xworm | d5a9a013320ba9ccda23abf7ad0e364193e3f7ba84554d4d70b8538084560b08

Analysis

max time kernel
146s
max time network
152s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31/10/2024, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

шкибиди туалет.exe
Size

48KB
MD5

8855bf2042f8fb32e6b181832242a7e7
SHA1

933026bbb4c10bcef1e1d645ec4f30f3cc9d0525
SHA256

d5a9a013320ba9ccda23abf7ad0e364193e3f7ba84554d4d70b8538084560b08
SHA512

ffcc177442f1af324ffd92af71a86abd182f8698876f6ae05e932dc43598fd82322bcf1b3ef326ec0d2458b786472090e6c6520e6727e7db9c50da91358dfa71
SSDEEP

768:pivffaUlrlLGnaOL0k8LnooYsTUiWruIcO3QXdT7Bqfwx:pia+WaoRxTBWHCA

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

application-mess.gl.at.ply.gg:8848

Mutex

QO74sVclgUVzlyXQ

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002900000004506b-12.dat	family_xworm
behavioral1/memory/1728-23-0x00000000000F0000-0x0000000000100000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4648	powershell.exe
8	powershell.exe
4396	powershell.exe
4980	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	шкибиди туалет.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\ProgramData\\XClient.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4648	powershell.exe
4648	powershell.exe
8	powershell.exe
8	powershell.exe
4396	powershell.exe
4396	powershell.exe
4980	powershell.exe
4980	powershell.exe
1728	XClient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	XClient.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeIncreaseQuotaPrivilege	4648	powershell.exe
Token: SeSecurityPrivilege	4648	powershell.exe
Token: SeTakeOwnershipPrivilege	4648	powershell.exe
Token: SeLoadDriverPrivilege	4648	powershell.exe
Token: SeSystemProfilePrivilege	4648	powershell.exe
Token: SeSystemtimePrivilege	4648	powershell.exe
Token: SeProfSingleProcessPrivilege	4648	powershell.exe
Token: SeIncBasePriorityPrivilege	4648	powershell.exe
Token: SeCreatePagefilePrivilege	4648	powershell.exe
Token: SeBackupPrivilege	4648	powershell.exe
Token: SeRestorePrivilege	4648	powershell.exe
Token: SeShutdownPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeSystemEnvironmentPrivilege	4648	powershell.exe
Token: SeRemoteShutdownPrivilege	4648	powershell.exe
Token: SeUndockPrivilege	4648	powershell.exe
Token: SeManageVolumePrivilege	4648	powershell.exe
Token: 33	4648	powershell.exe
Token: 34	4648	powershell.exe
Token: 35	4648	powershell.exe
Token: 36	4648	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeIncreaseQuotaPrivilege	8	powershell.exe
Token: SeSecurityPrivilege	8	powershell.exe
Token: SeTakeOwnershipPrivilege	8	powershell.exe
Token: SeLoadDriverPrivilege	8	powershell.exe
Token: SeSystemProfilePrivilege	8	powershell.exe
Token: SeSystemtimePrivilege	8	powershell.exe
Token: SeProfSingleProcessPrivilege	8	powershell.exe
Token: SeIncBasePriorityPrivilege	8	powershell.exe
Token: SeCreatePagefilePrivilege	8	powershell.exe
Token: SeBackupPrivilege	8	powershell.exe
Token: SeRestorePrivilege	8	powershell.exe
Token: SeShutdownPrivilege	8	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeSystemEnvironmentPrivilege	8	powershell.exe
Token: SeRemoteShutdownPrivilege	8	powershell.exe
Token: SeUndockPrivilege	8	powershell.exe
Token: SeManageVolumePrivilege	8	powershell.exe
Token: 33	8	powershell.exe
Token: 34	8	powershell.exe
Token: 35	8	powershell.exe
Token: 36	8	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeIncreaseQuotaPrivilege	4396	powershell.exe
Token: SeSecurityPrivilege	4396	powershell.exe
Token: SeTakeOwnershipPrivilege	4396	powershell.exe
Token: SeLoadDriverPrivilege	4396	powershell.exe
Token: SeSystemProfilePrivilege	4396	powershell.exe
Token: SeSystemtimePrivilege	4396	powershell.exe
Token: SeProfSingleProcessPrivilege	4396	powershell.exe
Token: SeIncBasePriorityPrivilege	4396	powershell.exe
Token: SeCreatePagefilePrivilege	4396	powershell.exe
Token: SeBackupPrivilege	4396	powershell.exe
Token: SeRestorePrivilege	4396	powershell.exe
Token: SeShutdownPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeSystemEnvironmentPrivilege	4396	powershell.exe
Token: SeRemoteShutdownPrivilege	4396	powershell.exe
Token: SeUndockPrivilege	4396	powershell.exe
Token: SeManageVolumePrivilege	4396	powershell.exe
Token: 33	4396	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1728	XClient.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 1980	3888	шкибиди туалет.exe	83
PID 3888 wrote to memory of 1980	3888	шкибиди туалет.exe	83
PID 3888 wrote to memory of 1728	3888	шкибиди туалет.exe	85
PID 3888 wrote to memory of 1728	3888	шкибиди туалет.exe	85
PID 1980 wrote to memory of 1668	1980	cmd.exe	86
PID 1980 wrote to memory of 1668	1980	cmd.exe	86
PID 1728 wrote to memory of 4648	1728	XClient.exe	90
PID 1728 wrote to memory of 4648	1728	XClient.exe	90
PID 1728 wrote to memory of 8	1728	XClient.exe	95
PID 1728 wrote to memory of 8	1728	XClient.exe	95
PID 1728 wrote to memory of 4396	1728	XClient.exe	97
PID 1728 wrote to memory of 4396	1728	XClient.exe	97
PID 1728 wrote to memory of 4980	1728	XClient.exe	99
PID 1728 wrote to memory of 4980	1728	XClient.exe	99

C:\Users\Admin\AppData\Local\Temp\шкибиди туалет.exe
"C:\Users\Admin\AppData\Local\Temp\шкибиди туалет.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\tilox.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1668
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26c94c408a5a2e1e04f1191fc2902d3e

SHA1
ce50b153be03511bd62a477abf71a7e9f94e68a5

SHA256
86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec

SHA512
70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
13b2e4eb45bebc3043ead7e6749b70c4

SHA1
cf92d2c8e3f324ae070f57d1c066f1678b0530ac

SHA256
3b4cc714b7c34a8b2c507426577e6a4e23c405e71f103b06292ad8734d6751cb

SHA512
5f4d846d47cb749fdcb2b9c25cca4ca82e07944556fd952299ad09193d56846ed2bd3d27f99706f92c362a52cebd716ba630a622d6095da55ecc345a9bd5ad37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87e99003b41b406b16a979a7f29afede

SHA1
8ca487ae1547b02228d3d3754e4d7fe00a7cc16a

SHA256
40ee14627b2772924b2c691eb6a505216a04b27719cc55509edf41364117ec1a

SHA512
eb68867d3829493b82da3cccbb9113c612d1ce2ba7a909f2ae64d52dd24e9de9438747a44c96889ad531006abaec7dd29071c4d860b610092434654ab89a2e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eoihc2yx.dje.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
38KB

MD5
61f5c35f3d44c66758c41e80aa120df0

SHA1
31d83065eb4f30c1321ed717deeede0d181d6f9c

SHA256
a798b8d3494e70279dd61debeb3816b0f732ad7393b0b10c149c1becd72e5623

SHA512
05231e408327af615c751b5d1eb9f124883326a933fbf8ec076c35edb18cb39cf8a0aa0a2320f57cd42a49388d0021f91492f8f45cf5ea489de567ece87aee69

Download Submit
C:\Users\Admin\AppData\Roaming\tilox.bat

Filesize
65B

MD5
f14bef95f0b32676423586d7c07a5c3c

SHA1
a5865efc09bc7eada19532053553723dfdf5f995

SHA256
b6723ceece0204f3dd1334dfab91e4a141bf766d410be1de3c7c27b68450a6e6

SHA512
f3a33e86d02e612bc8976610ce762d654d5e91a934e979a3381ea370d007c6c8a15de72c6a44c4b54252cd505b364c98aab22a0db64573b819340601c92cb3e9

Download Submit
memory/1728-25-0x00007FFDC8210000-0x00007FFDC8CD2000-memory.dmp

Filesize
10.8MB

Download
memory/1728-23-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1728-73-0x00007FFDC8210000-0x00007FFDC8CD2000-memory.dmp

Filesize
10.8MB

Download
memory/1728-74-0x00007FFDC8210000-0x00007FFDC8CD2000-memory.dmp

Filesize
10.8MB

Download
memory/1728-75-0x00007FFDC8210000-0x00007FFDC8CD2000-memory.dmp

Filesize
10.8MB

Download
memory/3888-0-0x00007FFDC8213000-0x00007FFDC8215000-memory.dmp

Filesize
8KB

Download
memory/3888-1-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/4648-31-0x000001AED73E0000-0x000001AED7402000-memory.dmp

Filesize
136KB

Download