xworm | c452cbd1ba250f9e63e1d277259783b8dede810426b21b2e91762c9a02702990

General

Target

XClient.exe
Size

171KB
MD5

e897e677766711e9b467f0765b1704d9
SHA1

9c4f70c61b538d82f4c6d47deb4fd9d0c4adf2b0
SHA256

c452cbd1ba250f9e63e1d277259783b8dede810426b21b2e91762c9a02702990
SHA512

19a7e0e2ed7da78da5802202a1e0814e12217540797e282ee18f5d2a7f25b8d8bbea2f1ed53fabba6a2bb6dae4fd46051e989ffae2cf4b02cbe02b7c356e1293
SSDEEP

3072:JBAzYQ+bIoFbuluYOOf7h3Bz65/M6If+3Js+3JFkKeTno:J+zmbLc77h3xBt25

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:39377

79.127.146.115:39377

Attributes

Install_directory
%AppData%
install_file
registry.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2332-1-0x0000000000A60000-0x0000000000A90000-memory.dmp	family_xworm
behavioral1/files/0x000f0000000131aa-35.dat	family_xworm
behavioral1/memory/1928-37-0x0000000001240000-0x0000000001270000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1876	powershell.exe
2736	powershell.exe
2944	powershell.exe
2632	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\registry.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\registry.lnk	XClient.exe

Executes dropped EXE 2 IoCs

pid	Process
1928	registry.exe
2804	registry.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\registry = "C:\\Users\\Admin\\AppData\\Roaming\\registry.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1876	powershell.exe
2736	powershell.exe
2944	powershell.exe
2632	powershell.exe
2332	XClient.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	XClient.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2332	XClient.exe
Token: SeDebugPrivilege	1928	registry.exe
Token: SeDebugPrivilege	2804	registry.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2332	XClient.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1876	2332	XClient.exe	31
PID 2332 wrote to memory of 1876	2332	XClient.exe	31
PID 2332 wrote to memory of 1876	2332	XClient.exe	31
PID 2332 wrote to memory of 2736	2332	XClient.exe	33
PID 2332 wrote to memory of 2736	2332	XClient.exe	33
PID 2332 wrote to memory of 2736	2332	XClient.exe	33
PID 2332 wrote to memory of 2944	2332	XClient.exe	35
PID 2332 wrote to memory of 2944	2332	XClient.exe	35
PID 2332 wrote to memory of 2944	2332	XClient.exe	35
PID 2332 wrote to memory of 2632	2332	XClient.exe	37
PID 2332 wrote to memory of 2632	2332	XClient.exe	37
PID 2332 wrote to memory of 2632	2332	XClient.exe	37
PID 2332 wrote to memory of 2728	2332	XClient.exe	39
PID 2332 wrote to memory of 2728	2332	XClient.exe	39
PID 2332 wrote to memory of 2728	2332	XClient.exe	39
PID 2028 wrote to memory of 1928	2028	taskeng.exe	43
PID 2028 wrote to memory of 1928	2028	taskeng.exe	43
PID 2028 wrote to memory of 1928	2028	taskeng.exe	43
PID 2028 wrote to memory of 2804	2028	taskeng.exe	45
PID 2028 wrote to memory of 2804	2028	taskeng.exe	45
PID 2028 wrote to memory of 2804	2028	taskeng.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "registry" /tr "C:\Users\Admin\AppData\Roaming\registry.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2728

C:\Windows\system32\taskeng.exe
taskeng.exe {3E50B02B-C0EB-4280-A946-134FB9804002} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\registry.exe
  C:\Users\Admin\AppData\Roaming\registry.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Users\Admin\AppData\Roaming\registry.exe
  C:\Users\Admin\AppData\Roaming\registry.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a787309778a23a2b8cf8f7d2e225929d

SHA1
7f0ced5a29afa53d5f5a4b094e4d3b9a32db31f5

SHA256
9eeb304b13fe34ee842710b751b5ea4bfbde46ed76f369c40a4426853e7f3972

SHA512
03b3ed69a554e1240094e453ab63a518bec1caf2f7d15f20b73e7e9ae197d1cab205477aa004c6ca555295d93932b4dee3055adb60f8aa6f75f6be340b5d4eac

Download Submit
C:\Users\Admin\AppData\Roaming\registry.exe

Filesize
171KB

MD5
e897e677766711e9b467f0765b1704d9

SHA1
9c4f70c61b538d82f4c6d47deb4fd9d0c4adf2b0

SHA256
c452cbd1ba250f9e63e1d277259783b8dede810426b21b2e91762c9a02702990

SHA512
19a7e0e2ed7da78da5802202a1e0814e12217540797e282ee18f5d2a7f25b8d8bbea2f1ed53fabba6a2bb6dae4fd46051e989ffae2cf4b02cbe02b7c356e1293

Download Submit
memory/1876-6-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/1876-8-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1876-7-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/1928-37-0x0000000001240000-0x0000000001270000-memory.dmp

Filesize
192KB

Download
memory/2332-31-0x000000001AE80000-0x000000001AF00000-memory.dmp

Filesize
512KB

Download
memory/2332-0-0x000007FEF6723000-0x000007FEF6724000-memory.dmp

Filesize
4KB

Download
memory/2332-32-0x000007FEF6723000-0x000007FEF6724000-memory.dmp

Filesize
4KB

Download
memory/2332-33-0x000000001AE80000-0x000000001AF00000-memory.dmp

Filesize
512KB

Download
memory/2332-1-0x0000000000A60000-0x0000000000A90000-memory.dmp

Filesize
192KB

Download
memory/2736-15-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2736-14-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads