xworm | e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7

General

Target

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
Size

726KB
MD5

0e9969044f657b12f4cdad27254e5f91
SHA1

41d8196fd7520fa391361a39e3d1c6e6f124f07e
SHA256

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7
SHA512

2021bc8a0828084bcfbe0af6f997b3847cc0c63fa614db25a9116259b1bf9124eccdf5ad0a1fab37192b535199ad4e5c5570e448be43154baa49bd327db65284
SSDEEP

12288:SMMbni72U8L4042zQ1WVeXFfJoPQ5Puvg8BQcCRjEgTeRJRCIYpu5ssoxU:VMbni723L73/gXFxoY8Y8eckEH

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

104.250.180.178:7061

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5112-13-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5112-13-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1592 powershell.exe
3432 powershell.exe
4680 powershell.exe
2600 powershell.exe

pid	process
1592	powershell.exe
3432	powershell.exe
4680	powershell.exe
2600	powershell.exe

Drops startup file 2 IoCs

Processes:

InstallUtil.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	InstallUtil.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe

description	pid	process	target process
PID 3500 set thread context of 5112	3500	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exepowershell.exepowershell.exepowershell.exepowershell.exeInstallUtil.exe

pid	process
3500	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
3500	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
4680	powershell.exe
4680	powershell.exe
2600	powershell.exe
2600	powershell.exe
1592	powershell.exe
1592	powershell.exe
3432	powershell.exe
3432	powershell.exe
5112	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exeInstallUtil.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3500	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
Token: SeDebugPrivilege	5112	InstallUtil.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

5112 InstallUtil.exe

pid	process
5112	InstallUtil.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exeInstallUtil.exe

description	pid	process	target process
PID 3500 wrote to memory of 5112	3500	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 3500 wrote to memory of 5112	3500	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 3500 wrote to memory of 5112	3500	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 3500 wrote to memory of 5112	3500	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 3500 wrote to memory of 5112	3500	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 3500 wrote to memory of 5112	3500	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 3500 wrote to memory of 5112	3500	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 3500 wrote to memory of 5112	3500	e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe	InstallUtil.exe
PID 5112 wrote to memory of 4680	5112	InstallUtil.exe	powershell.exe
PID 5112 wrote to memory of 4680	5112	InstallUtil.exe	powershell.exe
PID 5112 wrote to memory of 4680	5112	InstallUtil.exe	powershell.exe
PID 5112 wrote to memory of 2600	5112	InstallUtil.exe	powershell.exe
PID 5112 wrote to memory of 2600	5112	InstallUtil.exe	powershell.exe
PID 5112 wrote to memory of 2600	5112	InstallUtil.exe	powershell.exe
PID 5112 wrote to memory of 1592	5112	InstallUtil.exe	powershell.exe
PID 5112 wrote to memory of 1592	5112	InstallUtil.exe	powershell.exe
PID 5112 wrote to memory of 1592	5112	InstallUtil.exe	powershell.exe
PID 5112 wrote to memory of 3432	5112	InstallUtil.exe	powershell.exe
PID 5112 wrote to memory of 3432	5112	InstallUtil.exe	powershell.exe
PID 5112 wrote to memory of 3432	5112	InstallUtil.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
"C:\Users\Admin\AppData\Local\Temp\e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
bae5176ae11c4f33c7593da6f0778233

SHA1
7c3e7bf483b52e7cd0524957fbd1c579ef14357c

SHA256
d13f781c6957a6f4a9fcf5c3f66622b61db156a181bec14e57560a0f1f938c36

SHA512
0da5a8b7913decae5209ea0570afbea368de0ac8b5e687bcfc8705ced284753d131e42883f326fad1686391d1409239a23322bb4012944db5f436450d0dff32f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
905ddcc629030284435aa280941c23b7

SHA1
66cdb2b9867f2c75f8c80402d406594e4e3ea565

SHA256
61f283a896cac3ea3dc8c221d2f659631ae1e400b375a029b09d6cf5844ff498

SHA512
99b331538ce5ba661e231921cdb67a14e9fe1057b8a760ab291f763a70b5558f7711f27d20ecb1cdb326a0098bc2c6cf8b60e1cc3536a373ccede134b9ad661f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
9dd70cc1e95ae0bea520c9795b2c4afe

SHA1
79699bc5928944830668e45d1e1bdab75e2ab310

SHA256
26eefd84aad9339bb5235bae1e21c4ff63dfa48d92c7f30fe65d48070ead5561

SHA512
958c6edec019c72a0d8655b3c73d2941f984878224cec094f2e917f8a5f515e1219b09f0aeb1083665d3ba4a106e9775c67d985d5a68c543044350bce9c10009

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xbgxqhqh.tck.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1592-96-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/2600-72-0x00000000056B0000-0x0000000005A04000-memory.dmp

Filesize
3.3MB

Download
memory/2600-74-0x0000000005CC0000-0x0000000005D0C000-memory.dmp

Filesize
304KB

Download
memory/2600-75-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/3432-117-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

Filesize
304KB

Download
memory/3500-6-0x0000000005730000-0x00000000057CC000-memory.dmp

Filesize
624KB

Download
memory/3500-7-0x0000000006750000-0x0000000006794000-memory.dmp

Filesize
272KB

Download
memory/3500-12-0x000000000A1E0000-0x000000000A1E6000-memory.dmp

Filesize
24KB

Download
memory/3500-10-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/3500-15-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/3500-9-0x00000000750AE000-0x00000000750AF000-memory.dmp

Filesize
4KB

Download
memory/3500-8-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/3500-11-0x0000000007B60000-0x0000000007B7A000-memory.dmp

Filesize
104KB

Download
memory/3500-0-0x00000000750AE000-0x00000000750AF000-memory.dmp

Filesize
4KB

Download
memory/3500-5-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/3500-4-0x0000000005490000-0x000000000549A000-memory.dmp

Filesize
40KB

Download
memory/3500-3-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/3500-2-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/3500-1-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/4680-35-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/4680-57-0x0000000007700000-0x000000000771A000-memory.dmp

Filesize
104KB

Download
memory/4680-32-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/4680-36-0x0000000006120000-0x000000000616C000-memory.dmp

Filesize
304KB

Download
memory/4680-37-0x0000000006650000-0x0000000006682000-memory.dmp

Filesize
200KB

Download
memory/4680-38-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

Filesize
304KB

Download
memory/4680-48-0x0000000007250000-0x000000000726E000-memory.dmp

Filesize
120KB

Download
memory/4680-49-0x0000000007270000-0x0000000007313000-memory.dmp

Filesize
652KB

Download
memory/4680-50-0x00000000079F0000-0x000000000806A000-memory.dmp

Filesize
6.5MB

Download
memory/4680-51-0x00000000073B0000-0x00000000073CA000-memory.dmp

Filesize
104KB

Download
memory/4680-52-0x0000000007410000-0x000000000741A000-memory.dmp

Filesize
40KB

Download
memory/4680-53-0x0000000007640000-0x00000000076D6000-memory.dmp

Filesize
600KB

Download
memory/4680-54-0x00000000075B0000-0x00000000075C1000-memory.dmp

Filesize
68KB

Download
memory/4680-55-0x00000000075E0000-0x00000000075EE000-memory.dmp

Filesize
56KB

Download
memory/4680-56-0x00000000075F0000-0x0000000007604000-memory.dmp

Filesize
80KB

Download
memory/4680-34-0x0000000005C10000-0x0000000005F64000-memory.dmp

Filesize
3.3MB

Download
memory/4680-58-0x0000000007630000-0x0000000007638000-memory.dmp

Filesize
32KB

Download
memory/4680-61-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4680-33-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/4680-22-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4680-21-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/4680-19-0x00000000052F0000-0x0000000005918000-memory.dmp

Filesize
6.2MB

Download
memory/4680-20-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4680-18-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4680-17-0x0000000002750000-0x0000000002786000-memory.dmp

Filesize
216KB

Download
memory/5112-16-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/5112-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5112-132-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/5112-133-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/5112-134-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads