xworm | eb8db18db280b1d68aa5aaa05d4d6f4bdfcf9921609d2c80915f8db2bb386a0e

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09/11/2024, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

54KB
MD5

f54070cb3f8967ad80f93d00a02a52ea
SHA1

ddef9179a43fd625d5c3f04c8f1919379de7e480
SHA256

eb8db18db280b1d68aa5aaa05d4d6f4bdfcf9921609d2c80915f8db2bb386a0e
SHA512

a605105bec3ccc2d6cb204c5ef27247653abc41ff1ef5bc5e739e19dc7308f33f136c338c94683f2cd8d97458e63298dd98b36571bde261862e2a301755a8f7d
SSDEEP

1536:om+BiZLw0HucpDIKBqCVzbiucbq0LSgZ6+LG8Or/1wB:keLicpEdQzbiur0LhS8OreB

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

147.185.221.23:53631

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1952-77-0x0000000001030000-0x000000000103C000-memory.dmp	disable_win_def

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/2844-1-0x0000000000BB0000-0x0000000000BC4000-memory.dmp	family_xworm
behavioral1/files/0x000a000000003cf2-28.dat	family_xworm
behavioral1/memory/1408-37-0x0000000000C60000-0x0000000000C74000-memory.dmp	family_xworm
behavioral1/memory/1952-58-0x0000000001050000-0x0000000001064000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1900	powershell.exe
2464	powershell.exe
2904	powershell.exe
1012	powershell.exe
2668	powershell.exe
2256	powershell.exe
2152	powershell.exe
2628	powershell.exe
2544	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 2 IoCs

pid	Process
1408	XClient.exe
1952	XClient.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	XClient.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	XClient.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2384	schtasks.exe
1784	schtasks.exe
2644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1900	powershell.exe
2464	powershell.exe
2668	powershell.exe
2256	powershell.exe
2904	powershell.exe
2152	powershell.exe
2628	powershell.exe
2544	powershell.exe
1012	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	XClient.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2844	XClient.exe
Token: SeDebugPrivilege	1408	XClient.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1408	XClient.exe
Token: 33	1436	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1436	AUDIODG.EXE
Token: 33	1436	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1436	AUDIODG.EXE
Token: SeDebugPrivilege	1952	XClient.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1952	XClient.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1900	2844	XClient.exe	28
PID 2844 wrote to memory of 1900	2844	XClient.exe	28
PID 2844 wrote to memory of 1900	2844	XClient.exe	28
PID 2844 wrote to memory of 2464	2844	XClient.exe	30
PID 2844 wrote to memory of 2464	2844	XClient.exe	30
PID 2844 wrote to memory of 2464	2844	XClient.exe	30
PID 2844 wrote to memory of 2668	2844	XClient.exe	32
PID 2844 wrote to memory of 2668	2844	XClient.exe	32
PID 2844 wrote to memory of 2668	2844	XClient.exe	32
PID 2844 wrote to memory of 2384	2844	XClient.exe	34
PID 2844 wrote to memory of 2384	2844	XClient.exe	34
PID 2844 wrote to memory of 2384	2844	XClient.exe	34
PID 1472 wrote to memory of 1408	1472	taskeng.exe	40
PID 1472 wrote to memory of 1408	1472	taskeng.exe	40
PID 1472 wrote to memory of 1408	1472	taskeng.exe	40
PID 1408 wrote to memory of 2256	1408	XClient.exe	41
PID 1408 wrote to memory of 2256	1408	XClient.exe	41
PID 1408 wrote to memory of 2256	1408	XClient.exe	41
PID 1408 wrote to memory of 2904	1408	XClient.exe	43
PID 1408 wrote to memory of 2904	1408	XClient.exe	43
PID 1408 wrote to memory of 2904	1408	XClient.exe	43
PID 1408 wrote to memory of 2152	1408	XClient.exe	45
PID 1408 wrote to memory of 2152	1408	XClient.exe	45
PID 1408 wrote to memory of 2152	1408	XClient.exe	45
PID 1408 wrote to memory of 1784	1408	XClient.exe	47
PID 1408 wrote to memory of 1784	1408	XClient.exe	47
PID 1408 wrote to memory of 1784	1408	XClient.exe	47
PID 1472 wrote to memory of 1952	1472	taskeng.exe	52
PID 1472 wrote to memory of 1952	1472	taskeng.exe	52
PID 1472 wrote to memory of 1952	1472	taskeng.exe	52
PID 1952 wrote to memory of 2628	1952	XClient.exe	53
PID 1952 wrote to memory of 2628	1952	XClient.exe	53
PID 1952 wrote to memory of 2628	1952	XClient.exe	53
PID 1952 wrote to memory of 2544	1952	XClient.exe	55
PID 1952 wrote to memory of 2544	1952	XClient.exe	55
PID 1952 wrote to memory of 2544	1952	XClient.exe	55
PID 1952 wrote to memory of 1012	1952	XClient.exe	57
PID 1952 wrote to memory of 1012	1952	XClient.exe	57
PID 1952 wrote to memory of 1012	1952	XClient.exe	57
PID 1952 wrote to memory of 2644	1952	XClient.exe	59
PID 1952 wrote to memory of 2644	1952	XClient.exe	59
PID 1952 wrote to memory of 2644	1952	XClient.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2384

C:\Windows\system32\taskeng.exe
taskeng.exe {45189F96-9ED4-4ED2-A415-EC8F9192B13A} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1784
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2644

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bc0a7c0743a8afe4604c7d5066bf8e8a

SHA1
75efb6ad77b948228d2d704fa87063051a610b58

SHA256
60fc9e93ba635a484f4b6f3e23f7458a18f4637e29568e0644387c8dea43a0ec

SHA512
72750b06f9c0f61461020fe53599fd62338651281a44c3d7fd94c5b337927ece060858b3934b2a5a53ee170afd03bace6868d4be8c68fb3d8389236ad04daa12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6686436d23dcf2e2f2649311da679ea3

SHA1
1e916ce9038be42aeb9ffe37d6f47e452bb66789

SHA256
3bca7d570cf16b39769ba98b246bd001236c657bd4a5cad8be557131ce6457e0

SHA512
599449523b18735fee66d4295fd5f8952239b1af0245dea8078edbf72491601d3a8c09618a767f72bfaf117222eda369d29db05dc04c69a6f53d1e48093423eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
692B

MD5
ab431076fbb106ee8d7ec4c5867719d7

SHA1
5c4916bd6c96e7ac228eefcf8f1e104c964fed0a

SHA256
b79f58c0e9703af2c999b93648c11f7c1728ae6bd0f610fbe2a24fedf4357785

SHA512
4f60e18476757083015405cf7cb2e113f2ad855538888e1cacbbb2513cfd63ff5e846293760d08dc6cf1eb82096b3c999b94768bbf1229dcf3a81fc541d83bd6

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
54KB

MD5
f54070cb3f8967ad80f93d00a02a52ea

SHA1
ddef9179a43fd625d5c3f04c8f1919379de7e480

SHA256
eb8db18db280b1d68aa5aaa05d4d6f4bdfcf9921609d2c80915f8db2bb386a0e

SHA512
a605105bec3ccc2d6cb204c5ef27247653abc41ff1ef5bc5e739e19dc7308f33f136c338c94683f2cd8d97458e63298dd98b36571bde261862e2a301755a8f7d

Download Submit
memory/1408-37-0x0000000000C60000-0x0000000000C74000-memory.dmp

Filesize
80KB

Download
memory/1900-7-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/1900-6-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/1900-8-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/1952-77-0x0000000001030000-0x000000000103C000-memory.dmp

Filesize
48KB

Download
memory/1952-76-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/1952-58-0x0000000001050000-0x0000000001064000-memory.dmp

Filesize
80KB

Download
memory/2256-43-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2464-14-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/2464-15-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2844-32-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2844-1-0x0000000000BB0000-0x0000000000BC4000-memory.dmp

Filesize
80KB

Download
memory/2844-31-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2844-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/2844-30-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download