xworm | d56871854edc765cabbec4c94213e48018f06ac3e05ad688aeda733299b8c9e8

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

78KB
MD5

dcb1c6ea097c0b99326a533ef8dcb99c
SHA1

0c32ff7d84de2e561fdff0920e4dffefae2a6701
SHA256

d56871854edc765cabbec4c94213e48018f06ac3e05ad688aeda733299b8c9e8
SHA512

92f6d308aca63a7974ade9a8ebbfcb994ddccbc7e3da016fb94f99d39feb7802e4ab5c3efa7b94212e4d29477470852ea21c4c5a6a920b166f21fb2ef4d6e8a4
SSDEEP

1536:qUzKKr1fw6QryHIKyMLqp+WSpNUnFbBf8mDf86MsbwOAOpY97Dfs9ijlzGI:TKe7Q9RMLPvpUFbBUuFwO/q97DHjpGI

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

provides-reduces.gl.at.ply.gg:6197

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2784-1-0x00000000011F0000-0x000000000120A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2656	powershell.exe
2588	powershell.exe
2880	powershell.exe
2548	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
2232	afirlu.exe

Loads dropped DLL 1 IoCs

pid	Process
2784	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2220	vlc.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2656	powershell.exe
2588	powershell.exe
2880	powershell.exe
2548	powershell.exe
2784	XClient.exe
2232	afirlu.exe
2232	afirlu.exe
2232	afirlu.exe
2232	afirlu.exe
2232	afirlu.exe
2232	afirlu.exe
2232	afirlu.exe
2232	afirlu.exe
2232	afirlu.exe
2232	afirlu.exe
2232	afirlu.exe
2232	afirlu.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2220	vlc.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	XClient.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2784	XClient.exe
Token: 33	1556	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1556	AUDIODG.EXE
Token: 33	1556	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1556	AUDIODG.EXE
Token: 33	2220	vlc.exe
Token: SeIncBasePriorityPrivilege	2220	vlc.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2784	XClient.exe
2232	afirlu.exe
2220	vlc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2656	2784	XClient.exe	29
PID 2784 wrote to memory of 2656	2784	XClient.exe	29
PID 2784 wrote to memory of 2656	2784	XClient.exe	29
PID 2784 wrote to memory of 2588	2784	XClient.exe	31
PID 2784 wrote to memory of 2588	2784	XClient.exe	31
PID 2784 wrote to memory of 2588	2784	XClient.exe	31
PID 2784 wrote to memory of 2880	2784	XClient.exe	33
PID 2784 wrote to memory of 2880	2784	XClient.exe	33
PID 2784 wrote to memory of 2880	2784	XClient.exe	33
PID 2784 wrote to memory of 2548	2784	XClient.exe	35
PID 2784 wrote to memory of 2548	2784	XClient.exe	35
PID 2784 wrote to memory of 2548	2784	XClient.exe	35
PID 2784 wrote to memory of 2232	2784	XClient.exe	39
PID 2784 wrote to memory of 2232	2784	XClient.exe	39
PID 2784 wrote to memory of 2232	2784	XClient.exe	39
PID 2784 wrote to memory of 2220	2784	XClient.exe	42
PID 2784 wrote to memory of 2220	2784	XClient.exe	42
PID 2784 wrote to memory of 2220	2784	XClient.exe	42

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\afirlu.exe
  "C:\Users\Admin\AppData\Local\Temp\afirlu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2232
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\alnxlq.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x588
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\alnxlq.mp4

Filesize
477KB

MD5
f7354ae727a93ad5faaccfddb01e89ad

SHA1
bb995a04c5389e14e77f1c6221a29b1b43515c9f

SHA256
0376c3fc0723cca598a21d6ce53a7aeb9949ccc36c3ce2f15f7baa9abf099eaa

SHA512
ef5eb4a681a36e8e92790ac9cb2fd3df4a60a54e7450c119707dc7cc7a86d13b56935988d5e0ae638e242828d5be67903d7ad0becd621bfd8c0dc288a638227f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3718bc51fd9dc28feea7031d0f3fee15

SHA1
9663b58e8b8b925f56f629a7a7700541ae52ef4f

SHA256
ddbe6a7e2da6091dfa46f9f95fe5017e3fd73f8a5f8366c8764e379c0a322be3

SHA512
59902308616aa575821ce052b1eb3c09888bb23b8d440f250f1817396231f03baad49a880ff8378a65e3b0f527dad6ecb630cd53a5d050c399249ebaa150b3e6

Download Submit
\Users\Admin\AppData\Local\Temp\afirlu.exe

Filesize
8.6MB

MD5
9206b155aea722ee2f30ad90b0f2af01

SHA1
16699e08b05bf96bf84c372277532c98b2f0951c

SHA256
2dd2da56922514c37a0119ade975c78077d9d662c76e1908d46425d675f8ea23

SHA512
f2d08de1d7a8899ff996d5b3f9155001566bc694d8856571b1a7b406ca8530491aa396502e4c18ef4b3872136752a0288c383b18115c51c6f78c8b5acfae2978

Download Submit
memory/2220-104-0x000007FEEA720000-0x000007FEEA7A1000-memory.dmp

Filesize
516KB

Download
memory/2220-76-0x000007FEF1B60000-0x000007FEF1BC7000-memory.dmp

Filesize
412KB

Download
memory/2220-66-0x000007FEF1D90000-0x000007FEF1DCF000-memory.dmp

Filesize
252KB

Download
memory/2220-67-0x000007FEF1D60000-0x000007FEF1D81000-memory.dmp

Filesize
132KB

Download
memory/2220-68-0x000007FEF1D40000-0x000007FEF1D58000-memory.dmp

Filesize
96KB

Download
memory/2220-69-0x000007FEF1D20000-0x000007FEF1D31000-memory.dmp

Filesize
68KB

Download
memory/2220-70-0x000007FEF1D00000-0x000007FEF1D11000-memory.dmp

Filesize
68KB

Download
memory/2220-71-0x000007FEF1CE0000-0x000007FEF1CF1000-memory.dmp

Filesize
68KB

Download
memory/2220-65-0x000007FEED2D0000-0x000007FEEE37B000-memory.dmp

Filesize
16.7MB

Download
memory/2220-73-0x000007FEF1C20000-0x000007FEF1C31000-memory.dmp

Filesize
68KB

Download
memory/2220-74-0x000007FEF1C00000-0x000007FEF1C18000-memory.dmp

Filesize
96KB

Download
memory/2220-75-0x000007FEF1BD0000-0x000007FEF1C00000-memory.dmp

Filesize
192KB

Download
memory/2220-102-0x000007FEEA880000-0x000007FEEA8DD000-memory.dmp

Filesize
372KB

Download
memory/2220-55-0x000007FEF2F70000-0x000007FEF2FA4000-memory.dmp

Filesize
208KB

Download
memory/2220-54-0x000000013F930000-0x000000013FA28000-memory.dmp

Filesize
992KB

Download
memory/2220-58-0x000007FEF2E00000-0x000007FEF2E17000-memory.dmp

Filesize
92KB

Download
memory/2220-63-0x000007FEF1DD0000-0x000007FEF1DE1000-memory.dmp

Filesize
68KB

Download
memory/2220-56-0x000007FEEE580000-0x000007FEEE834000-memory.dmp

Filesize
2.7MB

Download
memory/2220-62-0x000007FEF24B0000-0x000007FEF24CD000-memory.dmp

Filesize
116KB

Download
memory/2220-61-0x000007FEF2990000-0x000007FEF29A1000-memory.dmp

Filesize
68KB

Download
memory/2220-60-0x000007FEF2DC0000-0x000007FEF2DD7000-memory.dmp

Filesize
92KB

Download
memory/2220-59-0x000007FEF2DE0000-0x000007FEF2DF1000-memory.dmp

Filesize
68KB

Download
memory/2220-57-0x000007FEF2E20000-0x000007FEF2E38000-memory.dmp

Filesize
96KB

Download
memory/2220-64-0x000007FEEE380000-0x000007FEEE580000-memory.dmp

Filesize
2.0MB

Download
memory/2220-72-0x000007FEF1CC0000-0x000007FEF1CDB000-memory.dmp

Filesize
108KB

Download
memory/2220-77-0x000007FEF1A40000-0x000007FEF1AAF000-memory.dmp

Filesize
444KB

Download
memory/2220-90-0x000007FEEB330000-0x000007FEEB346000-memory.dmp

Filesize
88KB

Download
memory/2220-101-0x000007FEEA8E0000-0x000007FEEA8F1000-memory.dmp

Filesize
68KB

Download
memory/2220-106-0x000007FEEA330000-0x000007FEEA37E000-memory.dmp

Filesize
312KB

Download
memory/2220-108-0x000007FEEA2A0000-0x000007FEEA2D4000-memory.dmp

Filesize
208KB

Download
memory/2220-107-0x000007FEEA2E0000-0x000007FEEA323000-memory.dmp

Filesize
268KB

Download
memory/2220-105-0x000007FEEA3A0000-0x000007FEEA3B1000-memory.dmp

Filesize
68KB

Download
memory/2220-78-0x000007FEF1B40000-0x000007FEF1B51000-memory.dmp

Filesize
68KB

Download
memory/2220-100-0x000007FEEADA0000-0x000007FEEADC3000-memory.dmp

Filesize
140KB

Download
memory/2220-79-0x000007FEEFFD0000-0x000007FEF0026000-memory.dmp

Filesize
344KB

Download
memory/2220-103-0x000007FEEA830000-0x000007FEEA877000-memory.dmp

Filesize
284KB

Download
memory/2220-99-0x000007FEEADD0000-0x000007FEEADE5000-memory.dmp

Filesize
84KB

Download
memory/2220-98-0x000007FEEAAD0000-0x000007FEEAC4A000-memory.dmp

Filesize
1.5MB

Download
memory/2220-97-0x000007FEEADF0000-0x000007FEEAE02000-memory.dmp

Filesize
72KB

Download
memory/2220-96-0x000007FEEAE10000-0x000007FEEAE21000-memory.dmp

Filesize
68KB

Download
memory/2220-95-0x000007FEEAE30000-0x000007FEEB04D000-memory.dmp

Filesize
2.1MB

Download
memory/2220-94-0x000007FEEB100000-0x000007FEEB16D000-memory.dmp

Filesize
436KB

Download
memory/2220-93-0x000007FEEB170000-0x000007FEEB1D2000-memory.dmp

Filesize
392KB

Download
memory/2220-92-0x000007FEEB1E0000-0x000007FEEB255000-memory.dmp

Filesize
468KB

Download
memory/2220-91-0x000007FEEB260000-0x000007FEEB325000-memory.dmp

Filesize
788KB

Download
memory/2220-89-0x000007FEEB350000-0x000007FEEB361000-memory.dmp

Filesize
68KB

Download
memory/2220-88-0x000007FEEFFA0000-0x000007FEEFFCF000-memory.dmp

Filesize
188KB

Download
memory/2220-87-0x000007FEFB060000-0x000007FEFB070000-memory.dmp

Filesize
64KB

Download
memory/2220-86-0x000007FEECDD0000-0x000007FEECF3B000-memory.dmp

Filesize
1.4MB

Download
memory/2220-85-0x000007FEECF40000-0x000007FEECF8C000-memory.dmp

Filesize
304KB

Download
memory/2220-84-0x000007FEECF90000-0x000007FEECFD2000-memory.dmp

Filesize
264KB

Download
memory/2220-83-0x000007FEF1B00000-0x000007FEF1B12000-memory.dmp

Filesize
72KB

Download
memory/2220-82-0x000007FEECFE0000-0x000007FEED150000-memory.dmp

Filesize
1.4MB

Download
memory/2220-81-0x000007FEF1B20000-0x000007FEF1B37000-memory.dmp

Filesize
92KB

Download
memory/2220-80-0x000007FEED150000-0x000007FEED2C8000-memory.dmp

Filesize
1.5MB

Download
memory/2588-16-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2588-15-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2656-8-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2656-7-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2656-9-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2784-0-0x000007FEF6083000-0x000007FEF6084000-memory.dmp

Filesize
4KB

Download
memory/2784-33-0x0000000000D50000-0x0000000000D5C000-memory.dmp

Filesize
48KB

Download
memory/2784-44-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/2784-32-0x000007FEF6083000-0x000007FEF6084000-memory.dmp

Filesize
4KB

Download
memory/2784-2-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2784-46-0x000000001A610000-0x000000001A69E000-memory.dmp

Filesize
568KB

Download
memory/2784-34-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2784-1-0x00000000011F0000-0x000000000120A000-memory.dmp

Filesize
104KB

Download