xworm | 4856b6b56eb3041a82eb27960edade517b4887278b634ef8e8a8af492c42565b

Analysis

max time kernel
30s
max time network
33s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20/11/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Admin_Tools.exe
Size

11.9MB
MD5

ba73b05ff9b01c18bf49fa758d75cee4
SHA1

b1166f33c0928fe811a735fb4b3b64eb70b8e0c0
SHA256

4856b6b56eb3041a82eb27960edade517b4887278b634ef8e8a8af492c42565b
SHA512

7cc0a3a100d0c70aa4e5bf6d363acb6fde489bcfbf5762afe9edb5aa636558671bb26fee2af1e1f26e1c34fc19a649b620b72c398d4424a5663d9cbdae5ce61a
SSDEEP

196608:+yvlodBDq/LLsnXe0Xb3Qsu3Sjd5+s8VINpkGNSN1Jyci9UcpLl5xJkNlulQqPR/:+nu/aXlgJCjd5I0Xo1Jy0Blulj1f

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

soon-console.gl.at.ply.gg:60222

127.0.0.1:7000

Mutex

uv0uHPhnJRlnE2ie

Attributes

Install_directory
%AppData%
install_file
Windows.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00290000000450c4-21.dat	family_xworm
behavioral1/memory/2236-35-0x0000000000740000-0x0000000000792000-memory.dmp	family_xworm
behavioral1/files/0x00280000000450ce-46.dat	family_xworm
behavioral1/memory/1900-57-0x0000000000D00000-0x0000000000D0E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3796	powershell.exe
548	powershell.exe
1256	powershell.exe
560	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	Admin_Tools.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	Admin Tools.rar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	Black - Copy (2).exe

Executes dropped EXE 3 IoCs

pid	Process
3572	Admin Tools.rar.exe
2236	Black - Copy (2).exe
1900	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Windows.exe"	Black - Copy (2).exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\Local Settings	Admin Tools.rar.exe
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3796	powershell.exe
3796	powershell.exe
548	powershell.exe
548	powershell.exe
1256	powershell.exe
1256	powershell.exe
560	powershell.exe
560	powershell.exe
2236	Black - Copy (2).exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	Black - Copy (2).exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	1900	XClient.exe
Token: SeIncreaseQuotaPrivilege	3796	powershell.exe
Token: SeSecurityPrivilege	3796	powershell.exe
Token: SeTakeOwnershipPrivilege	3796	powershell.exe
Token: SeLoadDriverPrivilege	3796	powershell.exe
Token: SeSystemProfilePrivilege	3796	powershell.exe
Token: SeSystemtimePrivilege	3796	powershell.exe
Token: SeProfSingleProcessPrivilege	3796	powershell.exe
Token: SeIncBasePriorityPrivilege	3796	powershell.exe
Token: SeCreatePagefilePrivilege	3796	powershell.exe
Token: SeBackupPrivilege	3796	powershell.exe
Token: SeRestorePrivilege	3796	powershell.exe
Token: SeShutdownPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeSystemEnvironmentPrivilege	3796	powershell.exe
Token: SeRemoteShutdownPrivilege	3796	powershell.exe
Token: SeUndockPrivilege	3796	powershell.exe
Token: SeManageVolumePrivilege	3796	powershell.exe
Token: 33	3796	powershell.exe
Token: 34	3796	powershell.exe
Token: 35	3796	powershell.exe
Token: 36	3796	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeIncreaseQuotaPrivilege	548	powershell.exe
Token: SeSecurityPrivilege	548	powershell.exe
Token: SeTakeOwnershipPrivilege	548	powershell.exe
Token: SeLoadDriverPrivilege	548	powershell.exe
Token: SeSystemProfilePrivilege	548	powershell.exe
Token: SeSystemtimePrivilege	548	powershell.exe
Token: SeProfSingleProcessPrivilege	548	powershell.exe
Token: SeIncBasePriorityPrivilege	548	powershell.exe
Token: SeCreatePagefilePrivilege	548	powershell.exe
Token: SeBackupPrivilege	548	powershell.exe
Token: SeRestorePrivilege	548	powershell.exe
Token: SeShutdownPrivilege	548	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeSystemEnvironmentPrivilege	548	powershell.exe
Token: SeRemoteShutdownPrivilege	548	powershell.exe
Token: SeUndockPrivilege	548	powershell.exe
Token: SeManageVolumePrivilege	548	powershell.exe
Token: 33	548	powershell.exe
Token: 34	548	powershell.exe
Token: 35	548	powershell.exe
Token: 36	548	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeIncreaseQuotaPrivilege	1256	powershell.exe
Token: SeSecurityPrivilege	1256	powershell.exe
Token: SeTakeOwnershipPrivilege	1256	powershell.exe
Token: SeLoadDriverPrivilege	1256	powershell.exe
Token: SeSystemProfilePrivilege	1256	powershell.exe
Token: SeSystemtimePrivilege	1256	powershell.exe
Token: SeProfSingleProcessPrivilege	1256	powershell.exe
Token: SeIncBasePriorityPrivilege	1256	powershell.exe
Token: SeCreatePagefilePrivilege	1256	powershell.exe
Token: SeBackupPrivilege	1256	powershell.exe
Token: SeRestorePrivilege	1256	powershell.exe
Token: SeShutdownPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeSystemEnvironmentPrivilege	1256	powershell.exe
Token: SeRemoteShutdownPrivilege	1256	powershell.exe
Token: SeUndockPrivilege	1256	powershell.exe
Token: SeManageVolumePrivilege	1256	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1304	OpenWith.exe
1304	OpenWith.exe
1304	OpenWith.exe
2236	Black - Copy (2).exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 3572	4432	Admin_Tools.exe	84
PID 4432 wrote to memory of 3572	4432	Admin_Tools.exe	84
PID 4432 wrote to memory of 2236	4432	Admin_Tools.exe	85
PID 4432 wrote to memory of 2236	4432	Admin_Tools.exe	85
PID 3572 wrote to memory of 1900	3572	Admin Tools.rar.exe	87
PID 3572 wrote to memory of 1900	3572	Admin Tools.rar.exe	87
PID 2236 wrote to memory of 3796	2236	Black - Copy (2).exe	92
PID 2236 wrote to memory of 3796	2236	Black - Copy (2).exe	92
PID 2236 wrote to memory of 548	2236	Black - Copy (2).exe	95
PID 2236 wrote to memory of 548	2236	Black - Copy (2).exe	95
PID 2236 wrote to memory of 1256	2236	Black - Copy (2).exe	98
PID 2236 wrote to memory of 1256	2236	Black - Copy (2).exe	98
PID 2236 wrote to memory of 560	2236	Black - Copy (2).exe	100
PID 2236 wrote to memory of 560	2236	Black - Copy (2).exe	100

C:\Users\Admin\AppData\Local\Temp\Admin_Tools.exe
"C:\Users\Admin\AppData\Local\Temp\Admin_Tools.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\Admin Tools.rar.exe
  "C:\Users\Admin\AppData\Local\Temp\Admin Tools.rar.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Users\Admin\AppData\Roaming\XClient.exe
    "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- C:\Users\Admin\AppData\Local\Temp\Black - Copy (2).exe
  "C:\Users\Admin\AppData\Local\Temp\Black - Copy (2).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Black - Copy (2).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Black - Copy (2).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f28ed8a37ce59680f33fdf468a8a98a0

SHA1
522ff3270882310ce903de9fa0e16b662bad509e

SHA256
167257a29e8b2a732a089ce0d1f8346b8629d587da8e056ecc9e9ff79ec76484

SHA512
3a8c1637068e0012c858ed8a2feb12acc83fcc854c6c911f1ebd3db2d4a620c9e6e5cfbea95eb690dfcaa46c6f4d11ed37144090b3830a5640a2294cf822c731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85e8121ba94480e293a66423841d414c

SHA1
4b2ccb305a86cc40082aca8e87e8f205347a456e

SHA256
ed29479ad5ba86b59f0088cebdb845862ad4cffc96ece1f4ff7de8e511fc5c17

SHA512
c9922c941f26be1f63ccb00106cc8b3e2025fc176e7a4f099a008fe3f89afebd6a1e99b73b3dd322c3b26a0aece60091ea48e433a1df586aa4fcda5cf666b692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin Tools.rar.exe

Filesize
11.8MB

MD5
ddcffb7143bb8073f53391fd44159950

SHA1
e55cfccc6eefd6c8079f6e18459a3eb509107bd2

SHA256
ddfe0cfb0d6ff02a67de60e59a1f212403d075eb1afebccb7e21e094d463a33a

SHA512
1538f3ee18787485e727904eeac50ea6dbf207ff5aa61620223a33aa5c7c743d17c1ab9c499f04cb6e3954c28434f0dd01ef94412e2a62a94e77d9f996a8db27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Black - Copy (2).exe

Filesize
304KB

MD5
97b59d26c02cb6ebabbf28cf875b01a1

SHA1
6a1714e85eef8d02fd30d38c6ff9be228d1e85ce

SHA256
2ddf37609abdde2f9487f78f1a4a61cd889af989d41be8690a5ff5163fad1491

SHA512
7d195750b6ad1afa7228f039c4d8d1b5027dd630c115f8c16c410e846b6ee499d5d09ca887b2e78b800e86f37b5bff1afd02771bdf96339c7ecd6021609521c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_glfkt2ov.ree.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Admin Tools.rar

Filesize
11.8MB

MD5
e1ea29674dd974b512bcbce795125c36

SHA1
692eb95e5ebd143e52469de9881468c84cfa716a

SHA256
42160df9a104bb4a287477af00672753be7bdec93badce0c766fafd88da0af3f

SHA512
a3659c3d6021f86af1cf8c4f35247e71c30cc5944c5029477636da6f384233b9d6babc82bf3fa92ae3374d91a0fe71be9b84fbf69fdfc2138e621e3d839de0a9

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
32KB

MD5
c8adc1201433e732c762f4cca0ef59d5

SHA1
0ef49322427eee1735d2cd943d645453edbbc173

SHA256
0a66ae70b388aaa6ca8228d829345728739b631586440672faf0f9dd894cb994

SHA512
8f5d476a637da21a37f6b160b7a6281bc2aa952905ef06a61aa8b2851c5edf67b1528a7c46b6295856751b79de079aa05aea371cb7211074adcd97b3e537295e

Download Submit
memory/1900-57-0x0000000000D00000-0x0000000000D0E000-memory.dmp

Filesize
56KB

Download
memory/2236-108-0x0000000000F80000-0x0000000000FB4000-memory.dmp

Filesize
208KB

Download
memory/2236-36-0x00007FF807760000-0x00007FF808222000-memory.dmp

Filesize
10.8MB

Download
memory/2236-110-0x00007FF807760000-0x00007FF808222000-memory.dmp

Filesize
10.8MB

Download
memory/2236-59-0x00007FF807760000-0x00007FF808222000-memory.dmp

Filesize
10.8MB

Download
memory/2236-35-0x0000000000740000-0x0000000000792000-memory.dmp

Filesize
328KB

Download
memory/2236-109-0x00007FF807760000-0x00007FF808222000-memory.dmp

Filesize
10.8MB

Download
memory/2236-107-0x000000001BBB0000-0x000000001BCAF000-memory.dmp

Filesize
1020KB

Download
memory/3572-58-0x00007FF807760000-0x00007FF808222000-memory.dmp

Filesize
10.8MB

Download
memory/3572-32-0x00007FF807760000-0x00007FF808222000-memory.dmp

Filesize
10.8MB

Download
memory/3572-33-0x0000000000540000-0x000000000111C000-memory.dmp

Filesize
11.9MB

Download
memory/3796-65-0x000002B5FFCA0000-0x000002B5FFCC2000-memory.dmp

Filesize
136KB

Download
memory/4432-1-0x0000000000970000-0x000000000155E000-memory.dmp

Filesize
11.9MB

Download
memory/4432-7-0x00007FF807760000-0x00007FF808222000-memory.dmp

Filesize
10.8MB

Download
memory/4432-34-0x00007FF807760000-0x00007FF808222000-memory.dmp

Filesize
10.8MB

Download
memory/4432-0-0x00007FF807763000-0x00007FF807765000-memory.dmp

Filesize
8KB

Download