xworm | 13e0f289871d5fdb46d212725c9b13d3ab9c5012480c7cf4dd3a6708f0c3c908

Resubmissions

04-08-2024 11:35

240804-nqcl8sycrd 10

Analysis

max time kernel
597s
max time network
857s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-08-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

61KB
MD5

d32248d4b7834bbe4310a9bac11968ee
SHA1

b4d455bcb0c49520cfaae79321ebd2e50bd60ec6
SHA256

13e0f289871d5fdb46d212725c9b13d3ab9c5012480c7cf4dd3a6708f0c3c908
SHA512

70d15f6c89705484523a68267fe9765a15c437f4384ddbfa922b8a52f82e94cb53673c415f68bb42df76d3326b95dbfa4b407a1913bb9cec536ebbb6863c5f50
SSDEEP

1536:zhlXi9DkMS27xQz1AOmfkbWzOhcRsUXjIOJHujn:zLy6MDu1xmkbWaalcOJH0

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

tree-cleaning.gl.at.ply.gg:33027

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2064-1-0x00000000009E0000-0x00000000009F6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 1 IoCs

pid	Process
2360	vxhqbm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vxhqbm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2812	timeout.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	XClient.exe
Token: 33	4424	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4424	AUDIODG.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2360	2064	XClient.exe	75
PID 2064 wrote to memory of 2360	2064	XClient.exe	75
PID 2064 wrote to memory of 2360	2064	XClient.exe	75
PID 2064 wrote to memory of 4296	2064	XClient.exe	76
PID 2064 wrote to memory of 4296	2064	XClient.exe	76
PID 4296 wrote to memory of 2812	4296	cmd.exe	78
PID 4296 wrote to memory of 2812	4296	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe
  "C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2CC3.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2812

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x384
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2CC3.tmp.bat

Filesize
159B

MD5
1e52488bffc57e46a5d435e30b41b312

SHA1
b2c415781b9160f708de40ef75daea94047b00ed

SHA256
d8600593333cac9039e478d2df1a8a40ee0889b264fa6b5e31a37e934bf61b2b

SHA512
5e38757ffea3611812c863571799824f6ca6200f3cf4d86f86b404e27999b04ab7b710cd1a4fc0d1d6e252a9b2bae417935259dd7a9bd5dd4715bfaefe9a74a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe

Filesize
131KB

MD5
bd65d387482def1fe00b50406f731763

SHA1
d06a2ba2e29228f443f97d1dd3a8da5dd7df5903

SHA256
1ab7375550516d7445c47fd9b551ed864f227401a14ff3f1ff0d70caca3bd997

SHA512
351ecd109c4d49bc822e8ade73a9516c4a531ebcda63546c155e677dcff19708068dc588b2fcf30cad086238e8b206fc5f349d37dda02d3c3a8d9b570d92e4d9

Download Submit
memory/2064-0-0x00007FFD618A3000-0x00007FFD618A4000-memory.dmp

Filesize
4KB

Download
memory/2064-1-0x00000000009E0000-0x00000000009F6000-memory.dmp

Filesize
88KB

Download
memory/2064-2-0x00007FFD618A0000-0x00007FFD6228C000-memory.dmp

Filesize
9.9MB

Download
memory/2064-3-0x00007FFD618A0000-0x00007FFD6228C000-memory.dmp

Filesize
9.9MB

Download
memory/2064-4-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

Filesize
48KB

Download
memory/2064-5-0x0000000000FE0000-0x000000000106E000-memory.dmp

Filesize
568KB

Download
memory/2064-17-0x00007FFD618A0000-0x00007FFD6228C000-memory.dmp

Filesize
9.9MB

Download