xworm | d4d38f87de58a5245ab1a01a7e28df51f69e890ab05ebc67ede60bf59221c721

General

Target

Nursultan/Nurik.exe
Size

93.0MB
MD5

a7af4ea5482967126191e729140dfd4c
SHA1

dbff744bbc2f7adfbe337f3fd700c50433301b2d
SHA256

5cac4982836ceae3b8de591f5f469234c5e75dd5c90757279015ddd6b73251d6
SHA512

4734bde77c6fe490589aeb7ac142fa293b59b09cda0226bc22b2c8928c2d4cd1ef47cab95d88a7618c9dd76fe482a346bd6dd2186dea7610e5697c3b46c32156
SSDEEP

1536:OfeHtRfrimdNmkKZr311OGAiQj39IdcCqcAPh9KE:nHtRp6r311RAzj390VAPh9v

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:38492

warning-ms.gl.at.ply.gg:38492

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00190000000055b1-12.dat	family_xworm
behavioral1/memory/2536-15-0x00000000010A0000-0x00000000010BC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe
3000	powershell.exe
580	powershell.exe
2868	powershell.exe
2240	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Nursultan.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	Nursultan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Nursultan.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2644	powershell.exe
3000	powershell.exe
580	powershell.exe
2868	powershell.exe
2240	powershell.exe
2536	Nursultan.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2536	Nursultan.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2536	Nursultan.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2536	Nursultan.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2644	1716	Nurik.exe	28
PID 1716 wrote to memory of 2644	1716	Nurik.exe	28
PID 1716 wrote to memory of 2644	1716	Nurik.exe	28
PID 1716 wrote to memory of 2536	1716	Nurik.exe	30
PID 1716 wrote to memory of 2536	1716	Nurik.exe	30
PID 1716 wrote to memory of 2536	1716	Nurik.exe	30
PID 2536 wrote to memory of 3000	2536	Nursultan.exe	32
PID 2536 wrote to memory of 3000	2536	Nursultan.exe	32
PID 2536 wrote to memory of 3000	2536	Nursultan.exe	32
PID 2536 wrote to memory of 580	2536	Nursultan.exe	34
PID 2536 wrote to memory of 580	2536	Nursultan.exe	34
PID 2536 wrote to memory of 580	2536	Nursultan.exe	34
PID 2536 wrote to memory of 2868	2536	Nursultan.exe	36
PID 2536 wrote to memory of 2868	2536	Nursultan.exe	36
PID 2536 wrote to memory of 2868	2536	Nursultan.exe	36
PID 2536 wrote to memory of 2240	2536	Nursultan.exe	38
PID 2536 wrote to memory of 2240	2536	Nursultan.exe	38
PID 2536 wrote to memory of 2240	2536	Nursultan.exe	38

C:\Users\Admin\AppData\Local\Temp\Nursultan\Nurik.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan\Nurik.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
87KB

MD5
38fc92faaaa97884e49674a2fb59dffa

SHA1
d2fdfcd6a426e4a0eb3dfc3b1c0d09ea0db945a2

SHA256
26d868f392303276bb62ce6771ec4bae63add8874e2621549d447490112ba992

SHA512
b8d4a64a9e02e96848d9285b3a6e7986cf4c54a520f75354008815790d7001361b3e570d9ff1c2d5e747ee1943b6bee791012120b536b06edb534aa76c445777

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CHCDMSJG0JCZCJPOAR55.temp

Filesize
7KB

MD5
342497d4c40c9ce3b67944bd67ac15e2

SHA1
ce61b6d87970fbc09db68a8e1f8a9e05b793a47d

SHA256
1429a48786158583612daec1072b817d89977c213297487250cd781242792344

SHA512
5156f969da0afcd64e9aa2a551002691df1e0c4215ac03819e2f68c737a79fb69b576401fa630e6f02157870c6af62a677c02c854e38294f928fac478b0b7253

Download Submit
memory/580-28-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1716-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/1716-1-0x000000013FB10000-0x000000013FB24000-memory.dmp

Filesize
80KB

Download
memory/1716-2-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/2536-15-0x00000000010A0000-0x00000000010BC000-memory.dmp

Filesize
112KB

Download
memory/2644-7-0x0000000002DE0000-0x0000000002E60000-memory.dmp

Filesize
512KB

Download
memory/2644-8-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2644-9-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/3000-21-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/3000-22-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads