xworm | a68ced618573f390a8f0d4000271e5700dc876688ac326d241ec94ac865c9da5

General

Target

XClient.exe
Size

69KB
MD5

0c61da524872606bc42941764c79c919
SHA1

3f49cb2bfd22a39d3a0f52e97a0d91268c4117a6
SHA256

a68ced618573f390a8f0d4000271e5700dc876688ac326d241ec94ac865c9da5
SHA512

0166aae065bcd242c62828abfb2a43f65c8aa25baeab9867c1c1985b1379267653e3d7e86ed052cf82256f7bdf08d02ad9dc2c4009aef86cead1a145cf8c6407
SSDEEP

1536:bEMvp5a3ggGCZ5DstPmFBOc6b7cKC0bymta64/pObjf5U:bIPqtPbb7cpyymG/pObD5U

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

cameras-happen.gl.at.ply.gg:23386

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2144-1-0x00000000009A0000-0x00000000009B8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2052 powershell.exe
2576 powershell.exe
2924 powershell.exe
2668 powershell.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

860 cmd.exe

pid	process
2052	powershell.exe
2576	powershell.exe
2924	powershell.exe
2668	powershell.exe

pid	process
860	cmd.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2256 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2052 powershell.exe
2576 powershell.exe
2924 powershell.exe
2668 powershell.exe

flow	ioc
4	ip-api.com

pid	process
2256	timeout.exe

pid	process
2052	powershell.exe
2576	powershell.exe
2924	powershell.exe
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2144	XClient.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2144	XClient.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

XClient.execmd.exe

description	pid	process	target process
PID 2144 wrote to memory of 2052	2144	XClient.exe	powershell.exe
PID 2144 wrote to memory of 2052	2144	XClient.exe	powershell.exe
PID 2144 wrote to memory of 2052	2144	XClient.exe	powershell.exe
PID 2144 wrote to memory of 2576	2144	XClient.exe	powershell.exe
PID 2144 wrote to memory of 2576	2144	XClient.exe	powershell.exe
PID 2144 wrote to memory of 2576	2144	XClient.exe	powershell.exe
PID 2144 wrote to memory of 2924	2144	XClient.exe	powershell.exe
PID 2144 wrote to memory of 2924	2144	XClient.exe	powershell.exe
PID 2144 wrote to memory of 2924	2144	XClient.exe	powershell.exe
PID 2144 wrote to memory of 2668	2144	XClient.exe	powershell.exe
PID 2144 wrote to memory of 2668	2144	XClient.exe	powershell.exe
PID 2144 wrote to memory of 2668	2144	XClient.exe	powershell.exe
PID 2144 wrote to memory of 860	2144	XClient.exe	cmd.exe
PID 2144 wrote to memory of 860	2144	XClient.exe	cmd.exe
PID 2144 wrote to memory of 860	2144	XClient.exe	cmd.exe
PID 860 wrote to memory of 2256	860	cmd.exe	timeout.exe
PID 860 wrote to memory of 2256	860	cmd.exe	timeout.exe
PID 860 wrote to memory of 2256	860	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD401.tmp.bat""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD401.tmp.bat
Filesize
159B

MD5
447b7363a702e50d3d113b3ce91bba98

SHA1
05910e0889c776bc0f2da85105494fbf7a39b908

SHA256
67b1ff69c875d0b29c9c903a96884d602cd70d41f8fbf3c533002f4718df76f1

SHA512
74f25e11d3ac875f92c88eb97ad0f6672123242f8423277242a2cbf65c09f348b3804d7690c2a9e2cab86c3e16c4ebbe070799b6facb54d2bf17dded88aad7e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
58b408640cfbe3c890662bbb68a1702c

SHA1
6bdff520b273673b66a153f4e94a99ccf3f256c5

SHA256
a78ae2537d31a5e763be3101171dbb2aff60e79c9f54faf9d9669963e76b9a11

SHA512
fae8b2338333c3a1cedf45df5b5f28e53ee4263a313471d46f66ceb7c210c9a3aebfa4aa4127160a9b2ccb82ab1ef8b2cd0b71d3ce93f603674a449cbdec4fc3

Download Submit
memory/2052-7-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2052-8-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2052-9-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2144-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2144-2-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2144-31-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2144-32-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2144-33-0x000000001A8B0000-0x000000001A8BC000-memory.dmp

Filesize
48KB

Download
memory/2144-1-0x00000000009A0000-0x00000000009B8000-memory.dmp

Filesize
96KB

Download
memory/2144-45-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2576-15-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2576-16-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads