xworm | 3a5e81d324db316d732da47ab518739928ea4890fddff8b386ababf168719eaa

Analysis

max time kernel
16s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm 5.6/Xworm V5.6.exe
Size

7.8MB
MD5

c271db9b847221076506fd6b80d27e70
SHA1

97949415366b41d720fc787fec8d79caed7b7167
SHA256

b33c17ec8a56e93f0c936197fe1b5c79c6db69bd002a89e739bd52871c9ebef1
SHA512

63e96f38074d6f81ee937e10caf49cb56c2f443dabc8c8ad10542c1e93e26be52a80d7f77761f42ad087d2c711d1f1e72bc467e6724f8256a602434767e6d6d1
SSDEEP

196608:cmKLCFU/jHq/puROyhxeyOC7+oiRkbtejBe5d:cmmq/pkOYxehohbtN

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

might-gdp.gl.at.ply.gg:58764

capacity-rise.gl.at.ply.gg:36727

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x00070000000226f8-6.dat	family_xworm
behavioral2/memory/868-15-0x0000000000DE0000-0x0000000000DF8000-memory.dmp	family_xworm
behavioral2/files/0x00090000000233ff-29.dat	family_xworm
behavioral2/memory/4036-41-0x00000000008D0000-0x00000000008E8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3348	powershell.exe
2468	powershell.exe
4748	powershell.exe
3660	powershell.exe
3544	powershell.exe
2320	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Xworm V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Russian Federation codex.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Russian Federation codex.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Russian Federation codex.exe

Executes dropped EXE 3 IoCs

pid	Process
868	XClient.exe
376	Xworm V5.6.exe
4036	Russian Federation codex.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Russian Federation codex.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe
3660	powershell.exe
3660	powershell.exe
3660	powershell.exe
868	XClient.exe
868	XClient.exe
3544	powershell.exe
3544	powershell.exe
3544	powershell.exe
2320	powershell.exe
2320	powershell.exe
2320	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
4036	Russian Federation codex.exe
4036	Russian Federation codex.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4036	Russian Federation codex.exe
Token: SeDebugPrivilege	868	XClient.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	868	XClient.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	4036	Russian Federation codex.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
868	XClient.exe
4036	Russian Federation codex.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 868	2960	Xworm V5.6.exe	88
PID 2960 wrote to memory of 868	2960	Xworm V5.6.exe	88
PID 2960 wrote to memory of 376	2960	Xworm V5.6.exe	89
PID 2960 wrote to memory of 376	2960	Xworm V5.6.exe	89
PID 2960 wrote to memory of 4036	2960	Xworm V5.6.exe	90
PID 2960 wrote to memory of 4036	2960	Xworm V5.6.exe	90
PID 868 wrote to memory of 4748	868	XClient.exe	95
PID 868 wrote to memory of 4748	868	XClient.exe	95
PID 868 wrote to memory of 3660	868	XClient.exe	97
PID 868 wrote to memory of 3660	868	XClient.exe	97
PID 4036 wrote to memory of 3544	4036	Russian Federation codex.exe	99
PID 4036 wrote to memory of 3544	4036	Russian Federation codex.exe	99
PID 4036 wrote to memory of 2320	4036	Russian Federation codex.exe	101
PID 4036 wrote to memory of 2320	4036	Russian Federation codex.exe	101
PID 4036 wrote to memory of 3348	4036	Russian Federation codex.exe	103
PID 4036 wrote to memory of 3348	4036	Russian Federation codex.exe	103
PID 4036 wrote to memory of 2468	4036	Russian Federation codex.exe	106
PID 4036 wrote to memory of 2468	4036	Russian Federation codex.exe	106

C:\Users\Admin\AppData\Local\Temp\Xworm 5.6\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm 5.6\Xworm V5.6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Users\Admin\AppData\Local\Temp\Russian Federation codex.exe
  "C:\Users\Admin\AppData\Local\Temp\Russian Federation codex.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Russian Federation codex.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Russian Federation codex.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5afb2e6ea0396df69c8d082b7c0111b5

SHA1
ed3fe21a7591d295581a3270c0804e88ac9d3fde

SHA256
0cdd39b0d1adb03a8262ac587582c571c02a4c0d4767fe2094150d33eb1946b4

SHA512
d58837e7782e157189e3319fef42dcceaf68474d6d219b02d926580617ec10efd5b77294259e539b3b298b9844318d943a5d92b6408500454d67684319df8a16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Temp\Russian Federation codex.exe

Filesize
72KB

MD5
db2b36c00cbb0ba5526e493c71f2e8b4

SHA1
d1ab049ccbc747fd6ac36b99cc8ad2cceb6a74f9

SHA256
708674fdf1aa0adb64bbc8569f2256fca97ef9c09ae48f21b5bcd4502eb3d495

SHA512
4ef2681e1fdc6d8d12e770f650e7ffc3db1c88fb531aa358c0adf231e125d704f7193521e6d818672fe1ec732866a47dace3e2736c64d0fabb93ad906c89eabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
74KB

MD5
e8819b44e0b74910e40ad4c3e5e829e0

SHA1
3318a203b29399535655558f966bcd7386bc1bf8

SHA256
8161c201b11fda0b72f520678d6331eea251052c99951c8dc3f98bb374268a76

SHA512
8148cab78cb2d1ce23909a293773a2ffe40999525c0036c53bb5f885a4641a3bd6b31f05c425702889007a24a575b3a0ea2d1fd49658276cf42581f51fa68739

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwlopdad.5mg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/376-40-0x00007FFFE82A0000-0x00007FFFE8D61000-memory.dmp

Filesize
10.8MB

Download
memory/376-116-0x00007FFFE82A0000-0x00007FFFE8D61000-memory.dmp

Filesize
10.8MB

Download
memory/376-42-0x0000023D58D40000-0x0000023D59C28000-memory.dmp

Filesize
14.9MB

Download
memory/868-14-0x00007FFFE82A0000-0x00007FFFE8D61000-memory.dmp

Filesize
10.8MB

Download
memory/868-67-0x00007FFFE82A0000-0x00007FFFE8D61000-memory.dmp

Filesize
10.8MB

Download
memory/868-15-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

Filesize
96KB

Download
memory/868-117-0x00007FFFE82A0000-0x00007FFFE8D61000-memory.dmp

Filesize
10.8MB

Download
memory/2960-39-0x00007FFFE82A0000-0x00007FFFE8D61000-memory.dmp

Filesize
10.8MB

Download
memory/2960-0-0x00007FFFE82A3000-0x00007FFFE82A5000-memory.dmp

Filesize
8KB

Download
memory/2960-11-0x00007FFFE82A0000-0x00007FFFE8D61000-memory.dmp

Filesize
10.8MB

Download
memory/2960-1-0x0000000000040000-0x000000000081C000-memory.dmp

Filesize
7.9MB

Download
memory/4036-41-0x00000000008D0000-0x00000000008E8000-memory.dmp

Filesize
96KB

Download
memory/4748-48-0x000001CE4AFC0000-0x000001CE4AFE2000-memory.dmp

Filesize
136KB

Download