xworm | eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8

Analysis

max time kernel
118s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe
Size

625KB
MD5

3a2f7315aa9aa110c98c396bff591c0d
SHA1

33793dfc29dc8997ad535aa5a4af58b699e864a0
SHA256

eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8
SHA512

79a33baa45a0e6ef6bf9dfadee5b9bad82cd26adda7a5673e0774d31601f86d77a096ecbb74814a5a3517b7405134261f26c7d0a3876a570da66347e84d29ede
SSDEEP

12288:o7FvizoyZ7UtcPZe69HP/RdAJrz7KKLjKdUcLz9dnHJZs:oxEFZ7Ui99HvEzxjiUYdnU

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

45.141.26.214:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023c75-6.dat	family_xworm
behavioral2/memory/2136-18-0x0000000000E80000-0x0000000000E98000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4996	powershell.exe
4208	powershell.exe
4364	powershell.exe
4460	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
2136	svchost.exe
4140	windxten.exe
2212	void.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
35	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4364	powershell.exe
4364	powershell.exe
4460	powershell.exe
4460	powershell.exe
4996	powershell.exe
4996	powershell.exe
4208	powershell.exe
4208	powershell.exe
2136	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	svchost.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	2136	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2136	svchost.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 2136	876	eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe	83
PID 876 wrote to memory of 2136	876	eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe	83
PID 876 wrote to memory of 4140	876	eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe	84
PID 876 wrote to memory of 4140	876	eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe	84
PID 4140 wrote to memory of 1224	4140	windxten.exe	86
PID 4140 wrote to memory of 1224	4140	windxten.exe	86
PID 1224 wrote to memory of 3900	1224	cmd.exe	87
PID 1224 wrote to memory of 3900	1224	cmd.exe	87
PID 1224 wrote to memory of 3520	1224	cmd.exe	88
PID 1224 wrote to memory of 3520	1224	cmd.exe	88
PID 1224 wrote to memory of 3408	1224	cmd.exe	89
PID 1224 wrote to memory of 3408	1224	cmd.exe	89
PID 4140 wrote to memory of 1060	4140	windxten.exe	93
PID 4140 wrote to memory of 1060	4140	windxten.exe	93
PID 4140 wrote to memory of 4644	4140	windxten.exe	97
PID 4140 wrote to memory of 4644	4140	windxten.exe	97
PID 4644 wrote to memory of 2392	4644	cmd.exe	98
PID 4644 wrote to memory of 2392	4644	cmd.exe	98
PID 2136 wrote to memory of 4364	2136	svchost.exe	99
PID 2136 wrote to memory of 4364	2136	svchost.exe	99
PID 2136 wrote to memory of 4460	2136	svchost.exe	102
PID 2136 wrote to memory of 4460	2136	svchost.exe	102
PID 2136 wrote to memory of 4996	2136	svchost.exe	104
PID 2136 wrote to memory of 4996	2136	svchost.exe	104
PID 2136 wrote to memory of 4208	2136	svchost.exe	106
PID 2136 wrote to memory of 4208	2136	svchost.exe	106
PID 4140 wrote to memory of 2212	4140	windxten.exe	109
PID 4140 wrote to memory of 2212	4140	windxten.exe	109

C:\Users\Admin\AppData\Local\Temp\eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe
"C:\Users\Admin\AppData\Local\Temp\eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:876
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- C:\ProgramData\windxten.exe
  "C:\ProgramData\windxten.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\ProgramData\windxten.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\ProgramData\windxten.exe" MD5
      4⤵
      PID:3900
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:3520
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c MODE CON COLS=56 LINES=5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\system32\mode.com
      MODE CON COLS=56 LINES=5
      4⤵
      PID:2392
- - C:\void.exe
    "C:\void.exe"
    3⤵
    - Executes dropped EXE
    PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe

Filesize
73KB

MD5
a6e3543ed1eeb525e84cc28e97713491

SHA1
442ab143ae0ca371e495cefc87c893d1642a98df

SHA256
3cc4913315247d3d179e8bfdd5778caf030926f68bcb12aacff481dca5d7857b

SHA512
01e079a5ae6e3d3f860e0c91b61d2dbbf4c02e4f52f1ccce3f7f628c9882b4e704dfe78a4389bec70459df898acab1bc6cdb18f15e7287a8d276117bf6f7453d

Download Submit
C:\ProgramData\windxten.exe

Filesize
538KB

MD5
7775aa2691793fd8b5796622f6cdeba2

SHA1
ecf724467ccf9eff7fcfc18e62947f8a1ab66f42

SHA256
9323cca187bca8657e9bb87ac986f3e6eb0dd235edc308b2bd3ba7306ef21286

SHA512
0722d63371329f2855c38865d5517df04c20d365bf0465d22459e5edcda7a58fbd11284b4bd53e5d75ffe193549dc8c1bedac5aac05d0257c3a1eb1eac645a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
65a68df1062af34622552c4f644a5708

SHA1
6f6ecf7b4b635abb0b132d95dac2759dc14b50af

SHA256
718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35

SHA512
4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qlbprvwe.vxs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\void.exe

Filesize
3.3MB

MD5
1fb609b003d248c95520ba5e129fb910

SHA1
2bf8a36152a27a6779741e84caf44fa3cbcc6134

SHA256
5e3b6852c7433c82af0cb87244efe818ac82c7480c38bd4bea5359a6c43063c6

SHA512
072778a0e6bb08bb511e6fa54605678a1bdf78cb4ce1ced0d3678d76fd89e11755d242bc766a16fc4917ba3707173cc72d30e15e619e902db86e6b504afaad6f

Download Submit
memory/876-1-0x0000000000350000-0x00000000003F2000-memory.dmp

Filesize
648KB

Download
memory/876-0-0x00007FFF17D33000-0x00007FFF17D35000-memory.dmp

Filesize
8KB

Download
memory/2136-18-0x0000000000E80000-0x0000000000E98000-memory.dmp

Filesize
96KB

Download
memory/2136-23-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp

Filesize
10.8MB

Download
memory/2136-104-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp

Filesize
10.8MB

Download
memory/2212-103-0x000002DFBFCB0000-0x000002DFC0008000-memory.dmp

Filesize
3.3MB

Download
memory/4364-29-0x0000016A64EC0000-0x0000016A64EE2000-memory.dmp

Filesize
136KB

Download