xworm | d5a9a013320ba9ccda23abf7ad0e364193e3f7ba84554d4d70b8538084560b08

Analysis

max time kernel
135s
max time network
147s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31/10/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

шкибиди туалет.exe
Size

48KB
MD5

8855bf2042f8fb32e6b181832242a7e7
SHA1

933026bbb4c10bcef1e1d645ec4f30f3cc9d0525
SHA256

d5a9a013320ba9ccda23abf7ad0e364193e3f7ba84554d4d70b8538084560b08
SHA512

ffcc177442f1af324ffd92af71a86abd182f8698876f6ae05e932dc43598fd82322bcf1b3ef326ec0d2458b786472090e6c6520e6727e7db9c50da91358dfa71
SSDEEP

768:pivffaUlrlLGnaOL0k8LnooYsTUiWruIcO3QXdT7Bqfwx:pia+WaoRxTBWHCA

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

application-mess.gl.at.ply.gg:8848

Mutex

QO74sVclgUVzlyXQ

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00240000000450f6-12.dat	family_xworm
behavioral1/memory/3988-23-0x00000000008A0000-0x00000000008B0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1164	powershell.exe
3812	powershell.exe
1060	powershell.exe
4668	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	шкибиди туалет.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
3988	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\ProgramData\\XClient.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3812	powershell.exe
3812	powershell.exe
1060	powershell.exe
1060	powershell.exe
4668	powershell.exe
4668	powershell.exe
1164	powershell.exe
1164	powershell.exe
3988	XClient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	XClient.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeIncreaseQuotaPrivilege	3812	powershell.exe
Token: SeSecurityPrivilege	3812	powershell.exe
Token: SeTakeOwnershipPrivilege	3812	powershell.exe
Token: SeLoadDriverPrivilege	3812	powershell.exe
Token: SeSystemProfilePrivilege	3812	powershell.exe
Token: SeSystemtimePrivilege	3812	powershell.exe
Token: SeProfSingleProcessPrivilege	3812	powershell.exe
Token: SeIncBasePriorityPrivilege	3812	powershell.exe
Token: SeCreatePagefilePrivilege	3812	powershell.exe
Token: SeBackupPrivilege	3812	powershell.exe
Token: SeRestorePrivilege	3812	powershell.exe
Token: SeShutdownPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeSystemEnvironmentPrivilege	3812	powershell.exe
Token: SeRemoteShutdownPrivilege	3812	powershell.exe
Token: SeUndockPrivilege	3812	powershell.exe
Token: SeManageVolumePrivilege	3812	powershell.exe
Token: 33	3812	powershell.exe
Token: 34	3812	powershell.exe
Token: 35	3812	powershell.exe
Token: 36	3812	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeIncreaseQuotaPrivilege	1060	powershell.exe
Token: SeSecurityPrivilege	1060	powershell.exe
Token: SeTakeOwnershipPrivilege	1060	powershell.exe
Token: SeLoadDriverPrivilege	1060	powershell.exe
Token: SeSystemProfilePrivilege	1060	powershell.exe
Token: SeSystemtimePrivilege	1060	powershell.exe
Token: SeProfSingleProcessPrivilege	1060	powershell.exe
Token: SeIncBasePriorityPrivilege	1060	powershell.exe
Token: SeCreatePagefilePrivilege	1060	powershell.exe
Token: SeBackupPrivilege	1060	powershell.exe
Token: SeRestorePrivilege	1060	powershell.exe
Token: SeShutdownPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeSystemEnvironmentPrivilege	1060	powershell.exe
Token: SeRemoteShutdownPrivilege	1060	powershell.exe
Token: SeUndockPrivilege	1060	powershell.exe
Token: SeManageVolumePrivilege	1060	powershell.exe
Token: 33	1060	powershell.exe
Token: 34	1060	powershell.exe
Token: 35	1060	powershell.exe
Token: 36	1060	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeIncreaseQuotaPrivilege	4668	powershell.exe
Token: SeSecurityPrivilege	4668	powershell.exe
Token: SeTakeOwnershipPrivilege	4668	powershell.exe
Token: SeLoadDriverPrivilege	4668	powershell.exe
Token: SeSystemProfilePrivilege	4668	powershell.exe
Token: SeSystemtimePrivilege	4668	powershell.exe
Token: SeProfSingleProcessPrivilege	4668	powershell.exe
Token: SeIncBasePriorityPrivilege	4668	powershell.exe
Token: SeCreatePagefilePrivilege	4668	powershell.exe
Token: SeBackupPrivilege	4668	powershell.exe
Token: SeRestorePrivilege	4668	powershell.exe
Token: SeShutdownPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeSystemEnvironmentPrivilege	4668	powershell.exe
Token: SeRemoteShutdownPrivilege	4668	powershell.exe
Token: SeUndockPrivilege	4668	powershell.exe
Token: SeManageVolumePrivilege	4668	powershell.exe
Token: 33	4668	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3988	XClient.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1544	2408	шкибиди туалет.exe	82
PID 2408 wrote to memory of 1544	2408	шкибиди туалет.exe	82
PID 2408 wrote to memory of 3988	2408	шкибиди туалет.exe	84
PID 2408 wrote to memory of 3988	2408	шкибиди туалет.exe	84
PID 1544 wrote to memory of 4756	1544	cmd.exe	85
PID 1544 wrote to memory of 4756	1544	cmd.exe	85
PID 3988 wrote to memory of 3812	3988	XClient.exe	87
PID 3988 wrote to memory of 3812	3988	XClient.exe	87
PID 3988 wrote to memory of 1060	3988	XClient.exe	90
PID 3988 wrote to memory of 1060	3988	XClient.exe	90
PID 3988 wrote to memory of 4668	3988	XClient.exe	92
PID 3988 wrote to memory of 4668	3988	XClient.exe	92
PID 3988 wrote to memory of 1164	3988	XClient.exe	94
PID 3988 wrote to memory of 1164	3988	XClient.exe	94

C:\Users\Admin\AppData\Local\Temp\шкибиди туалет.exe
"C:\Users\Admin\AppData\Local\Temp\шкибиди туалет.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\tilox.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4756
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26c94c408a5a2e1e04f1191fc2902d3e

SHA1
ce50b153be03511bd62a477abf71a7e9f94e68a5

SHA256
86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec

SHA512
70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
75c327f39b17bffdacd9b0d27c5e3c6d

SHA1
0e6b7e931dcb6bb1eb1ed870fcbcdb6126630d72

SHA256
97005a5a8a6fc32273c308a570230476842a9efa84198f3787ed6b257cec8601

SHA512
a5706d6642aa150aade9638a2052744dc2b3e65748b6c42cb7e75e309b02c85fe454c2d8c6f62425be8eb430ca34790c4fa2d13e0c97e36690ffbf1a2161bd5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
13d3b7f7b70c0c2f38816e74e54e931b

SHA1
ea13bbbaaa60fef76d24877f56a0f972a97ed5fe

SHA256
3f6ddab0ffc074a2f7d100258464859efeda919e4158cbbdc399dc07fd705169

SHA512
0e82af0be8be59e52a29224fd0634b61637e76c8e6ef28bfa3c3519c0f9fe0947566cea9a7085f26b72c48688056a2d91d33f4e51697f725778be2ff926b4fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tg5tuhst.trg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
38KB

MD5
61f5c35f3d44c66758c41e80aa120df0

SHA1
31d83065eb4f30c1321ed717deeede0d181d6f9c

SHA256
a798b8d3494e70279dd61debeb3816b0f732ad7393b0b10c149c1becd72e5623

SHA512
05231e408327af615c751b5d1eb9f124883326a933fbf8ec076c35edb18cb39cf8a0aa0a2320f57cd42a49388d0021f91492f8f45cf5ea489de567ece87aee69

Download Submit
C:\Users\Admin\AppData\Roaming\tilox.bat

Filesize
65B

MD5
f14bef95f0b32676423586d7c07a5c3c

SHA1
a5865efc09bc7eada19532053553723dfdf5f995

SHA256
b6723ceece0204f3dd1334dfab91e4a141bf766d410be1de3c7c27b68450a6e6

SHA512
f3a33e86d02e612bc8976610ce762d654d5e91a934e979a3381ea370d007c6c8a15de72c6a44c4b54252cd505b364c98aab22a0db64573b819340601c92cb3e9

Download Submit
memory/2408-0-0x00007FFCAB873000-0x00007FFCAB875000-memory.dmp

Filesize
8KB

Download
memory/2408-1-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download
memory/3812-31-0x000002117B6E0000-0x000002117B702000-memory.dmp

Filesize
136KB

Download
memory/3988-25-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

Filesize
10.8MB

Download
memory/3988-23-0x00000000008A0000-0x00000000008B0000-memory.dmp

Filesize
64KB

Download
memory/3988-73-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

Filesize
10.8MB

Download
memory/3988-74-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

Filesize
10.8MB

Download
memory/3988-75-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

Filesize
10.8MB

Download