xworm | 3a5e81d324db316d732da47ab518739928ea4890fddff8b386ababf168719eaa

Analysis

max time kernel
30s
max time network
32s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm 5.6/Xworm V5.6.exe
Size

7.8MB
MD5

c271db9b847221076506fd6b80d27e70
SHA1

97949415366b41d720fc787fec8d79caed7b7167
SHA256

b33c17ec8a56e93f0c936197fe1b5c79c6db69bd002a89e739bd52871c9ebef1
SHA512

63e96f38074d6f81ee937e10caf49cb56c2f443dabc8c8ad10542c1e93e26be52a80d7f77761f42ad087d2c711d1f1e72bc467e6724f8256a602434767e6d6d1
SSDEEP

196608:cmKLCFU/jHq/puROyhxeyOC7+oiRkbtejBe5d:cmmq/pkOYxehohbtN

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

might-gdp.gl.at.ply.gg:58764

capacity-rise.gl.at.ply.gg:36727

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012262-5.dat	family_xworm
behavioral1/memory/2528-7-0x0000000000B40000-0x0000000000B58000-memory.dmp	family_xworm
behavioral1/files/0x000500000001c85b-19.dat	family_xworm
behavioral1/memory/536-20-0x00000000009B0000-0x00000000009C8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1104	powershell.exe
1280	powershell.exe
1772	powershell.exe
2544	powershell.exe
2756	powershell.exe
2796	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Russian Federation codex.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Russian Federation codex.exe

Executes dropped EXE 3 IoCs

pid	Process
2528	XClient.exe
2364	Xworm V5.6.exe
536	Russian Federation codex.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Russian Federation codex.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2756	powershell.exe
2796	powershell.exe
2528	XClient.exe
1104	powershell.exe
1280	powershell.exe
1772	powershell.exe
2544	powershell.exe
536	Russian Federation codex.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	Russian Federation codex.exe
Token: SeDebugPrivilege	2528	XClient.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2528	XClient.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	536	Russian Federation codex.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2528	XClient.exe
536	Russian Federation codex.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2528	2112	Xworm V5.6.exe	30
PID 2112 wrote to memory of 2528	2112	Xworm V5.6.exe	30
PID 2112 wrote to memory of 2528	2112	Xworm V5.6.exe	30
PID 2112 wrote to memory of 2364	2112	Xworm V5.6.exe	31
PID 2112 wrote to memory of 2364	2112	Xworm V5.6.exe	31
PID 2112 wrote to memory of 2364	2112	Xworm V5.6.exe	31
PID 2112 wrote to memory of 536	2112	Xworm V5.6.exe	32
PID 2112 wrote to memory of 536	2112	Xworm V5.6.exe	32
PID 2112 wrote to memory of 536	2112	Xworm V5.6.exe	32
PID 2528 wrote to memory of 2756	2528	XClient.exe	33
PID 2528 wrote to memory of 2756	2528	XClient.exe	33
PID 2528 wrote to memory of 2756	2528	XClient.exe	33
PID 2528 wrote to memory of 2796	2528	XClient.exe	35
PID 2528 wrote to memory of 2796	2528	XClient.exe	35
PID 2528 wrote to memory of 2796	2528	XClient.exe	35
PID 2364 wrote to memory of 1540	2364	Xworm V5.6.exe	39
PID 2364 wrote to memory of 1540	2364	Xworm V5.6.exe	39
PID 2364 wrote to memory of 1540	2364	Xworm V5.6.exe	39
PID 536 wrote to memory of 1104	536	Russian Federation codex.exe	40
PID 536 wrote to memory of 1104	536	Russian Federation codex.exe	40
PID 536 wrote to memory of 1104	536	Russian Federation codex.exe	40
PID 536 wrote to memory of 1280	536	Russian Federation codex.exe	42
PID 536 wrote to memory of 1280	536	Russian Federation codex.exe	42
PID 536 wrote to memory of 1280	536	Russian Federation codex.exe	42
PID 536 wrote to memory of 1772	536	Russian Federation codex.exe	44
PID 536 wrote to memory of 1772	536	Russian Federation codex.exe	44
PID 536 wrote to memory of 1772	536	Russian Federation codex.exe	44
PID 536 wrote to memory of 2544	536	Russian Federation codex.exe	46
PID 536 wrote to memory of 2544	536	Russian Federation codex.exe	46
PID 536 wrote to memory of 2544	536	Russian Federation codex.exe	46

C:\Users\Admin\AppData\Local\Temp\Xworm 5.6\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm 5.6\Xworm V5.6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2364 -s 732
    3⤵
    PID:1540
- C:\Users\Admin\AppData\Local\Temp\Russian Federation codex.exe
  "C:\Users\Admin\AppData\Local\Temp\Russian Federation codex.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Russian Federation codex.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Russian Federation codex.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Russian Federation codex.exe

Filesize
72KB

MD5
db2b36c00cbb0ba5526e493c71f2e8b4

SHA1
d1ab049ccbc747fd6ac36b99cc8ad2cceb6a74f9

SHA256
708674fdf1aa0adb64bbc8569f2256fca97ef9c09ae48f21b5bcd4502eb3d495

SHA512
4ef2681e1fdc6d8d12e770f650e7ffc3db1c88fb531aa358c0adf231e125d704f7193521e6d818672fe1ec732866a47dace3e2736c64d0fabb93ad906c89eabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
74KB

MD5
e8819b44e0b74910e40ad4c3e5e829e0

SHA1
3318a203b29399535655558f966bcd7386bc1bf8

SHA256
8161c201b11fda0b72f520678d6331eea251052c99951c8dc3f98bb374268a76

SHA512
8148cab78cb2d1ce23909a293773a2ffe40999525c0036c53bb5f885a4641a3bd6b31f05c425702889007a24a575b3a0ea2d1fd49658276cf42581f51fa68739

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
981bfc23ff14e19ba5963c335a8d1320

SHA1
5a1a80a6dffed415fd613bea27d19cd14b8554bb

SHA256
152c85e92d71e416c73e7bb1d4ad4c8696b8e1abc990ec85a225875926ce9fab

SHA512
1efaaa6269eaee5dad55c5a60b91dc1cd313d17b15795c344f7f1e5fd6b0ed16ca9bcf23325a181915a9a91e3557d65ed388efc23d998913fb35b9f4541f64b3

Download Submit
memory/536-20-0x00000000009B0000-0x00000000009C8000-memory.dmp

Filesize
96KB

Download
memory/1104-42-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1280-48-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2112-1-0x000000013F530000-0x000000013FD0C000-memory.dmp

Filesize
7.9MB

Download
memory/2112-10-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-0-0x000007FEF5CF3000-0x000007FEF5CF4000-memory.dmp

Filesize
4KB

Download
memory/2112-21-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-22-0x0000000001170000-0x0000000002058000-memory.dmp

Filesize
14.9MB

Download
memory/2528-11-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2528-36-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2528-7-0x0000000000B40000-0x0000000000B58000-memory.dmp

Filesize
96KB

Download
memory/2528-63-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2528-64-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-28-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2756-27-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2796-34-0x000000001B900000-0x000000001BBE2000-memory.dmp

Filesize
2.9MB

Download
memory/2796-35-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download