xworm | cf7cfe8d3a2b3237eb9515ded19da6c7ef5bc039446275a1b3cc21d1051d250b

General

Target

Extreme_Injector_v3 (2).exe
Size

1.9MB
MD5

b0c8e9d2acca95a8b5bea83730ea57ef
SHA1

6397ca2befa45eb5554d119db79c894f593f9989
SHA256

cf7cfe8d3a2b3237eb9515ded19da6c7ef5bc039446275a1b3cc21d1051d250b
SHA512

bc9574c10a4eaa0a93719d0e2600d0236255e7b6e4419fcc7230b822a5f10f48503ffaabdbf43aca9284ecb516e0cb61a736bf7ff6e4206d6c9b765a4964cd40
SSDEEP

49152:52Zs4je5X9d3RTOQO67S118yYH9n5NtdpVFddPZv8I/WbR5K8RlBUnS:526FX9d3RTHLaYnNtd1ddPZEI/Q5rRl6

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

late-unfortunately.gl.at.ply.gg:38601

Mutex

eW3meCUfK2MhlV9s

Attributes

Install_directory
%Userprofile%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023443-6.dat	family_xworm
behavioral2/memory/3176-21-0x00000000001C0000-0x00000000001D0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Extreme_Injector_v3 (2).exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	pixel.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	pixel.exe

Executes dropped EXE 2 IoCs

pid	Process
3176	pixel.exe
1980	Extreme Injector v3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\XClient.exe"	pixel.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3176	pixel.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3176	pixel.exe
Token: SeDebugPrivilege	1980	Extreme Injector v3.exe
Token: 33	1980	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1980	Extreme Injector v3.exe
Token: SeDebugPrivilege	1980	Extreme Injector v3.exe
Token: 33	1980	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1980	Extreme Injector v3.exe
Token: 33	1980	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1980	Extreme Injector v3.exe
Token: 33	1980	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1980	Extreme Injector v3.exe
Token: SeDebugPrivilege	3176	pixel.exe
Token: 33	1980	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1980	Extreme Injector v3.exe
Token: 33	1980	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1980	Extreme Injector v3.exe
Token: 33	1980	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1980	Extreme Injector v3.exe
Token: 33	1980	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1980	Extreme Injector v3.exe
Token: 33	1980	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1980	Extreme Injector v3.exe
Token: 33	1980	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1980	Extreme Injector v3.exe
Token: 33	1980	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1980	Extreme Injector v3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1980	Extreme Injector v3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3176	pixel.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 3176	4144	Extreme_Injector_v3 (2).exe	83
PID 4144 wrote to memory of 3176	4144	Extreme_Injector_v3 (2).exe	83
PID 4144 wrote to memory of 1980	4144	Extreme_Injector_v3 (2).exe	84
PID 4144 wrote to memory of 1980	4144	Extreme_Injector_v3 (2).exe	84

C:\Users\Admin\AppData\Local\Temp\Extreme_Injector_v3 (2).exe
"C:\Users\Admin\AppData\Local\Temp\Extreme_Injector_v3 (2).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Roaming\pixel.exe
  "C:\Users\Admin\AppData\Roaming\pixel.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3176
- C:\Users\Admin\AppData\Roaming\Extreme Injector v3.exe
  "C:\Users\Admin\AppData\Roaming\Extreme Injector v3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Roaming\pixel.exe

Filesize
40KB

MD5
5c3686aec36190ba110aac90a3eb6c4b

SHA1
83c9f6d0e64157953a69d553245960fb4241f4a6

SHA256
b17807e731d803c6e0eef24876dd45b3cfd9000fe0f974db0c19e2a948c12db7

SHA512
133212c2847a5888ba9daf5fe76338fde3f6032048cdc59f7e953de7dbd1a8f5a2aac17c464ed9bfddbcefe3deffdfe03937aeb264696fc1bb9709c43415f666

Download Submit
memory/1980-26-0x0000000000FC0000-0x00000000011A6000-memory.dmp

Filesize
1.9MB

Download
memory/1980-28-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/1980-29-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/1980-30-0x000000001E5B0000-0x000000001E5C2000-memory.dmp

Filesize
72KB

Download
memory/1980-31-0x000000001E810000-0x000000001E84C000-memory.dmp

Filesize
240KB

Download
memory/3176-21-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/3176-27-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/3176-33-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/4144-0-0x00007FFCB1363000-0x00007FFCB1365000-memory.dmp

Filesize
8KB

Download
memory/4144-1-0x0000000000160000-0x0000000000358000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads