xworm | baa8ace81d5e51f20fea99bf6b8de26c594a2011b670883304e085e5a9847eb2

Analysis

max time kernel
133s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-08-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

80KB
MD5

bfa950b37b6a4f8de71af861e677a8b4
SHA1

2ee40bfbf2964d92c82256e5924169295dfdd225
SHA256

07f94f8f6061ba95899914496edc5854aa810de56797d9004875276d60e21ade
SHA512

235b514fac01b24edaef3aeb4209676789b6ba9264a8798cb7ae48c26d2455cdd8f254e92bbba688535acb69fd77b3c0a0a549cf97ece84c235cc74f72234e1a
SSDEEP

1536:EI5NuEGJkEtydWqZQSp1eS+b59gxzhfxdl/5m6qeo//3Oy/4IK4Dax5:Eg1GhtktQGAS+b59cJ4eA/OlINDab

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

full-self.gl.at.ply.gg:45212

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4540-0-0x00000000002A0000-0x00000000002BA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4428	powershell.exe
2472	powershell.exe
4364	powershell.exe
1180	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1148	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4428	powershell.exe
4428	powershell.exe
4428	powershell.exe
2472	powershell.exe
2472	powershell.exe
2472	powershell.exe
4364	powershell.exe
4364	powershell.exe
4364	powershell.exe
1180	powershell.exe
1180	powershell.exe
1180	powershell.exe
4540	XClient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	XClient.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeIncreaseQuotaPrivilege	4428	powershell.exe
Token: SeSecurityPrivilege	4428	powershell.exe
Token: SeTakeOwnershipPrivilege	4428	powershell.exe
Token: SeLoadDriverPrivilege	4428	powershell.exe
Token: SeSystemProfilePrivilege	4428	powershell.exe
Token: SeSystemtimePrivilege	4428	powershell.exe
Token: SeProfSingleProcessPrivilege	4428	powershell.exe
Token: SeIncBasePriorityPrivilege	4428	powershell.exe
Token: SeCreatePagefilePrivilege	4428	powershell.exe
Token: SeBackupPrivilege	4428	powershell.exe
Token: SeRestorePrivilege	4428	powershell.exe
Token: SeShutdownPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeSystemEnvironmentPrivilege	4428	powershell.exe
Token: SeRemoteShutdownPrivilege	4428	powershell.exe
Token: SeUndockPrivilege	4428	powershell.exe
Token: SeManageVolumePrivilege	4428	powershell.exe
Token: 33	4428	powershell.exe
Token: 34	4428	powershell.exe
Token: 35	4428	powershell.exe
Token: 36	4428	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeIncreaseQuotaPrivilege	2472	powershell.exe
Token: SeSecurityPrivilege	2472	powershell.exe
Token: SeTakeOwnershipPrivilege	2472	powershell.exe
Token: SeLoadDriverPrivilege	2472	powershell.exe
Token: SeSystemProfilePrivilege	2472	powershell.exe
Token: SeSystemtimePrivilege	2472	powershell.exe
Token: SeProfSingleProcessPrivilege	2472	powershell.exe
Token: SeIncBasePriorityPrivilege	2472	powershell.exe
Token: SeCreatePagefilePrivilege	2472	powershell.exe
Token: SeBackupPrivilege	2472	powershell.exe
Token: SeRestorePrivilege	2472	powershell.exe
Token: SeShutdownPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeSystemEnvironmentPrivilege	2472	powershell.exe
Token: SeRemoteShutdownPrivilege	2472	powershell.exe
Token: SeUndockPrivilege	2472	powershell.exe
Token: SeManageVolumePrivilege	2472	powershell.exe
Token: 33	2472	powershell.exe
Token: 34	2472	powershell.exe
Token: 35	2472	powershell.exe
Token: 36	2472	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeIncreaseQuotaPrivilege	4364	powershell.exe
Token: SeSecurityPrivilege	4364	powershell.exe
Token: SeTakeOwnershipPrivilege	4364	powershell.exe
Token: SeLoadDriverPrivilege	4364	powershell.exe
Token: SeSystemProfilePrivilege	4364	powershell.exe
Token: SeSystemtimePrivilege	4364	powershell.exe
Token: SeProfSingleProcessPrivilege	4364	powershell.exe
Token: SeIncBasePriorityPrivilege	4364	powershell.exe
Token: SeCreatePagefilePrivilege	4364	powershell.exe
Token: SeBackupPrivilege	4364	powershell.exe
Token: SeRestorePrivilege	4364	powershell.exe
Token: SeShutdownPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeSystemEnvironmentPrivilege	4364	powershell.exe
Token: SeRemoteShutdownPrivilege	4364	powershell.exe
Token: SeUndockPrivilege	4364	powershell.exe
Token: SeManageVolumePrivilege	4364	powershell.exe
Token: 33	4364	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4540	XClient.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4428	4540	XClient.exe	73
PID 4540 wrote to memory of 4428	4540	XClient.exe	73
PID 4540 wrote to memory of 2472	4540	XClient.exe	76
PID 4540 wrote to memory of 2472	4540	XClient.exe	76
PID 4540 wrote to memory of 4364	4540	XClient.exe	78
PID 4540 wrote to memory of 4364	4540	XClient.exe	78
PID 4540 wrote to memory of 1180	4540	XClient.exe	80
PID 4540 wrote to memory of 1180	4540	XClient.exe	80
PID 4540 wrote to memory of 2388	4540	XClient.exe	83
PID 4540 wrote to memory of 2388	4540	XClient.exe	83
PID 2388 wrote to memory of 1148	2388	cmd.exe	85
PID 2388 wrote to memory of 1148	2388	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF3A7.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9e3de2a7ef8ff5b7dbd3f6fc5d1092a3

SHA1
9f54fe06ff384e3219c763c1da34d38f1e12d1b3

SHA256
96c020d91efc07945747a364624f5861eb9a54dd4b92d771f5568a5f833f8acf

SHA512
09367fdc1e246d8f93194d56cdc7e42168ebd47c6e5221b71db4ada8fe074c18d0c344519be783f0336e4ec5ecfcb418baa7ee4fc8748b83d738ab3599e15537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c3ac6a9ce9f30b6488d1a4e4314762a2

SHA1
00b82255048009027aaea0481c4881994012361a

SHA256
42d8047c5bd690bbcb0c9e7dd8e5736c80d878743c19bf94ba298969f14083b4

SHA512
06fb1691c5f200686946972fabe8b23651809680871b8ffad901d8399486fd2178a5b49864d467b7ec36a1d48aa18503a5d561d1bbec6ff5d211fa8412f9c217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
74131166c1059cdb42f84af37ec6311f

SHA1
77f0851de6b07f8be0b841148c6e8a665d119762

SHA256
d8d3588cab2c687fc7b53facedcb3e4f44234689d29c79a9876ad4f9138306f5

SHA512
8efb888d92ecf674903f79040ecc680b98b995141c0b5a28e41bd0d9ecee4dad1d35bbccad90162a5d11d2adc4f775e4985c151a1c180f631e1b78ab1e8af883

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1picfxsn.opz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3A7.tmp.bat

Filesize
159B

MD5
03ab889e730c30d78b6c7261ddc1b5d9

SHA1
132216d672373f4c537c82b29c650da202f17905

SHA256
9aa06c16f6bdc34a824384440c02aaa1e0ac6f96a3ca5540f2b3bfdc11450cb7

SHA512
722422c0f23824f998a573fb119ac7de3b1e979f8ae2a9299b870480c5023ef09c7040cf72f92df22ca692828c9e285cb43be047014ab9e1efd5ac6a640c6b0f

Download Submit
memory/4428-10-0x000001ED57E20000-0x000001ED57E96000-memory.dmp

Filesize
472KB

Download
memory/4428-20-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

Filesize
9.9MB

Download
memory/4428-25-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

Filesize
9.9MB

Download
memory/4428-51-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

Filesize
9.9MB

Download
memory/4428-11-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

Filesize
9.9MB

Download
memory/4428-9-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

Filesize
9.9MB

Download
memory/4428-6-0x000001ED3F6A0000-0x000001ED3F6C2000-memory.dmp

Filesize
136KB

Download
memory/4540-0-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/4540-183-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

Filesize
9.9MB

Download
memory/4540-184-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

Filesize
9.9MB

Download
memory/4540-1-0x00007FFCC3B93000-0x00007FFCC3B94000-memory.dmp

Filesize
4KB

Download
memory/4540-190-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

Filesize
9.9MB

Download