 wrote to memory of 3056	2592	InstallUtil.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
"C:\Users\Admin\AppData\Local\Temp\e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I4K9L9FQTWN576HC98D6.temp
Filesize
7KB

MD5
6de2d8b60ab2186688df8d018e585915

SHA1
3e2b4633a43fa1fc60222ad42c4ffdf0e9b2537e

SHA256
ce5abb37307c4cc4023bcc7d9300c2723b015f5e8c32b04c47ef4c1a94a5e0dc

SHA512
785ffae7ab0d8e2604c88c3332f57b6577dd0f7581288bd7ef9900457e1d81935e544eeb75ef6aeb211d4896f3cb03b2656a7c7bf8aabe7e22fea114d97c26ee

Download Submit
\Users\Admin\AppData\Roaming\XClient.exe
Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
memory/2172-3-0x0000000004F00000-0x0000000004F44000-memory.dmp

Filesize
272KB

Download
memory/2172-18-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-4-0x000000007406E000-0x000000007406F000-memory.dmp

Filesize
4KB

Download
memory/2172-5-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-6-0x0000000000770000-0x000000000078A000-memory.dmp

Filesize
104KB

Download
memory/2172-7-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download
memory/2172-8-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-2-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-1-0x00000000008F0000-0x00000000009AC000-memory.dmp

Filesize
752KB

Download
memory/2172-24-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-0-0x000000007406E000-0x000000007406F000-memory.dmp

Filesize
4KB

Download
memory/2592-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2592-15-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2592-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2592-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2592-21-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2592-25-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2592-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2592-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2592-48-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-49-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-50-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads