xworm | d7d0c2631a0b521fb3e0bd438bc6039672c9892d305e0219bf48daa6fa304336

General

Target

InspectedSetupFreeV1.3.exe
Size

100KB
MD5

32fc084c514fdd90340e84c95dd1b1d0
SHA1

c216536523a116d7797211f82f46b7c736871962
SHA256

d7d0c2631a0b521fb3e0bd438bc6039672c9892d305e0219bf48daa6fa304336
SHA512

a254b4048e11c95fd4676eb976901805c2ca82adb7caaac5ec0d83e089394a2abb04d109c3c95aee9a4500dded124c3e999cf31e57758f5c59b070a432c1eae3
SSDEEP

3072:z0GvrRmy5wl9za2BL905Ft1zcYQ9jmoUZ:IGvr5wlFp9059zcYQY

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

Valdemar-21441.portmap.host:21441

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023483-6.dat	family_xworm
behavioral2/memory/2428-15-0x00000000003B0000-0x00000000003CC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2696	powershell.exe
3720	powershell.exe
2760	powershell.exe
4796	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	FreeInspectedSetupV1.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	InspectedSetupFreeV1.3.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	FreeInspectedSetupV1.3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	FreeInspectedSetupV1.3.exe

Executes dropped EXE 2 IoCs

pid	Process
2428	FreeInspectedSetupV1.3.exe
1924	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	FreeInspectedSetupV1.3.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	InspectedSetupFreeV1.3.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4764	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3564	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2428	FreeInspectedSetupV1.3.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4796	powershell.exe
4796	powershell.exe
2696	powershell.exe
2696	powershell.exe
3720	powershell.exe
3720	powershell.exe
2760	powershell.exe
2760	powershell.exe
2428	FreeInspectedSetupV1.3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4792	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	FreeInspectedSetupV1.3.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2428	FreeInspectedSetupV1.3.exe
Token: SeDebugPrivilege	1924	XClient.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
4792	OpenWith.exe
2428	FreeInspectedSetupV1.3.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2428	2396	InspectedSetupFreeV1.3.exe	87
PID 2396 wrote to memory of 2428	2396	InspectedSetupFreeV1.3.exe	87
PID 2428 wrote to memory of 4796	2428	FreeInspectedSetupV1.3.exe	94
PID 2428 wrote to memory of 4796	2428	FreeInspectedSetupV1.3.exe	94
PID 2428 wrote to memory of 2696	2428	FreeInspectedSetupV1.3.exe	96
PID 2428 wrote to memory of 2696	2428	FreeInspectedSetupV1.3.exe	96
PID 2428 wrote to memory of 3720	2428	FreeInspectedSetupV1.3.exe	98
PID 2428 wrote to memory of 3720	2428	FreeInspectedSetupV1.3.exe	98
PID 2428 wrote to memory of 2760	2428	FreeInspectedSetupV1.3.exe	101
PID 2428 wrote to memory of 2760	2428	FreeInspectedSetupV1.3.exe	101
PID 2428 wrote to memory of 3564	2428	FreeInspectedSetupV1.3.exe	103
PID 2428 wrote to memory of 3564	2428	FreeInspectedSetupV1.3.exe	103
PID 4792 wrote to memory of 4764	4792	OpenWith.exe	109
PID 4792 wrote to memory of 4764	4792	OpenWith.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\InspectedSetupFreeV1.3.exe
"C:\Users\Admin\AppData\Local\Temp\InspectedSetupFreeV1.3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Roaming\FreeInspectedSetupV1.3.exe
  "C:\Users\Admin\AppData\Roaming\FreeInspectedSetupV1.3.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\FreeInspectedSetupV1.3.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FreeInspectedSetupV1.3.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\INSPECTEDfree.py
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4764

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
380007fbdf9fef355db2afd71fce9cd1

SHA1
e98802ef10fac8ef96a3210930784c317ca76fa0

SHA256
6353a11014d2c1495ac7a5efef195d06d8e8b30a163c437263361deb5a28de03

SHA512
9790c6b4c16ed4f4e6cddf492d01a6b4963e20bde6ddf40017db20ffc672b0cfaea2ad6aebcb51e8e459682974be0d024b35546aad840051a1e9fe2d3e565bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m5srtrk3.gw3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\FreeInspectedSetupV1.3.exe

Filesize
84KB

MD5
8c00a8c46310ee271e576695f6cafb6b

SHA1
34b7cd31b3f93ae18ad6d9c3fb8a2e7936a0cd42

SHA256
d175d2e76884e1b7fd54372240887f05816e5dacc6d45fdefd377eb6fe6f8a64

SHA512
5334758f59968f02e2ecda3d481e3596a34adee5bd059ef5cf483e546e14729654c4398b1e5ec8ac452803be31a513e2b88bd76995d4badf5869fea3bb363f46

Download Submit
C:\Users\Admin\AppData\Roaming\INSPECTEDfree.py

Filesize
6KB

MD5
8e7c31442c74161f512d84d8eaa53bec

SHA1
7f3e23999f9266420006c92913d3e8bf97f388e1

SHA256
b318ea280d72d060c0d12a279d964f46a52db202870b47f32ba41a5f046169c2

SHA512
0acf6f412345a82cbcbe4da79fc040b0d2f4af9b2beae2ad19a37b75645e60ebceac8f1aa548baf6ecef3d337686e705934ca820fdc15d160b3ff3d7836227fc

Download Submit
memory/2396-0-0x00007FFD14463000-0x00007FFD14465000-memory.dmp

Filesize
8KB

Download
memory/2396-1-0x00000000002E0000-0x0000000000300000-memory.dmp

Filesize
128KB

Download
memory/2428-18-0x00007FFD14460000-0x00007FFD14F21000-memory.dmp

Filesize
10.8MB

Download
memory/2428-16-0x00007FFD14460000-0x00007FFD14F21000-memory.dmp

Filesize
10.8MB

Download
memory/2428-15-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2428-70-0x00007FFD14460000-0x00007FFD14F21000-memory.dmp

Filesize
10.8MB

Download
memory/2428-71-0x00007FFD14460000-0x00007FFD14F21000-memory.dmp

Filesize
10.8MB

Download
memory/4796-28-0x000001B12E880000-0x000001B12E8A2000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads