xworm | 3d0566863a71c0bdd072c29413be5654bd922f4733192ee26fef5431208e8a30

General

Target

XClient.exe
Size

67KB
MD5

3f218b783946a9c9de51a2d04655eafa
SHA1

9ae1e92e8e90fba57ad56d52292a060e8bd2cfc2
SHA256

3d0566863a71c0bdd072c29413be5654bd922f4733192ee26fef5431208e8a30
SHA512

1da0d07bd2a9a7abfb552b79af4a3f6c3b6dd3746857ca6e8c9c574f90a843a012a26441ef995c52f13b8ba5d47b604eae03b384f6c822d3770e573f5bfa3596
SSDEEP

1536:LgQiUr6VzoA6ahdIf53B2XlP4b9GiTQHo603Uk9O5h2u56:LV65hdIx3wXlP4b9rTQ+3Uk9O5ou56

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

cameras-happen.gl.at.ply.gg:23386

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2164-1-0x0000000000DB0000-0x0000000000DC8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2784	powershell.exe
2692	powershell.exe
3052	powershell.exe
2720	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2784	powershell.exe
2692	powershell.exe
3052	powershell.exe
2720	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	XClient.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2164	XClient.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2784	2164	XClient.exe	29
PID 2164 wrote to memory of 2784	2164	XClient.exe	29
PID 2164 wrote to memory of 2784	2164	XClient.exe	29
PID 2164 wrote to memory of 2692	2164	XClient.exe	31
PID 2164 wrote to memory of 2692	2164	XClient.exe	31
PID 2164 wrote to memory of 2692	2164	XClient.exe	31
PID 2164 wrote to memory of 3052	2164	XClient.exe	33
PID 2164 wrote to memory of 3052	2164	XClient.exe	33
PID 2164 wrote to memory of 3052	2164	XClient.exe	33
PID 2164 wrote to memory of 2720	2164	XClient.exe	35
PID 2164 wrote to memory of 2720	2164	XClient.exe	35
PID 2164 wrote to memory of 2720	2164	XClient.exe	35

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a47f4d94ede02f8dfe3eb1b81d709d04

SHA1
f5f3b8c09f9445985c24f6c4bf55c77908e7d58c

SHA256
28099985b15cb9acd06e37247b1ddb9c295e311a77a754d70639d6544e13550c

SHA512
7683ad76ef297e710c095aa010c46f3e0343fdd08a28588d7b4925c7111bbc5f7cd555e88cc4ddaf71d94bc7613d741a6208481a6092a5381b618a061f9b602f

Download Submit
memory/2164-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2164-1-0x0000000000DB0000-0x0000000000DC8000-memory.dmp

Filesize
96KB

Download
memory/2164-2-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2164-3-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2164-32-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-16-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2692-17-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2784-8-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/2784-9-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2784-10-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing