xworm | fa71ca5766a5e57642af4006f1b240811e22fc5ff4df26d5edf994525814333d

Analysis

max time kernel
141s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa71ca5766a5e57642af4006f1b240811e22fc5ff4df26d5edf994525814333d.exe
Size

287KB
MD5

8be246099b3ff1d9e8b2e2c14f6b286e
SHA1

b1e6b5dcb351d755fbc7abdd66f9228a597731cb
SHA256

fa71ca5766a5e57642af4006f1b240811e22fc5ff4df26d5edf994525814333d
SHA512

08501fd417f39764b0633ef86aea0adf05ffb239f48f99b10cc34dd6ca76cfe3c86a33b690a99c71aafbcf059f620653144a229e2dcd3ec93b4c242821f09ca0
SSDEEP

6144:JtjL9PYIoG/hZbv5NziERtMyXbkurBIuPnBTtr2PG/i4K:JtjyIoG/PbvLziERu2VrBI6nBTJ1m

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

FDifYDumKCtsXZEN

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b92-8.dat	family_xworm
behavioral2/memory/3012-16-0x0000000000A40000-0x0000000000A4E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fa71ca5766a5e57642af4006f1b240811e22fc5ff4df26d5edf994525814333d.exe

Executes dropped EXE 1 IoCs

pid	Process
3012	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fa71ca5766a5e57642af4006f1b240811e22fc5ff4df26d5edf994525814333d.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3472	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3012	4508	fa71ca5766a5e57642af4006f1b240811e22fc5ff4df26d5edf994525814333d.exe	86
PID 4508 wrote to memory of 3012	4508	fa71ca5766a5e57642af4006f1b240811e22fc5ff4df26d5edf994525814333d.exe	86

C:\Users\Admin\AppData\Local\Temp\fa71ca5766a5e57642af4006f1b240811e22fc5ff4df26d5edf994525814333d.exe
"C:\Users\Admin\AppData\Local\Temp\fa71ca5766a5e57642af4006f1b240811e22fc5ff4df26d5edf994525814333d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
32KB

MD5
c8adc1201433e732c762f4cca0ef59d5

SHA1
0ef49322427eee1735d2cd943d645453edbbc173

SHA256
0a66ae70b388aaa6ca8228d829345728739b631586440672faf0f9dd894cb994

SHA512
8f5d476a637da21a37f6b160b7a6281bc2aa952905ef06a61aa8b2851c5edf67b1528a7c46b6295856751b79de079aa05aea371cb7211074adcd97b3e537295e

Download Submit
memory/3012-16-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/4508-0-0x00007FFF2B5F3000-0x00007FFF2B5F5000-memory.dmp

Filesize
8KB

Download
memory/4508-1-0x0000000000710000-0x000000000075E000-memory.dmp

Filesize
312KB

Download