xworm | 1457255025579c965caeae70fb78e8b65fa1791cac8524c35dfec8124c3093f1

Analysis

max time kernel
133s
max time network
142s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-11-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

33KB
MD5

47b197f16face93814adfec054a2a9bd
SHA1

a4f5a8c9333d038719372ffc375ef091ab834a8e
SHA256

1457255025579c965caeae70fb78e8b65fa1791cac8524c35dfec8124c3093f1
SHA512

34d143afb614a64d623b0a9a7f7d26f49b192c59e5b0ded379cb0f4d9a731cef3cc5cc2399d27d5118c2392ffab7b81fa420748005afdaf1c6b2a67721a322c8
SSDEEP

768:1AKdijXMwX1eJGl8y0UaKt4qNGU/fZl+BcgN7AlTF59i8O9hVS8Rt9:KjXMwX1eJGl8y0UbTIUXZcB5N7QF59ip

Score

10^/10

xworm evasion persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Mutex

avDNEinrJ0P6RQUY

Attributes

install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/3428-5-0x0000000002560000-0x000000000256C000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3428-1-0x00000000003E0000-0x00000000003EE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2372	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3428	XClient.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	XClient.exe
Token: 33	1888	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1888	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3428	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3428	XClient.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 2372	3428	XClient.exe	89
PID 3428 wrote to memory of 2372	3428	XClient.exe	89

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x3e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3428-0-0x00007FF8005E3000-0x00007FF8005E5000-memory.dmp

Filesize
8KB

Download
memory/3428-1-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/3428-2-0x00007FF8005E0000-0x00007FF8010A2000-memory.dmp

Filesize
10.8MB

Download
memory/3428-3-0x00007FF8005E3000-0x00007FF8005E5000-memory.dmp

Filesize
8KB

Download
memory/3428-4-0x00007FF8005E0000-0x00007FF8010A2000-memory.dmp

Filesize
10.8MB

Download
memory/3428-5-0x0000000002560000-0x000000000256C000-memory.dmp

Filesize
48KB

Download
memory/3428-6-0x0000000002570000-0x000000000257A000-memory.dmp

Filesize
40KB

Download