xworm | d5a9a013320ba9ccda23abf7ad0e364193e3f7ba84554d4d70b8538084560b08

General

Target

.exe
Size

48KB
MD5

8855bf2042f8fb32e6b181832242a7e7
SHA1

933026bbb4c10bcef1e1d645ec4f30f3cc9d0525
SHA256

d5a9a013320ba9ccda23abf7ad0e364193e3f7ba84554d4d70b8538084560b08
SHA512

ffcc177442f1af324ffd92af71a86abd182f8698876f6ae05e932dc43598fd82322bcf1b3ef326ec0d2458b786472090e6c6520e6727e7db9c50da91358dfa71
SSDEEP

768:pivffaUlrlLGnaOL0k8LnooYsTUiWruIcO3QXdT7Bqfwx:pia+WaoRxTBWHCA

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

application-mess.gl.at.ply.gg:8848

Mutex

QO74sVclgUVzlyXQ

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000197fd-13.dat	family_xworm
behavioral1/memory/2380-15-0x0000000000A40000-0x0000000000A50000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1784	powershell.exe
2928	powershell.exe
2908	powershell.exe
2776	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2380	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\ProgramData\\XClient.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2928	powershell.exe
2908	powershell.exe
2776	powershell.exe
1784	powershell.exe
2380	XClient.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	XClient.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2380	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2380	XClient.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 1892	2100	.exe	30
PID 2100 wrote to memory of 1892	2100	.exe	30
PID 2100 wrote to memory of 1892	2100	.exe	30
PID 2100 wrote to memory of 2380	2100	.exe	32
PID 2100 wrote to memory of 2380	2100	.exe	32
PID 2100 wrote to memory of 2380	2100	.exe	32
PID 1892 wrote to memory of 2576	1892	cmd.exe	33
PID 1892 wrote to memory of 2576	1892	cmd.exe	33
PID 1892 wrote to memory of 2576	1892	cmd.exe	33
PID 2380 wrote to memory of 2928	2380	XClient.exe	34
PID 2380 wrote to memory of 2928	2380	XClient.exe	34
PID 2380 wrote to memory of 2928	2380	XClient.exe	34
PID 2380 wrote to memory of 2908	2380	XClient.exe	36
PID 2380 wrote to memory of 2908	2380	XClient.exe	36
PID 2380 wrote to memory of 2908	2380	XClient.exe	36
PID 2380 wrote to memory of 2776	2380	XClient.exe	38
PID 2380 wrote to memory of 2776	2380	XClient.exe	38
PID 2380 wrote to memory of 2776	2380	XClient.exe	38
PID 2380 wrote to memory of 1784	2380	XClient.exe	40
PID 2380 wrote to memory of 1784	2380	XClient.exe	40
PID 2380 wrote to memory of 1784	2380	XClient.exe	40

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\tilox.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2576
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
182201d17236a98e7ff41e3aee39e0b4

SHA1
47d0270d189ea10127229c28d9c908c36a484140

SHA256
f2cdc96d4bfa155467548cb1089104cd25c58efdad95f48dab70f9cad4bfaef3

SHA512
976ecb7ecff8bbfa37ead2a39ef443f23029a0df0d18145be10b64bd124228e84b25719c85158709094dbf7fd6c685834d1c425071a73481e6bbea5c6299ba08

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
38KB

MD5
61f5c35f3d44c66758c41e80aa120df0

SHA1
31d83065eb4f30c1321ed717deeede0d181d6f9c

SHA256
a798b8d3494e70279dd61debeb3816b0f732ad7393b0b10c149c1becd72e5623

SHA512
05231e408327af615c751b5d1eb9f124883326a933fbf8ec076c35edb18cb39cf8a0aa0a2320f57cd42a49388d0021f91492f8f45cf5ea489de567ece87aee69

Download Submit
C:\Users\Admin\AppData\Roaming\tilox.bat

Filesize
65B

MD5
f14bef95f0b32676423586d7c07a5c3c

SHA1
a5865efc09bc7eada19532053553723dfdf5f995

SHA256
b6723ceece0204f3dd1334dfab91e4a141bf766d410be1de3c7c27b68450a6e6

SHA512
f3a33e86d02e612bc8976610ce762d654d5e91a934e979a3381ea370d007c6c8a15de72c6a44c4b54252cd505b364c98aab22a0db64573b819340601c92cb3e9

Download Submit
memory/2100-1-0x00000000000B0000-0x00000000000C2000-memory.dmp

Filesize
72KB

Download
memory/2100-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2380-15-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/2380-17-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-45-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-44-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-43-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-29-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/2908-30-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2928-23-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2928-22-0x000000001B140000-0x000000001B422000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads