xworm | ad335bba6ec965c12c17a0fb8ae86aa26beebca57e63fba662757a79f1d6df22

General

Target

XClient.exe
Size

41KB
MD5

cb09c9133f40c4903525fa5a7df4c405
SHA1

e8496990338d09a6b73d4808e3aada0f50cf758a
SHA256

ad335bba6ec965c12c17a0fb8ae86aa26beebca57e63fba662757a79f1d6df22
SHA512

be757f81deb1b8f43d51332d383ff829524ea94a54a732576b30bdba43a31eee2dfc9cd8ed5dce2cd06e191c307db2ddee687895a0de5ad6bc9709d167631b1f
SSDEEP

768:KU0MzzOOfBbw197oyoyv08cr/rZ+IF5Pa9n2e6iOwhM3sik:KU0M/bZbwXsyrs3rd9F492e6iOwSNk

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

https://pastebin.com/raw/qaWffTar:5

Mutex

C6npgtaAk9A5snxm

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/qaWffTar

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1932-1-0x0000000001150000-0x0000000001160000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\svchost.exe	family_xworm
behavioral1/memory/1548-36-0x0000000000DD0000-0x0000000000DE0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2988 powershell.exe
2576 powershell.exe
2872 powershell.exe
2708 powershell.exe

pid	process
2988	powershell.exe
2576	powershell.exe
2872	powershell.exe
2708	powershell.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe

Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

1548 svchost.exe
2904 svchost.exe
2240 svchost.exe

pid	process
1548	svchost.exe
2904	svchost.exe
2240	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

6 pastebin.com
7 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1864 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXClient.exe

pid process

2988 powershell.exe
2576 powershell.exe
2872 powershell.exe
2708 powershell.exe
1932 XClient.exe

flow	ioc
6	pastebin.com
7	pastebin.com

flow	ioc
4	ip-api.com

pid	process
1864	schtasks.exe

pid	process
2988	powershell.exe
2576	powershell.exe
2872	powershell.exe
2708	powershell.exe
1932	XClient.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1932	XClient.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	1932	XClient.exe
Token: SeDebugPrivilege	1548	svchost.exe
Token: SeDebugPrivilege	2904	svchost.exe
Token: SeDebugPrivilege	2240	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XClient.exe

pid process

1932 XClient.exe

pid	process
1932	XClient.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

XClient.exetaskeng.exe

description	pid	process	target process
PID 1932 wrote to memory of 2988	1932	XClient.exe	powershell.exe
PID 1932 wrote to memory of 2988	1932	XClient.exe	powershell.exe
PID 1932 wrote to memory of 2988	1932	XClient.exe	powershell.exe
PID 1932 wrote to memory of 2576	1932	XClient.exe	powershell.exe
PID 1932 wrote to memory of 2576	1932	XClient.exe	powershell.exe
PID 1932 wrote to memory of 2576	1932	XClient.exe	powershell.exe
PID 1932 wrote to memory of 2872	1932	XClient.exe	powershell.exe
PID 1932 wrote to memory of 2872	1932	XClient.exe	powershell.exe
PID 1932 wrote to memory of 2872	1932	XClient.exe	powershell.exe
PID 1932 wrote to memory of 2708	1932	XClient.exe	powershell.exe
PID 1932 wrote to memory of 2708	1932	XClient.exe	powershell.exe
PID 1932 wrote to memory of 2708	1932	XClient.exe	powershell.exe
PID 1932 wrote to memory of 1864	1932	XClient.exe	schtasks.exe
PID 1932 wrote to memory of 1864	1932	XClient.exe	schtasks.exe
PID 1932 wrote to memory of 1864	1932	XClient.exe	schtasks.exe
PID 1452 wrote to memory of 1548	1452	taskeng.exe	svchost.exe
PID 1452 wrote to memory of 1548	1452	taskeng.exe	svchost.exe
PID 1452 wrote to memory of 1548	1452	taskeng.exe	svchost.exe
PID 1452 wrote to memory of 2904	1452	taskeng.exe	svchost.exe
PID 1452 wrote to memory of 2904	1452	taskeng.exe	svchost.exe
PID 1452 wrote to memory of 2904	1452	taskeng.exe	svchost.exe
PID 1452 wrote to memory of 2240	1452	taskeng.exe	svchost.exe
PID 1452 wrote to memory of 2240	1452	taskeng.exe	svchost.exe
PID 1452 wrote to memory of 2240	1452	taskeng.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\taskeng.exe
taskeng.exe {9DBF893E-5606-466E-BE56-FAAB580DCFBD} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
574ab3f1e372e9cdf3c5a8b4c8e26f2f

SHA1
422c17f79cba7ca6beb933ba964ccd162feb5631

SHA256
33a9aafeb02a29dfb86ac284ebc7364f2e40888cb24cbdd69985a4831aa13c86

SHA512
2f01568664f88c0eb958eae700b0142b2207325eae7cd4c2fd4868b7138ec788bd97aec25ee94a93fded3ea807776116dcd0af1fc650b4b16ef3469792a3b36d

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
41KB

MD5
cb09c9133f40c4903525fa5a7df4c405

SHA1
e8496990338d09a6b73d4808e3aada0f50cf758a

SHA256
ad335bba6ec965c12c17a0fb8ae86aa26beebca57e63fba662757a79f1d6df22

SHA512
be757f81deb1b8f43d51332d383ff829524ea94a54a732576b30bdba43a31eee2dfc9cd8ed5dce2cd06e191c307db2ddee687895a0de5ad6bc9709d167631b1f

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1548-36-0x0000000000DD0000-0x0000000000DE0000-memory.dmp

Filesize
64KB

Download
memory/1932-1-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/1932-2-0x000007FEFD150000-0x000007FEFD22B000-memory.dmp

Filesize
876KB

Download
memory/1932-0-0x000007FEFD150000-0x000007FEFD22B000-memory.dmp

Filesize
876KB

Download
memory/1932-37-0x000007FEFD150000-0x000007FEFD22B000-memory.dmp

Filesize
876KB

Download
memory/2576-16-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2576-17-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/2988-7-0x000007FEFD150000-0x000007FEFD22B000-memory.dmp

Filesize
876KB

Download
memory/2988-10-0x000007FEFD150000-0x000007FEFD22B000-memory.dmp

Filesize
876KB

Download
memory/2988-9-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2988-8-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads