Malware Analysis Report

2025-08-11 07:49

Sample ID 241029-2qjmfa1glr
Target XCliente.exe
SHA256 6beed422d1b8dd262962ce2b277dfa8d6f852b4572ee818d77173eea1842be4b
Tags
xworm persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6beed422d1b8dd262962ce2b277dfa8d6f852b4572ee818d77173eea1842be4b

Threat Level: Known bad

The file XCliente.exe was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Xworm

Xworm family

Detect Xworm Payload

Drops startup file

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 22:47

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 22:47

Reported

2024-10-29 22:49

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XCliente.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XCliente.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XCliente.lnk C:\Users\Admin\AppData\Local\Temp\XCliente.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XCliente.lnk C:\Users\Admin\AppData\Local\Temp\XCliente.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\XCliente.exe N/A
N/A N/A C:\Users\Public\XCliente.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XCliente = "C:\\Users\\Public\\XCliente.exe" C:\Users\Admin\AppData\Local\Temp\XCliente.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XCliente.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\XCliente.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\XCliente.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\XCliente.exe C:\Windows\System32\schtasks.exe
PID 2332 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\XCliente.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\XCliente.exe

"C:\Users\Admin\AppData\Local\Temp\XCliente.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XCliente" /tr "C:\Users\Public\XCliente.exe"

C:\Users\Public\XCliente.exe

C:\Users\Public\XCliente.exe

C:\Users\Public\XCliente.exe

C:\Users\Public\XCliente.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 schools-fits.gl.at.ply.gg udp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 8.8.8.8:53 23.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp
US 147.185.221.23:14654 schools-fits.gl.at.ply.gg tcp

Files

memory/2332-0-0x00007FFAC2433000-0x00007FFAC2435000-memory.dmp

memory/2332-1-0x0000000000EF0000-0x0000000000EFE000-memory.dmp

memory/3952-2-0x0000021E61300000-0x0000021E61301000-memory.dmp

memory/3952-4-0x0000021E61300000-0x0000021E61301000-memory.dmp

memory/3952-3-0x0000021E61300000-0x0000021E61301000-memory.dmp

memory/3952-14-0x0000021E61300000-0x0000021E61301000-memory.dmp

memory/3952-13-0x0000021E61300000-0x0000021E61301000-memory.dmp

memory/3952-12-0x0000021E61300000-0x0000021E61301000-memory.dmp

memory/3952-11-0x0000021E61300000-0x0000021E61301000-memory.dmp

memory/3952-10-0x0000021E61300000-0x0000021E61301000-memory.dmp

memory/3952-9-0x0000021E61300000-0x0000021E61301000-memory.dmp

memory/3952-8-0x0000021E61300000-0x0000021E61301000-memory.dmp

C:\Users\Public\XCliente.exe

MD5 46af754270dd36d49444438d59d3dc03
SHA1 3c7026e503ad99e027c441b386de18ab24417f54
SHA256 6beed422d1b8dd262962ce2b277dfa8d6f852b4572ee818d77173eea1842be4b
SHA512 38d39b06c945cc3690acb463f4fceea44a8bc6d3d5862fdde34ac86e060b06e88969f431029ff83b38f25e3dd616ef64f6e9eca21dbe4d2efdae1577f096a904

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XCliente.lnk

MD5 6b0d884f20ad1362e502782423c8d87a
SHA1 0592204030ca102574a240611cd6ca2aa8d912ab
SHA256 14133a517672e7396abc44dec9d8706ade9f0134d6c190bb49c2a6646de2ea40
SHA512 32d596854a99222d097b59fb6b69a0856b1be48f6d5f94b86f98c8f82b492ef395c7301a4329d5ed700fa6badbddab8ede3012ca1c46f082fcc94fd8cbdc3612

memory/2332-24-0x00007FFAC2430000-0x00007FFAC2EF1000-memory.dmp

memory/2332-26-0x00007FFAC2430000-0x00007FFAC2EF1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XCliente.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1