xworm | fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe
Size

1.1MB
MD5

30a5ad6d62e4cd603673a9e3b3e77631
SHA1

c8d42f3efe983add08b190325239290e4fb79631
SHA256

fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090
SHA512

a0a87ea2374a4d3f8dd014011a0373f6302aa04d8dc70e9bda0e78221486057ac26ef09c3702e6ee80a3f738bcee7c8fb62363b5cd238ed36b9fb068d35113bc
SSDEEP

24576:0zAW5Wy3XuH/pR0+9vwe5oc78dBDaiMo9mRCYDwECvw:0NWHH/Dt55l4jaYKIEcw

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

senior-adopted.gl.at.ply.gg:56758

Mutex

Bz7AHGcWuERgvPvx

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

xworm

147.185.221.23:25808

Attributes

Install_directory
%LocalAppData%
install_file
Realtek HD Audio Universal Service.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cb1-10.dat	family_xworm
behavioral2/memory/4972-19-0x0000000000650000-0x0000000000660000-memory.dmp	family_xworm
behavioral2/files/0x0008000000023cb3-28.dat	family_xworm
behavioral2/memory/3148-40-0x0000000000F90000-0x0000000000FAA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5040	powershell.exe
244	powershell.exe
456	powershell.exe
4460	powershell.exe
2160	powershell.exe
3464	powershell.exe
4612	powershell.exe
2304	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FREE BYPASS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Realtek HD Audio Universal Service.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	2.exe

Executes dropped EXE 4 IoCs

pid	Process
4972	2.exe
3960	FREE BYPASS.exe
3148	Realtek HD Audio Universal Service.exe
3776	SAM CHEAT bypass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Local\\Realtek HD Audio Universal Service.exe"	Realtek HD Audio Universal Service.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FREE BYPASS.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0009000000023cb0-16.dat	nsis_installer_1
behavioral2/files/0x0009000000023cb0-16.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
456	powershell.exe
456	powershell.exe
4460	powershell.exe
4460	powershell.exe
2160	powershell.exe
2160	powershell.exe
3464	powershell.exe
3464	powershell.exe
3464	powershell.exe
4612	powershell.exe
4612	powershell.exe
4612	powershell.exe
2304	powershell.exe
2304	powershell.exe
5040	powershell.exe
5040	powershell.exe
4972	2.exe
244	powershell.exe
244	powershell.exe
3148	Realtek HD Audio Universal Service.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	2.exe
Token: SeDebugPrivilege	3148	Realtek HD Audio Universal Service.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	4972	2.exe
Token: SeDebugPrivilege	244	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3960	FREE BYPASS.exe
4972	2.exe
3148	Realtek HD Audio Universal Service.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4972	4960	fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe	83
PID 4960 wrote to memory of 4972	4960	fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe	83
PID 4960 wrote to memory of 3960	4960	fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe	85
PID 4960 wrote to memory of 3960	4960	fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe	85
PID 4960 wrote to memory of 3960	4960	fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe	85
PID 3960 wrote to memory of 3148	3960	FREE BYPASS.exe	89
PID 3960 wrote to memory of 3148	3960	FREE BYPASS.exe	89
PID 3960 wrote to memory of 3776	3960	FREE BYPASS.exe	90
PID 3960 wrote to memory of 3776	3960	FREE BYPASS.exe	90
PID 4972 wrote to memory of 456	4972	2.exe	94
PID 4972 wrote to memory of 456	4972	2.exe	94
PID 4972 wrote to memory of 4460	4972	2.exe	98
PID 4972 wrote to memory of 4460	4972	2.exe	98
PID 4972 wrote to memory of 2160	4972	2.exe	100
PID 4972 wrote to memory of 2160	4972	2.exe	100
PID 4972 wrote to memory of 3464	4972	2.exe	102
PID 4972 wrote to memory of 3464	4972	2.exe	102
PID 3148 wrote to memory of 4612	3148	Realtek HD Audio Universal Service.exe	104
PID 3148 wrote to memory of 4612	3148	Realtek HD Audio Universal Service.exe	104
PID 3148 wrote to memory of 2304	3148	Realtek HD Audio Universal Service.exe	106
PID 3148 wrote to memory of 2304	3148	Realtek HD Audio Universal Service.exe	106
PID 3148 wrote to memory of 5040	3148	Realtek HD Audio Universal Service.exe	108
PID 3148 wrote to memory of 5040	3148	Realtek HD Audio Universal Service.exe	108
PID 3148 wrote to memory of 244	3148	Realtek HD Audio Universal Service.exe	110
PID 3148 wrote to memory of 244	3148	Realtek HD Audio Universal Service.exe	110

C:\Users\Admin\AppData\Local\Temp\fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe
"C:\Users\Admin\AppData\Local\Temp\fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3464
- C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.exe
  "C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
    "C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:244
- - C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe
    "C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe"
    3⤵
    - Executes dropped EXE
    PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e25058a5d8ac6b42d8c7c9883c598303

SHA1
bd9e6194a36a959772fc020f905244900ffc3d57

SHA256
9f6fe2203df58ba90b512b436fd74f5eeb4f39f4f9f54a41e882fc54e5f35d51

SHA512
0146f2d1298acf189005217784e952d6e99bf7c8bf24ae9e9af1a2ca3d881dca39f19f3ecd06c7d0ad919bc929edaf6e97e0ab2d7f71733b9422527c594ea0c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5a4647bc07b9b3427fedb719062d98dd

SHA1
3d33cde34515bd51ca1e537e3e88b2121e347726

SHA256
7237d30aca79f45a6610b3d2b1f91671a6be9bd380322e03fe1ad96166072cfd

SHA512
33572a23e5c387bd7bf9c7c62f285d68bcb294fe629664957352469dff95ec591753a8493678415f240368556176cf4454d572e91e75cdaccb6108dc73406dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6e09573715495338a569f0316d59af57

SHA1
1a9fd3073801c241b276cdb8b3d7035afbcd0c8d

SHA256
bdad2d4c1b3475754cb3b9ef41a9eda243f46e30117539f81399c977a459b570

SHA512
61add4e0cfef5f138e95f0d941c39c0bce038a47fbc262d5622a0fdf46621231653adfcca3b81bef3a662a37c288e1e9644bed44591551aea5399a370afaeced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f3bc9dee8a80a73a256a69e26fe61c07

SHA1
bc546c10ce1b4cb47b89ea60498384f88f96fa5a

SHA256
3c7f3194722f46cb07885da576daf720a5133913b3fbce4a3ef8c8040028364d

SHA512
be2d861832db826ee67f03e6a9151dc6802481c3b5984ce457e43cebecd162f60460ccf7ac5893169d01eff77e2a863c5e323d68e07f2b1b3d6dab5884f7ac6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
38KB

MD5
8b2dcbe05d600ce494098fd501786fb5

SHA1
20dea1f20b8506d9703c12ebbac32eb89be0b5e3

SHA256
a3ddac32a27fe5da8c189519d6a9801cbf2f4bd38c6e85b2b8dcb54351e01649

SHA512
9338ae864d823ce397d853b3ca3e699270bbd8405654e9a84714aff43343a9e0c26c0594188ce2ca43a2e4a3548c5031dcd50e2c039ec9b27b66370eae4a6920

Download Submit
C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.exe

Filesize
758KB

MD5
d73c9e865143acd7ee7b526266109048

SHA1
86cd070de3e808bfa057daf04ca7286644e33e35

SHA256
d1179ff1ecadf6756288590c6c08420ec7b9e06aa9e0effc9b2c6b9b8ca5fa4e

SHA512
a3ba88e3418d68cac8bb7d96a29fa218605933696cf1489367062f8d85d5a6c701403b24e701c668dcfeb27abdd1fd907a9815691f47d6802087b409bdc66e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

Filesize
79KB

MD5
066d90fb1d671648842a3b46622eb7ce

SHA1
6d0949bd4f494c9f8d80b705a79cfa9038c80e51

SHA256
8d2cf02c3005fb4bb7058df1f3a2e24b98077a8c5a8aab5c8184f4aa9ed951d8

SHA512
b22c8910e501de5fcb8e6197552396285366c9b43c4c6df4387b95a28830bf13a6ce634aadbf79e71b83879d19132c63414da5c5059edaa33be6bb71cee32745

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe

Filesize
1.3MB

MD5
d46bcf5d90966c10fb75419041fae79f

SHA1
9db2c47dd39acd50983c963d370045fcb956d72a

SHA256
edcef9f0255fa29acdfd80bbfb03abea630eb152b19f20fca12fdd88ccf9b399

SHA512
26a241bb87b5abafbba8209135c49163e9ee97ef4f8eaa4dbaf5723b9ce7038b6bdfa9926da29ad3728a854d424168384605c3f494dc29f55249b96adcbe7fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fr01zws2.zoc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/456-52-0x000001766FBF0000-0x000001766FC12000-memory.dmp

Filesize
136KB

Download
memory/3148-40-0x0000000000F90000-0x0000000000FAA000-memory.dmp

Filesize
104KB

Download
memory/4972-19-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/4972-18-0x00007FF9D5293000-0x00007FF9D5295000-memory.dmp

Filesize
8KB

Download
memory/4972-136-0x00007FF9D5290000-0x00007FF9D5D51000-memory.dmp

Filesize
10.8MB

Download
memory/4972-139-0x00007FF9D5293000-0x00007FF9D5295000-memory.dmp

Filesize
8KB

Download
memory/4972-140-0x00007FF9D5290000-0x00007FF9D5D51000-memory.dmp

Filesize
10.8MB

Download