xworm | bcd0ac1f3df9c064c81fdae2cdd838ab757144ec0737ea494bc9b705b09c0de5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe
Size

1.1MB
MD5

30a5ad6d62e4cd603673a9e3b3e77631
SHA1

c8d42f3efe983add08b190325239290e4fb79631
SHA256

fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090
SHA512

a0a87ea2374a4d3f8dd014011a0373f6302aa04d8dc70e9bda0e78221486057ac26ef09c3702e6ee80a3f738bcee7c8fb62363b5cd238ed36b9fb068d35113bc
SSDEEP

24576:0zAW5Wy3XuH/pR0+9vwe5oc78dBDaiMo9mRCYDwECvw:0NWHH/Dt55l4jaYKIEcw

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

senior-adopted.gl.at.ply.gg:56758

Mutex

Bz7AHGcWuERgvPvx

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

xworm

147.185.221.23:25808

Attributes

Install_directory
%LocalAppData%
install_file
Realtek HD Audio Universal Service.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b88-6.dat	family_xworm
behavioral2/memory/3532-20-0x0000000000690000-0x00000000006A0000-memory.dmp	family_xworm
behavioral2/files/0x000b000000023b8b-28.dat	family_xworm
behavioral2/memory/4904-41-0x00000000008C0000-0x00000000008DA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2440	powershell.exe
3016	powershell.exe
2072	powershell.exe
1480	powershell.exe
3468	powershell.exe
2128	powershell.exe
4420	powershell.exe
3060	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	FREE BYPASS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Realtek HD Audio Universal Service.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	2.exe

Executes dropped EXE 4 IoCs

pid	Process
3532	2.exe
2808	FREE BYPASS.exe
4904	Realtek HD Audio Universal Service.exe
4288	SAM CHEAT bypass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Local\\Realtek HD Audio Universal Service.exe"	Realtek HD Audio Universal Service.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FREE BYPASS.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000d000000023b25-16.dat	nsis_installer_1
behavioral2/files/0x000d000000023b25-16.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3468	powershell.exe
3468	powershell.exe
2128	powershell.exe
2128	powershell.exe
2128	powershell.exe
4420	powershell.exe
4420	powershell.exe
4420	powershell.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
3016	powershell.exe
3016	powershell.exe
3016	powershell.exe
2072	powershell.exe
2072	powershell.exe
2072	powershell.exe
1480	powershell.exe
1480	powershell.exe
3532	2.exe
4904	Realtek HD Audio Universal Service.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3532	2.exe
Token: SeDebugPrivilege	4904	Realtek HD Audio Universal Service.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	3532	2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2808	FREE BYPASS.exe
3532	2.exe
4904	Realtek HD Audio Universal Service.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 3532	5084	fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe	83
PID 5084 wrote to memory of 3532	5084	fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe	83
PID 5084 wrote to memory of 2808	5084	fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe	85
PID 5084 wrote to memory of 2808	5084	fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe	85
PID 5084 wrote to memory of 2808	5084	fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe	85
PID 2808 wrote to memory of 4904	2808	FREE BYPASS.exe	87
PID 2808 wrote to memory of 4904	2808	FREE BYPASS.exe	87
PID 2808 wrote to memory of 4288	2808	FREE BYPASS.exe	88
PID 2808 wrote to memory of 4288	2808	FREE BYPASS.exe	88
PID 3532 wrote to memory of 3468	3532	2.exe	94
PID 3532 wrote to memory of 3468	3532	2.exe	94
PID 3532 wrote to memory of 2128	3532	2.exe	98
PID 3532 wrote to memory of 2128	3532	2.exe	98
PID 3532 wrote to memory of 4420	3532	2.exe	100
PID 3532 wrote to memory of 4420	3532	2.exe	100
PID 4904 wrote to memory of 3060	4904	Realtek HD Audio Universal Service.exe	102
PID 4904 wrote to memory of 3060	4904	Realtek HD Audio Universal Service.exe	102
PID 3532 wrote to memory of 2440	3532	2.exe	104
PID 3532 wrote to memory of 2440	3532	2.exe	104
PID 4904 wrote to memory of 3016	4904	Realtek HD Audio Universal Service.exe	106
PID 4904 wrote to memory of 3016	4904	Realtek HD Audio Universal Service.exe	106
PID 4904 wrote to memory of 2072	4904	Realtek HD Audio Universal Service.exe	108
PID 4904 wrote to memory of 2072	4904	Realtek HD Audio Universal Service.exe	108
PID 4904 wrote to memory of 1480	4904	Realtek HD Audio Universal Service.exe	110
PID 4904 wrote to memory of 1480	4904	Realtek HD Audio Universal Service.exe	110

C:\Users\Admin\AppData\Local\Temp\fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe
"C:\Users\Admin\AppData\Local\Temp\fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.exe
  "C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
    "C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1480
- - C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe
    "C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe"
    3⤵
    - Executes dropped EXE
    PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a4db2a8eea384d533ccbb985ee5f9ae4

SHA1
6e02b9040fb183935ad9b7d5c275a38dedd8bbcb

SHA256
46addd3ed52002f573e9e13c1f177e50e6067f9f4987e64e18bb0733044e46af

SHA512
0a1ba4809aed0a7965875c7a56fccf9c715ff7d7c6b570b7b19dde498ed765d7c61a48e6fb53cf9577415933ce0974c17a820660829b1a4f11851b912ead1f4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3072fa0040b347c3941144486bf30c6f

SHA1
e6dc84a5bd882198583653592f17af1bf8cbfc68

SHA256
da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

SHA512
62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
380007fbdf9fef355db2afd71fce9cd1

SHA1
e98802ef10fac8ef96a3210930784c317ca76fa0

SHA256
6353a11014d2c1495ac7a5efef195d06d8e8b30a163c437263361deb5a28de03

SHA512
9790c6b4c16ed4f4e6cddf492d01a6b4963e20bde6ddf40017db20ffc672b0cfaea2ad6aebcb51e8e459682974be0d024b35546aad840051a1e9fe2d3e565bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bb812b3e31d6bcd9430e1859693c9856

SHA1
2e2fd106bd4c2cfb827a2db22cdfc12d9a2aebe1

SHA256
36d73bca447ed277c72b5af7fe1e4f8d076e857fa82a7dd00e485138b9da673b

SHA512
8bb6f11f4a69f6b1b0a2ff36f45c646cb726933a613e7c4d4b7c20e6c042616047beb4057675687d9f96e564c141b1a4b6f50fe793ec163393d57124a06319f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
38KB

MD5
8b2dcbe05d600ce494098fd501786fb5

SHA1
20dea1f20b8506d9703c12ebbac32eb89be0b5e3

SHA256
a3ddac32a27fe5da8c189519d6a9801cbf2f4bd38c6e85b2b8dcb54351e01649

SHA512
9338ae864d823ce397d853b3ca3e699270bbd8405654e9a84714aff43343a9e0c26c0594188ce2ca43a2e4a3548c5031dcd50e2c039ec9b27b66370eae4a6920

Download Submit
C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.exe

Filesize
758KB

MD5
d73c9e865143acd7ee7b526266109048

SHA1
86cd070de3e808bfa057daf04ca7286644e33e35

SHA256
d1179ff1ecadf6756288590c6c08420ec7b9e06aa9e0effc9b2c6b9b8ca5fa4e

SHA512
a3ba88e3418d68cac8bb7d96a29fa218605933696cf1489367062f8d85d5a6c701403b24e701c668dcfeb27abdd1fd907a9815691f47d6802087b409bdc66e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

Filesize
79KB

MD5
066d90fb1d671648842a3b46622eb7ce

SHA1
6d0949bd4f494c9f8d80b705a79cfa9038c80e51

SHA256
8d2cf02c3005fb4bb7058df1f3a2e24b98077a8c5a8aab5c8184f4aa9ed951d8

SHA512
b22c8910e501de5fcb8e6197552396285366c9b43c4c6df4387b95a28830bf13a6ce634aadbf79e71b83879d19132c63414da5c5059edaa33be6bb71cee32745

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe

Filesize
1.3MB

MD5
d46bcf5d90966c10fb75419041fae79f

SHA1
9db2c47dd39acd50983c963d370045fcb956d72a

SHA256
edcef9f0255fa29acdfd80bbfb03abea630eb152b19f20fca12fdd88ccf9b399

SHA512
26a241bb87b5abafbba8209135c49163e9ee97ef4f8eaa4dbaf5723b9ce7038b6bdfa9926da29ad3728a854d424168384605c3f494dc29f55249b96adcbe7fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojd4rpsi.1d1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3468-52-0x000001EA772C0000-0x000001EA772E2000-memory.dmp

Filesize
136KB

Download
memory/3532-20-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/3532-18-0x00007FFA20893000-0x00007FFA20895000-memory.dmp

Filesize
8KB

Download
memory/3532-137-0x00007FFA20890000-0x00007FFA21351000-memory.dmp

Filesize
10.8MB

Download
memory/3532-139-0x00007FFA20893000-0x00007FFA20895000-memory.dmp

Filesize
8KB

Download
memory/3532-140-0x00007FFA20890000-0x00007FFA21351000-memory.dmp

Filesize
10.8MB

Download
memory/4904-41-0x00000000008C0000-0x00000000008DA000-memory.dmp

Filesize
104KB

Download