xworm | 6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

max time kernel
32s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 19:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

писька чит.exe
Size

71KB
MD5

ed3794861ddc34b4748ff8081e80cb2b
SHA1

e63cf084552f0c2803de0109e3d2fcd3102c4738
SHA256

6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f
SHA512

df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03
SSDEEP

1536:EYB+O1NIBlJ4wlA0B4GI0b0xEPdB8QlOrIXt6fT+S1va+OuPyGV54:EOgQwlRB4wb0xEFBdMIk+S19OuaGV54

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

main-although.gl.at.ply.gg:30970

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral3/memory/3692-1-0x0000000000D40000-0x0000000000D58000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe
2292	powershell.exe
2388	powershell.exe
4336	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	писька чит.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "74"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3048	powershell.exe
3048	powershell.exe
2292	powershell.exe
2292	powershell.exe
2388	powershell.exe
2388	powershell.exe
4336	powershell.exe
4336	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	писька чит.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	3692	писька чит.exe
Token: SeShutdownPrivilege	3860	shutdown.exe
Token: SeRemoteShutdownPrivilege	3860	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1264	LogonUI.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 3048	3692	писька чит.exe	91
PID 3692 wrote to memory of 3048	3692	писька чит.exe	91
PID 3692 wrote to memory of 2292	3692	писька чит.exe	94
PID 3692 wrote to memory of 2292	3692	писька чит.exe	94
PID 3692 wrote to memory of 2388	3692	писька чит.exe	96
PID 3692 wrote to memory of 2388	3692	писька чит.exe	96
PID 3692 wrote to memory of 4336	3692	писька чит.exe	98
PID 3692 wrote to memory of 4336	3692	писька чит.exe	98
PID 3692 wrote to memory of 3860	3692	писька чит.exe	102
PID 3692 wrote to memory of 3860	3692	писька чит.exe	102

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\SYSTEM32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3860

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3944055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c5e63e6a42853ae8cc6b5f8136f75d56

SHA1
b2af8979de738f2a696bcdcf08ed9891acdb5304

SHA256
635f9f9b4f1282bbab5781af64c631732fb31dfbe0382aeb466b2d4e0783efa1

SHA512
97145f6ab55fdbbb6a7bdd5b025ac2958e5f81024dbe99f9ebb9dd9bcd15686dbb5967642291984005f016f70c9c5e42df25c7e956e7ccfde12eddc7c09b79b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
120c6c9af4de2accfcff2ed8c3aab1af

SHA1
504f64ae4ac9c4fe308a6a50be24fe464f3dad95

SHA256
461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222

SHA512
041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbzd4ph4.3jp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3048-4-0x00007FFFAA8E0000-0x00007FFFAB3A1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-14-0x00000187B7610000-0x00000187B7632000-memory.dmp

Filesize
136KB

Download
memory/3048-15-0x00007FFFAA8E0000-0x00007FFFAB3A1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-18-0x00007FFFAA8E0000-0x00007FFFAB3A1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-3-0x00007FFFAA8E0000-0x00007FFFAB3A1000-memory.dmp

Filesize
10.8MB

Download
memory/3692-0-0x00007FFFAA8E3000-0x00007FFFAA8E5000-memory.dmp

Filesize
8KB

Download
memory/3692-2-0x00007FFFAA8E0000-0x00007FFFAB3A1000-memory.dmp

Filesize
10.8MB

Download
memory/3692-1-0x0000000000D40000-0x0000000000D58000-memory.dmp

Filesize
96KB

Download
memory/3692-57-0x00007FFFAA8E3000-0x00007FFFAA8E5000-memory.dmp

Filesize
8KB

Download
memory/3692-58-0x00007FFFAA8E0000-0x00007FFFAB3A1000-memory.dmp

Filesize
10.8MB

Download
memory/3692-59-0x00007FFFAA8E0000-0x00007FFFAB3A1000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis