xworm | f9aba8647ab6d32967c7d16773b77a9b9a9136bd9d3ceabe31fd4d5d3ac204e4

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 22:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-28_2599b7f1f17461be8a9bbe48fdc09962_hiddentear.exe
Size

308KB
MD5

2599b7f1f17461be8a9bbe48fdc09962
SHA1

21cbd2c4b33b02d86affb2e66b4e0b50f4bb12e9
SHA256

f9aba8647ab6d32967c7d16773b77a9b9a9136bd9d3ceabe31fd4d5d3ac204e4
SHA512

d3e0bee8bf6e4e206b3743fad85649e7bf9964d4e3efa9561878129dbc74afcc6625ccc186227513d0103cd5f2a9326aae34788a0b98ae8e61c8c5884fdf9522
SSDEEP

3072:pBrjWFP9ZmO/OiM+lmsolAIrRuw+mqv9j1MWLQI8qJzrrtRJlhkg9V6tuAxdLfww:pBPoP9Ah+lDAADr9fjqtspmd8XCa1c

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

193.26.115.92:7000

Mutex

tQVOItr2kWmDvohV

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2664-1-0x00000000013C0000-0x00000000013E6000-memory.dmp	family_xworm
behavioral1/files/0x0004000000011ba2-7.dat	family_xworm
behavioral1/memory/2564-9-0x0000000001290000-0x00000000012B6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 2 IoCs

pid	Process
2564	XClient.exe
960	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2764	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	2024-08-28_2599b7f1f17461be8a9bbe48fdc09962_hiddentear.exe
Token: SeDebugPrivilege	2664	2024-08-28_2599b7f1f17461be8a9bbe48fdc09962_hiddentear.exe
Token: SeDebugPrivilege	2564	XClient.exe
Token: SeDebugPrivilege	960	XClient.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2764	2664	2024-08-28_2599b7f1f17461be8a9bbe48fdc09962_hiddentear.exe	30
PID 2664 wrote to memory of 2764	2664	2024-08-28_2599b7f1f17461be8a9bbe48fdc09962_hiddentear.exe	30
PID 2664 wrote to memory of 2764	2664	2024-08-28_2599b7f1f17461be8a9bbe48fdc09962_hiddentear.exe	30
PID 2804 wrote to memory of 2564	2804	taskeng.exe	33
PID 2804 wrote to memory of 2564	2804	taskeng.exe	33
PID 2804 wrote to memory of 2564	2804	taskeng.exe	33
PID 2804 wrote to memory of 960	2804	taskeng.exe	34
PID 2804 wrote to memory of 960	2804	taskeng.exe	34
PID 2804 wrote to memory of 960	2804	taskeng.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-08-28_2599b7f1f17461be8a9bbe48fdc09962_hiddentear.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-28_2599b7f1f17461be8a9bbe48fdc09962_hiddentear.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2764

C:\Windows\system32\taskeng.exe
taskeng.exe {B80DA058-025E-47AA-B6AA-EDB81DC55D4D} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
308KB

MD5
2599b7f1f17461be8a9bbe48fdc09962

SHA1
21cbd2c4b33b02d86affb2e66b4e0b50f4bb12e9

SHA256
f9aba8647ab6d32967c7d16773b77a9b9a9136bd9d3ceabe31fd4d5d3ac204e4

SHA512
d3e0bee8bf6e4e206b3743fad85649e7bf9964d4e3efa9561878129dbc74afcc6625ccc186227513d0103cd5f2a9326aae34788a0b98ae8e61c8c5884fdf9522

Download Submit
memory/2564-9-0x0000000001290000-0x00000000012B6000-memory.dmp

Filesize
152KB

Download
memory/2664-0-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

Filesize
4KB

Download
memory/2664-1-0x00000000013C0000-0x00000000013E6000-memory.dmp

Filesize
152KB

Download
memory/2664-3-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-4-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

Filesize
4KB

Download
memory/2664-5-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads