xworm | fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

exe030.exe
Size

1.1MB
MD5

30a5ad6d62e4cd603673a9e3b3e77631
SHA1

c8d42f3efe983add08b190325239290e4fb79631
SHA256

fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090
SHA512

a0a87ea2374a4d3f8dd014011a0373f6302aa04d8dc70e9bda0e78221486057ac26ef09c3702e6ee80a3f738bcee7c8fb62363b5cd238ed36b9fb068d35113bc
SSDEEP

24576:0zAW5Wy3XuH/pR0+9vwe5oc78dBDaiMo9mRCYDwECvw:0NWHH/Dt55l4jaYKIEcw

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.23:25808

Attributes

Install_directory
%LocalAppData%
install_file
Realtek HD Audio Universal Service.exe

Extracted

Family

xworm

Version

5.0

senior-adopted.gl.at.ply.gg:56758

Mutex

Bz7AHGcWuERgvPvx

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000800000001660e-6.dat	family_xworm
behavioral1/files/0x0009000000016689-26.dat	family_xworm
behavioral1/memory/2980-35-0x00000000013E0000-0x00000000013FA000-memory.dmp	family_xworm
behavioral1/memory/1528-34-0x0000000001130000-0x0000000001140000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1640	powershell.exe
348	powershell.exe
2804	powershell.exe
2884	powershell.exe
2344	powershell.exe
2592	powershell.exe
2532	powershell.exe
672	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	2.exe

Executes dropped EXE 4 IoCs

pid	Process
1528	2.exe
1920	FREE BYPASS.exe
2980	Realtek HD Audio Universal Service.exe
1884	SAM CHEAT bypass.exe

Loads dropped DLL 2 IoCs

pid	Process
1920	FREE BYPASS.exe
1920	FREE BYPASS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Local\\Realtek HD Audio Universal Service.exe"	Realtek HD Audio Universal Service.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FREE BYPASS.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000a0000000120d6-20.dat	nsis_installer_1
behavioral1/files/0x000a0000000120d6-20.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2344	powershell.exe
2592	powershell.exe
2532	powershell.exe
672	powershell.exe
1528	2.exe
1640	powershell.exe
348	powershell.exe
2804	powershell.exe
2884	powershell.exe
2980	Realtek HD Audio Universal Service.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	Realtek HD Audio Universal Service.exe
Token: SeDebugPrivilege	1528	2.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	1528	2.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1528	2.exe
2980	Realtek HD Audio Universal Service.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1528	1364	exe030.exe	28
PID 1364 wrote to memory of 1528	1364	exe030.exe	28
PID 1364 wrote to memory of 1528	1364	exe030.exe	28
PID 1364 wrote to memory of 1920	1364	exe030.exe	29
PID 1364 wrote to memory of 1920	1364	exe030.exe	29
PID 1364 wrote to memory of 1920	1364	exe030.exe	29
PID 1364 wrote to memory of 1920	1364	exe030.exe	29
PID 1920 wrote to memory of 2980	1920	FREE BYPASS.exe	30
PID 1920 wrote to memory of 2980	1920	FREE BYPASS.exe	30
PID 1920 wrote to memory of 2980	1920	FREE BYPASS.exe	30
PID 1920 wrote to memory of 2980	1920	FREE BYPASS.exe	30
PID 1920 wrote to memory of 1884	1920	FREE BYPASS.exe	31
PID 1920 wrote to memory of 1884	1920	FREE BYPASS.exe	31
PID 1920 wrote to memory of 1884	1920	FREE BYPASS.exe	31
PID 1920 wrote to memory of 1884	1920	FREE BYPASS.exe	31
PID 1528 wrote to memory of 2344	1528	2.exe	32
PID 1528 wrote to memory of 2344	1528	2.exe	32
PID 1528 wrote to memory of 2344	1528	2.exe	32
PID 1528 wrote to memory of 2592	1528	2.exe	35
PID 1528 wrote to memory of 2592	1528	2.exe	35
PID 1528 wrote to memory of 2592	1528	2.exe	35
PID 1528 wrote to memory of 2532	1528	2.exe	37
PID 1528 wrote to memory of 2532	1528	2.exe	37
PID 1528 wrote to memory of 2532	1528	2.exe	37
PID 1528 wrote to memory of 672	1528	2.exe	39
PID 1528 wrote to memory of 672	1528	2.exe	39
PID 1528 wrote to memory of 672	1528	2.exe	39
PID 2980 wrote to memory of 1640	2980	Realtek HD Audio Universal Service.exe	41
PID 2980 wrote to memory of 1640	2980	Realtek HD Audio Universal Service.exe	41
PID 2980 wrote to memory of 1640	2980	Realtek HD Audio Universal Service.exe	41
PID 2980 wrote to memory of 348	2980	Realtek HD Audio Universal Service.exe	43
PID 2980 wrote to memory of 348	2980	Realtek HD Audio Universal Service.exe	43
PID 2980 wrote to memory of 348	2980	Realtek HD Audio Universal Service.exe	43
PID 2980 wrote to memory of 2804	2980	Realtek HD Audio Universal Service.exe	45
PID 2980 wrote to memory of 2804	2980	Realtek HD Audio Universal Service.exe	45
PID 2980 wrote to memory of 2804	2980	Realtek HD Audio Universal Service.exe	45
PID 2980 wrote to memory of 2884	2980	Realtek HD Audio Universal Service.exe	47
PID 2980 wrote to memory of 2884	2980	Realtek HD Audio Universal Service.exe	47
PID 2980 wrote to memory of 2884	2980	Realtek HD Audio Universal Service.exe	47

C:\Users\Admin\AppData\Local\Temp\exe030.exe
"C:\Users\Admin\AppData\Local\Temp\exe030.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:672
- C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.exe
  "C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
    "C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
- - C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe
    "C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe"
    3⤵
    - Executes dropped EXE
    PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
38KB

MD5
8b2dcbe05d600ce494098fd501786fb5

SHA1
20dea1f20b8506d9703c12ebbac32eb89be0b5e3

SHA256
a3ddac32a27fe5da8c189519d6a9801cbf2f4bd38c6e85b2b8dcb54351e01649

SHA512
9338ae864d823ce397d853b3ca3e699270bbd8405654e9a84714aff43343a9e0c26c0594188ce2ca43a2e4a3548c5031dcd50e2c039ec9b27b66370eae4a6920

Download Submit
C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.exe

Filesize
758KB

MD5
d73c9e865143acd7ee7b526266109048

SHA1
86cd070de3e808bfa057daf04ca7286644e33e35

SHA256
d1179ff1ecadf6756288590c6c08420ec7b9e06aa9e0effc9b2c6b9b8ca5fa4e

SHA512
a3ba88e3418d68cac8bb7d96a29fa218605933696cf1489367062f8d85d5a6c701403b24e701c668dcfeb27abdd1fd907a9815691f47d6802087b409bdc66e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe

Filesize
1.3MB

MD5
d46bcf5d90966c10fb75419041fae79f

SHA1
9db2c47dd39acd50983c963d370045fcb956d72a

SHA256
edcef9f0255fa29acdfd80bbfb03abea630eb152b19f20fca12fdd88ccf9b399

SHA512
26a241bb87b5abafbba8209135c49163e9ee97ef4f8eaa4dbaf5723b9ce7038b6bdfa9926da29ad3728a854d424168384605c3f494dc29f55249b96adcbe7fb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A4RWYJD4QCGICSHYFCNC.temp

Filesize
7KB

MD5
95c79db648837ab26322d6bf33c46adf

SHA1
d28b5a559eb098bd247b67dd4a6c1868ee1f9e90

SHA256
3877bd9470c3438307ce19c255ea5d4c24ec9a4e0df25feb92b8561a46881313

SHA512
6ff095d4805046a866d2490fb42e3f45c01d47085f7775a7c14f490de851cacd260e0f409d05589881c230a94a2cfef568ca98a0e79407cb3bf0c8e96a411271

Download Submit
\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

Filesize
79KB

MD5
066d90fb1d671648842a3b46622eb7ce

SHA1
6d0949bd4f494c9f8d80b705a79cfa9038c80e51

SHA256
8d2cf02c3005fb4bb7058df1f3a2e24b98077a8c5a8aab5c8184f4aa9ed951d8

SHA512
b22c8910e501de5fcb8e6197552396285366c9b43c4c6df4387b95a28830bf13a6ce634aadbf79e71b83879d19132c63414da5c5059edaa33be6bb71cee32745

Download Submit
memory/1528-34-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/1528-24-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/1528-85-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/2344-40-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2344-41-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/2592-47-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2592-48-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2980-35-0x00000000013E0000-0x00000000013FA000-memory.dmp

Filesize
104KB

Download