xworm | 6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

max time kernel
136s
max time network
146s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

писька чит.exe
Size

71KB
MD5

ed3794861ddc34b4748ff8081e80cb2b
SHA1

e63cf084552f0c2803de0109e3d2fcd3102c4738
SHA256

6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f
SHA512

df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03
SSDEEP

1536:EYB+O1NIBlJ4wlA0B4GI0b0xEPdB8QlOrIXt6fT+S1va+OuPyGV54:EOgQwlRB4wb0xEFBdMIk+S19OuaGV54

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

main-although.gl.at.ply.gg:30970

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1672-1-0x0000000000CA0000-0x0000000000CB8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3032	powershell.exe
2724	powershell.exe
2632	powershell.exe
976	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe

Executes dropped EXE 1 IoCs

pid	Process
2252	raclif.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raclif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3032	powershell.exe
2724	powershell.exe
2632	powershell.exe
976	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	писька чит.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1672	писька чит.exe
Token: 33	2020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2020	AUDIODG.EXE
Token: 33	2020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2020	AUDIODG.EXE
Token: 33	1324	WScript.exe
Token: SeIncBasePriorityPrivilege	1324	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 3032	1672	писька чит.exe	31
PID 1672 wrote to memory of 3032	1672	писька чит.exe	31
PID 1672 wrote to memory of 3032	1672	писька чит.exe	31
PID 1672 wrote to memory of 2724	1672	писька чит.exe	33
PID 1672 wrote to memory of 2724	1672	писька чит.exe	33
PID 1672 wrote to memory of 2724	1672	писька чит.exe	33
PID 1672 wrote to memory of 2632	1672	писька чит.exe	35
PID 1672 wrote to memory of 2632	1672	писька чит.exe	35
PID 1672 wrote to memory of 2632	1672	писька чит.exe	35
PID 1672 wrote to memory of 976	1672	писька чит.exe	37
PID 1672 wrote to memory of 976	1672	писька чит.exe	37
PID 1672 wrote to memory of 976	1672	писька чит.exe	37
PID 1672 wrote to memory of 2252	1672	писька чит.exe	39
PID 1672 wrote to memory of 2252	1672	писька чит.exe	39
PID 1672 wrote to memory of 2252	1672	писька чит.exe	39
PID 1672 wrote to memory of 2252	1672	писька чит.exe	39
PID 2252 wrote to memory of 1324	2252	raclif.exe	40
PID 2252 wrote to memory of 1324	2252	raclif.exe	40
PID 2252 wrote to memory of 1324	2252	raclif.exe	40
PID 2252 wrote to memory of 1324	2252	raclif.exe	40

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Users\Admin\AppData\Local\Temp\raclif.exe
  "C:\Users\Admin\AppData\Local\Temp\raclif.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\gadenez.mp3

Filesize
302KB

MD5
40aa171b2c2424aef9c8ceb7f73fd74a

SHA1
63443c841bdcdcbfe973f72a5a6151eca472c152

SHA256
1c103b98ffdf9bc81921a6149d34ca0c0deac92ca978fb335a6bb1c171d06fd1

SHA512
2e5febadde6ddf91da6b3cf001a361070b638adb8cfcda656dfbed02839a627f995a0366f701f9816468a13b55bb5a39c8b0463beb34a38650ad6213655f2d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs

Filesize
238B

MD5
87fa26f6b7378cb4ae7008410230830d

SHA1
f4dca2ee4647b1ec7345d22d38e8a9c4a42f8a52

SHA256
20487cb6e13bc037127a4b81d48c1bd56f6f0d93eab87d9b9710d6f305d9e06b

SHA512
670e097854fcfe0a98fb8669eef166bda62d463353ac5bca80c8c40a56750298736234b5271d5922266d5038f0d048b24151c72aea9c75c39ebe62461bbcb07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\raclif.exe

Filesize
614KB

MD5
5f6789a373c64653906f8ee0bf1d1af4

SHA1
b3e5a250f6c3424f0e3bb0b2a8c22c4b407a6da1

SHA256
6f065bb112e187a614117f70bad5b5eff47e05a63f93c7e68e1c6bb4a382f68b

SHA512
5b997f009f047fddbba47ce33cca4392e3ce11d5f3fade822c18bf9bfd58dd4d4f246c80f8a153867c3fe9bb3bf8c22c03d93956af5949d4cd76c65bfe2f3ec7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
32246ac7af7404a8b38f0eaf74b3df00

SHA1
c25580d3adc3a376a1bd5079e63c58f1c27a5381

SHA256
ec4788db439c2053500841d14bfbfbe7a73152e33b1ca5bbcb79a99fee2ebf20

SHA512
4a97623e55217910f028e68d77c5231391ffe1765b0545a9467489b1229b167e2bf6878eb81bd5ac505fcca69cea2fddf91b73f9b218841653d7fa116edd8c98

Download Submit
memory/1672-31-0x000007FEF63B3000-0x000007FEF63B4000-memory.dmp

Filesize
4KB

Download
memory/1672-0-0x000007FEF63B3000-0x000007FEF63B4000-memory.dmp

Filesize
4KB

Download
memory/1672-32-0x000007FEF63B0000-0x000007FEF6D9C000-memory.dmp

Filesize
9.9MB

Download
memory/1672-33-0x0000000002240000-0x000000000224C000-memory.dmp

Filesize
48KB

Download
memory/1672-2-0x000007FEF63B0000-0x000007FEF6D9C000-memory.dmp

Filesize
9.9MB

Download
memory/1672-1-0x0000000000CA0000-0x0000000000CB8000-memory.dmp

Filesize
96KB

Download
memory/2724-15-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2724-16-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/3032-9-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/3032-8-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/3032-7-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download