xworm | 28041fc75ea0dd89b4cfa6338ff7dd3ef053bf5e49eca14f6d8e4acc003c9c6b

Resubmissions

02/09/2024, 04:11 UTC

240902-erx5ws1ekl 10

31/08/2024, 15:44 UTC

240831-s6y8dssajf 10

31/08/2024, 15:41 UTC

240831-s4ytva1gph 10

31/08/2024, 15:35 UTC

240831-s1fh4a1fjk 10

Analysis

max time kernel
719s
max time network
721s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
31/08/2024, 15:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

84KB
MD5

13f12b20731a141144d59aef56828f78
SHA1

2aef63a0f584914b022ea7d039bd431fa99520b3
SHA256

28041fc75ea0dd89b4cfa6338ff7dd3ef053bf5e49eca14f6d8e4acc003c9c6b
SHA512

19f9aeb3ceed2cd0ab93e0f449174de9f07afba41f38c620a1480b052c18ce898d52b9c90f3cfe83611064b4b6cf7444041a4b1d52de214811436975802bcbaa
SSDEEP

1536:E4VFkamGxes+ESPmWnz5fH0hgThsipZR8beJKNlG8V6f7/7zOD5gfRJoBP:E4VNxedPmWt04/UbeSly7/vOD5c4V

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

178.215.236.68:7000

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1020-1-0x0000000000C90000-0x0000000000CAC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2784	powershell.exe
2692	powershell.exe

Deletes itself 1 IoCs

pid	Process
1900	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
992	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2784	powershell.exe
2692	powershell.exe
1020	XClient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	XClient.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	1020	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1020	XClient.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 2784	1020	XClient.exe	30
PID 1020 wrote to memory of 2784	1020	XClient.exe	30
PID 1020 wrote to memory of 2784	1020	XClient.exe	30
PID 1020 wrote to memory of 2692	1020	XClient.exe	32
PID 1020 wrote to memory of 2692	1020	XClient.exe	32
PID 1020 wrote to memory of 2692	1020	XClient.exe	32
PID 1020 wrote to memory of 1900	1020	XClient.exe	34
PID 1020 wrote to memory of 1900	1020	XClient.exe	34
PID 1020 wrote to memory of 1900	1020	XClient.exe	34
PID 1900 wrote to memory of 992	1900	cmd.exe	36
PID 1900 wrote to memory of 992	1900	cmd.exe	36
PID 1900 wrote to memory of 992	1900	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA718.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:992

Network

DNS

ip-api.com

XClient.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

XClient.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 15:41:50 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44

208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

XClient.exe

264 B
307 B
4
3

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
178.215.236.68:7000

XClient.exe

2.7kB
17.2kB
32
33

8.8.8.8:53

ip-api.com

dns

XClient.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA718.tmp.bat

Filesize
159B

MD5
c9f2a35c1ce15a06b9b168c546e4ed24

SHA1
265dcbf0f0cbcfac7ec6cd6ad505deaee9d038d4

SHA256
d6d890460d82f137a1a6e6aff4b7223d72049f35e5608b6498c3527ab9085614

SHA512
31cd42dae48d904103225ee5dc69656d1c4249ce2d1df2419dfeb38ace5379171bd315784ac88ff00f373a849100af9f0e303181a853b01ad5836bae9c6552c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7545cb0e7b8388423fbc380b36c0a7e3

SHA1
aa6414259fcbabb75e1347f51db613e07f13bfb4

SHA256
984834914109fe732f2c2317090f3e05a4455b7a5f09a1bc71f5393401c8fc81

SHA512
2be708c5ef2ca95e25520912937d33be21882930b7a701d846714588d6b8c34899c6aca387f43c859efb103d16caac116a6ba9d655272c8717178f6d89f23243

Download Submit
memory/1020-17-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

Filesize
4KB

Download
memory/1020-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1020-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

Filesize
4KB

Download
memory/1020-18-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1020-1-0x0000000000C90000-0x0000000000CAC000-memory.dmp

Filesize
112KB

Download
memory/1020-27-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-15-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2692-16-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2784-7-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2784-8-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2784-9-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.