xworm | e7c799e5792a32c201e37cb394c494ad457dbc18f14c23d150f0a18b90962a53

General

Target

ратник бу виникс.exe
Size

64KB
MD5

ed79e4a37007d71cb42b006f28ec1200
SHA1

8a6d2d4847e6b48cb47c81db01594c28e1224e96
SHA256

e7c799e5792a32c201e37cb394c494ad457dbc18f14c23d150f0a18b90962a53
SHA512

8d516b2149686aad8637cbfa6a1aa2e8be9daae58f1245edb288b0ce890ba7da678b715bad56b76ccd5ad8cc9df3adc48511f1bfcd3e032da5847f5138efcb3c
SSDEEP

1536:SUqYXqi4M+5MkeMx9wA52pgGqdp5Mt9mCbCG7/CLChx0Xwi6dc8zSOQHk55:uK+5MkeMx9wA52Gp5a9xbCq/jh+XIHO0

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

main-although.gl.at.ply.gg:30970

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3664-1-0x0000000000100000-0x0000000000116000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2320	powershell.exe
4048	powershell.exe
2648	powershell.exe
4068	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ратник бу виникс.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ратник бу виникс.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ратник бу виникс.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4068	powershell.exe
4068	powershell.exe
2320	powershell.exe
2320	powershell.exe
4048	powershell.exe
4048	powershell.exe
2648	powershell.exe
2648	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	ратник бу виникс.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	3664	ратник бу виникс.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 4068	3664	ратник бу виникс.exe	91
PID 3664 wrote to memory of 4068	3664	ратник бу виникс.exe	91
PID 3664 wrote to memory of 2320	3664	ратник бу виникс.exe	94
PID 3664 wrote to memory of 2320	3664	ратник бу виникс.exe	94
PID 3664 wrote to memory of 4048	3664	ратник бу виникс.exe	96
PID 3664 wrote to memory of 4048	3664	ратник бу виникс.exe	96
PID 3664 wrote to memory of 2648	3664	ратник бу виникс.exe	98
PID 3664 wrote to memory of 2648	3664	ратник бу виникс.exe	98

C:\Users\Admin\AppData\Local\Temp\ратник бу виникс.exe
"C:\Users\Admin\AppData\Local\Temp\ратник бу виникс.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ратник бу виникс.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ратник бу виникс.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a7e7cfd43d30bcc61251a5a230d79a7c

SHA1
0d5c054cc7a8a11b102ba68635e306799897ce28

SHA256
063bb7675f043bb4c1d78d5dc04801560331b0e430e7579d3a535740c539590f

SHA512
1fd8d7924a249fb3200dad3d5d9eda04b33f01bbb25579e71d541d6be97b0467338a28b0a8948223e357d6bf6b851f9fd9a2c38026002307ccf7a973f7ecbe83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4b451bfff41491fbb65db7899b220e6e

SHA1
a80f200d4fa07d163f77edaf76ca88a13ae8b92e

SHA256
2460aaf397f756acea0d527e928a2633b6e947ce02a363cbb2288ec7dafd7e6b

SHA512
4e01c3bb07259f5e93ad6a98f97aaf20b32bc00d306bec76b235a0dbabc66cb29aebe568265dd3b44c9ad0fe31d2230029e88700498bb819b9ae22f2acd4b2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
110b59ca4d00786d0bde151d21865049

SHA1
557e730d93fdf944a0cad874022df1895fb5b2e2

SHA256
77f69011c214ea5a01fd2035d781914c4893aee66d784deadc22179eadfdf77f

SHA512
cb55ac6eca50f4427718bace861679c88b2fdfea94d30209e8d61ca73a6ce9f8c4b5334922d2660a829b0636d20cbdf3bae1497c920e604efe6c636019feb10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pdre0113.0hx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3664-0-0x00007FFC1FA03000-0x00007FFC1FA05000-memory.dmp

Filesize
8KB

Download
memory/3664-2-0x00007FFC1FA00000-0x00007FFC204C1000-memory.dmp

Filesize
10.8MB

Download
memory/3664-1-0x0000000000100000-0x0000000000116000-memory.dmp

Filesize
88KB

Download
memory/3664-57-0x00007FFC1FA03000-0x00007FFC1FA05000-memory.dmp

Filesize
8KB

Download
memory/3664-58-0x00007FFC1FA00000-0x00007FFC204C1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-13-0x00007FFC1FA00000-0x00007FFC204C1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-14-0x00007FFC1FA00000-0x00007FFC204C1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-15-0x00007FFC1FA00000-0x00007FFC204C1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-18-0x00007FFC1FA00000-0x00007FFC204C1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-12-0x000001BE1DCA0000-0x000001BE1DCC2000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing