xworm | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

max time kernel
1795s
max time network
1800s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-09-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/XClient.exe
Size

172KB
MD5

75ba783757c5b61bd841afa136fc3eda
SHA1

8db9cda9508471a23f9b743027fa115e01bc1fe1
SHA256

75a8719e83e4aecbe51287d7bfaf1e334fa190c7784324f24bcf61ab984de20a
SHA512

9a6cfbf4302336662527837bf60b30b458f8d438bd6e9563093d4948bf81c79d56578e965d836e90aafde553d1cdc9c6df81a254aafcfb3379fbe6405dce0ea1
SSDEEP

1536:vJcr5kCyoAp30kaF6CiJzt7UbjFdZe8e6TOAJkU7JsOpysa7iAMI:BcmNNxda6zZUbjHZe8jO6H2OpYuAf

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/2jTT3Lnj

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral6/memory/4896-1-0x0000000000650000-0x0000000000680000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2260	powershell.exe
4532	powershell.exe
4996	powershell.exe
2360	powershell.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 30 IoCs

Web Service

T1102

Processes:

flow	ioc
266	7.tcp.eu.ngrok.io
7	7.tcp.eu.ngrok.io
101	7.tcp.eu.ngrok.io
96	7.tcp.eu.ngrok.io
192	7.tcp.eu.ngrok.io
200	7.tcp.eu.ngrok.io
257	7.tcp.eu.ngrok.io
5	pastebin.com
29	7.tcp.eu.ngrok.io
80	7.tcp.eu.ngrok.io
127	7.tcp.eu.ngrok.io
155	7.tcp.eu.ngrok.io
210	7.tcp.eu.ngrok.io
38	7.tcp.eu.ngrok.io
45	7.tcp.eu.ngrok.io
4	pastebin.com
239	7.tcp.eu.ngrok.io
220	7.tcp.eu.ngrok.io
62	7.tcp.eu.ngrok.io
165	7.tcp.eu.ngrok.io
136	7.tcp.eu.ngrok.io
118	7.tcp.eu.ngrok.io
145	7.tcp.eu.ngrok.io
174	7.tcp.eu.ngrok.io
184	7.tcp.eu.ngrok.io
230	7.tcp.eu.ngrok.io
248	7.tcp.eu.ngrok.io
72	7.tcp.eu.ngrok.io
110	7.tcp.eu.ngrok.io
19	7.tcp.eu.ngrok.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXClient.exe

pid	Process
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
4996	powershell.exe
4996	powershell.exe
4996	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe
4896	XClient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4896	XClient.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeIncreaseQuotaPrivilege	4532	powershell.exe
Token: SeSecurityPrivilege	4532	powershell.exe
Token: SeTakeOwnershipPrivilege	4532	powershell.exe
Token: SeLoadDriverPrivilege	4532	powershell.exe
Token: SeSystemProfilePrivilege	4532	powershell.exe
Token: SeSystemtimePrivilege	4532	powershell.exe
Token: SeProfSingleProcessPrivilege	4532	powershell.exe
Token: SeIncBasePriorityPrivilege	4532	powershell.exe
Token: SeCreatePagefilePrivilege	4532	powershell.exe
Token: SeBackupPrivilege	4532	powershell.exe
Token: SeRestorePrivilege	4532	powershell.exe
Token: SeShutdownPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeSystemEnvironmentPrivilege	4532	powershell.exe
Token: SeRemoteShutdownPrivilege	4532	powershell.exe
Token: SeUndockPrivilege	4532	powershell.exe
Token: SeManageVolumePrivilege	4532	powershell.exe
Token: 33	4532	powershell.exe
Token: 34	4532	powershell.exe
Token: 35	4532	powershell.exe
Token: 36	4532	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeIncreaseQuotaPrivilege	4996	powershell.exe
Token: SeSecurityPrivilege	4996	powershell.exe
Token: SeTakeOwnershipPrivilege	4996	powershell.exe
Token: SeLoadDriverPrivilege	4996	powershell.exe
Token: SeSystemProfilePrivilege	4996	powershell.exe
Token: SeSystemtimePrivilege	4996	powershell.exe
Token: SeProfSingleProcessPrivilege	4996	powershell.exe
Token: SeIncBasePriorityPrivilege	4996	powershell.exe
Token: SeCreatePagefilePrivilege	4996	powershell.exe
Token: SeBackupPrivilege	4996	powershell.exe
Token: SeRestorePrivilege	4996	powershell.exe
Token: SeShutdownPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeSystemEnvironmentPrivilege	4996	powershell.exe
Token: SeRemoteShutdownPrivilege	4996	powershell.exe
Token: SeUndockPrivilege	4996	powershell.exe
Token: SeManageVolumePrivilege	4996	powershell.exe
Token: 33	4996	powershell.exe
Token: 34	4996	powershell.exe
Token: 35	4996	powershell.exe
Token: 36	4996	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeIncreaseQuotaPrivilege	2360	powershell.exe
Token: SeSecurityPrivilege	2360	powershell.exe
Token: SeTakeOwnershipPrivilege	2360	powershell.exe
Token: SeLoadDriverPrivilege	2360	powershell.exe
Token: SeSystemProfilePrivilege	2360	powershell.exe
Token: SeSystemtimePrivilege	2360	powershell.exe
Token: SeProfSingleProcessPrivilege	2360	powershell.exe
Token: SeIncBasePriorityPrivilege	2360	powershell.exe
Token: SeCreatePagefilePrivilege	2360	powershell.exe
Token: SeBackupPrivilege	2360	powershell.exe
Token: SeRestorePrivilege	2360	powershell.exe
Token: SeShutdownPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeSystemEnvironmentPrivilege	2360	powershell.exe
Token: SeRemoteShutdownPrivilege	2360	powershell.exe
Token: SeUndockPrivilege	2360	powershell.exe
Token: SeManageVolumePrivilege	2360	powershell.exe
Token: 33	2360	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XClient.exe

pid	Process
4896	XClient.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

XClient.exe

description	pid	Process	procid_target
PID 4896 wrote to memory of 4532	4896	XClient.exe	75
PID 4896 wrote to memory of 4532	4896	XClient.exe	75
PID 4896 wrote to memory of 4996	4896	XClient.exe	78
PID 4896 wrote to memory of 4996	4896	XClient.exe	78
PID 4896 wrote to memory of 2360	4896	XClient.exe	80
PID 4896 wrote to memory of 2360	4896	XClient.exe	80
PID 4896 wrote to memory of 2260	4896	XClient.exe	82
PID 4896 wrote to memory of 2260	4896	XClient.exe	82

C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
53977ab8d65844684df72a4661f54d1b

SHA1
8dcc8a45f619726ce2b2d63ce6286298fb0d1c61

SHA256
af4adc8f972d2c30f05cf5a295fa3200e0c7e81d5ac7cc6dd042386a008e5705

SHA512
3bb7825f5eb8510d1e02f232fd72c9ba4e9075547d4e193455ca5658248d5a44091c3aa70c4fa0bf9901ad3b135570a7bb842d06704c0701c7d74d9d43b98b22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4e13592c4c9094319633c8363ac1068b

SHA1
80e4248f094428cbb44d3f112a7a35685aa1c94b

SHA256
8d3765d7b40cfe5d620c2bd5f458e0da0689dd126a2f7da6f438f75fa46a7453

SHA512
f0f0d0970ad09c59f73fcc7b6291614d6608d80531193168991edf6f41868d44c7acb0aa11b26209a7aa5044838cce67b56d156190f680dabd4d350476b4c26b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a953721d088e3d07456fdfca2220f99c

SHA1
5b12aded20d8ab611f9e8fa25d458f9ef0f91a72

SHA256
7dcf742206203a1a98cc04e546ae8482a43e6c1a449e34fb1f5a97b414af66e4

SHA512
77564f706ffda97a399c1c06b12774385f2f4a64c74037069c6d2549dc5bf127b5f70bfaefb30b0e76a9aae360131b4203e2fd2de2a8b6ff89cc420b63a3fb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tdcthojc.vhq.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/4532-10-0x00007FFB1C1D0000-0x00007FFB1CBBC000-memory.dmp

Filesize
9.9MB

Download
memory/4532-13-0x00007FFB1C1D0000-0x00007FFB1CBBC000-memory.dmp

Filesize
9.9MB

Download
memory/4532-12-0x000002C9AC060000-0x000002C9AC0D6000-memory.dmp

Filesize
472KB

Download
memory/4532-51-0x00007FFB1C1D0000-0x00007FFB1CBBC000-memory.dmp

Filesize
9.9MB

Download
memory/4532-7-0x00007FFB1C1D0000-0x00007FFB1CBBC000-memory.dmp

Filesize
9.9MB

Download
memory/4532-8-0x000002C993A20000-0x000002C993A42000-memory.dmp

Filesize
136KB

Download
memory/4896-0-0x00007FFB1C1D3000-0x00007FFB1C1D4000-memory.dmp

Filesize
4KB

Download
memory/4896-2-0x00007FFB1C1D0000-0x00007FFB1CBBC000-memory.dmp

Filesize
9.9MB

Download
memory/4896-1-0x0000000000650000-0x0000000000680000-memory.dmp

Filesize
192KB

Download
memory/4896-181-0x00007FFB1C1D3000-0x00007FFB1C1D4000-memory.dmp

Filesize
4KB

Download
memory/4896-186-0x00007FFB1C1D0000-0x00007FFB1CBBC000-memory.dmp

Filesize
9.9MB

Download