xworm | d4c990c378fac48ea03b65c09c3ee495f691da21784b8066172e8c573b8ce8b0

General

Target

Проверка.exe
Size

73KB
MD5

30cc24470e68d13c41b59711f0044522
SHA1

8ff05b533a3bef46c6c11bd1a2bdfcaf581c150f
SHA256

d4c990c378fac48ea03b65c09c3ee495f691da21784b8066172e8c573b8ce8b0
SHA512

a37918d3249f743b27bfe9c2dcb99e9d5dd7768953f0db35ef23ace58394f08733f30436a605650e7305c26d462c6ff964136b55919abd0ebc3638b9b374f993
SSDEEP

1536:bOyUUsYqdjAKcwqIuw5AebuT3PZVfslH+6qh6ezlOGwXf5M:fujBuAbuT3eU6qlO/P5M

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:23386

cameras-happen.gl.at.ply.gg:23386

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5072-0-0x0000000000820000-0x0000000000838000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1120 powershell.exe
1548 powershell.exe
2904 powershell.exe
2464 powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Проверка.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Проверка.exe

Drops startup file 2 IoCs

Processes:

Проверка.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Проверка.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Проверка.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
3	ip-api.com

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Проверка.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5072	Проверка.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	5072	Проверка.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Проверка.exe

description	pid	process	target process
PID 5072 wrote to memory of 1120	5072	Проверка.exe	powershell.exe
PID 5072 wrote to memory of 1120	5072	Проверка.exe	powershell.exe
PID 5072 wrote to memory of 1548	5072	Проверка.exe	powershell.exe
PID 5072 wrote to memory of 1548	5072	Проверка.exe	powershell.exe
PID 5072 wrote to memory of 2904	5072	Проверка.exe	powershell.exe
PID 5072 wrote to memory of 2904	5072	Проверка.exe	powershell.exe
PID 5072 wrote to memory of 2464	5072	Проверка.exe	powershell.exe
PID 5072 wrote to memory of 2464	5072	Проверка.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Проверка.exe
"C:\Users\Admin\AppData\Local\Temp\Проверка.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Проверка.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Проверка.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:4980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
09c38bf09493920e93b25f37f1ae4efe

SHA1
42e5d800056f08481870c4ca2d0d48181ca8edc8

SHA256
37874b332a80efcccee52825b3d71d1faaae3820e09b47c3f161628bf35cc255

SHA512
91eacaafc2cd9f80338302d6b3cc3a1aa957752f63a449fb2c1ebcac2bcc59fd8624d4e042c488b5fbe73b881da86c9de819d500de8c7eb6bc0d3951a2bf9123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d22d90563c4f6cc8a57bace873aa4f97

SHA1
fb3d2c2be8f7ed986304bffd0ebb6f3223c574c5

SHA256
94702f9806e6e649e739a0f3eb9c3bb7bdf2f90c3b37c1c1c5b9ab9eceb0aa2f

SHA512
8188e7bd2bce34592e233cc0965ea654cb6b78969b867446d0e230b3d0243da4d9b135c5da72f3ea95ea7361d64e43db094ca06cc7957e339e7307c05f6181d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y31uzsmq.5ep.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1120-19-0x00007FF842860000-0x00007FF843321000-memory.dmp

Filesize
10.8MB

Download
memory/1120-14-0x00007FF842860000-0x00007FF843321000-memory.dmp

Filesize
10.8MB

Download
memory/1120-15-0x000002E0745A0000-0x000002E0745C2000-memory.dmp

Filesize
136KB

Download
memory/1120-16-0x00007FF842860000-0x00007FF843321000-memory.dmp

Filesize
10.8MB

Download
memory/1120-13-0x00007FF842860000-0x00007FF843321000-memory.dmp

Filesize
10.8MB

Download
memory/5072-0-0x0000000000820000-0x0000000000838000-memory.dmp

Filesize
96KB

Download
memory/5072-3-0x000000001C340000-0x000000001C442000-memory.dmp

Filesize
1.0MB

Download
memory/5072-2-0x00007FF842860000-0x00007FF843321000-memory.dmp

Filesize
10.8MB

Download
memory/5072-1-0x00007FF842863000-0x00007FF842865000-memory.dmp

Filesize
8KB

Download
memory/5072-59-0x00007FF842860000-0x00007FF843321000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads