xworm | 7ec4beaf8109398c4951d73659beb02b290acc7c1cc9759624aeea2302a9279b

General

Target

FZWHJ_XClient.exe
Size

40KB
MD5

f3d8b96931d1aa9f0c31f92f2db6c903
SHA1

7aea8c37bb34cadef6ea87630c5b6c525cfad509
SHA256

7ec4beaf8109398c4951d73659beb02b290acc7c1cc9759624aeea2302a9279b
SHA512

2e7bf4813fbdf426115ee2f69523765b83aab30dba9d679adb90dceb040515872ae9ff9739e39e4294580557c542b0e2f21683596e3c6894871f6a484b99e082
SSDEEP

768:rIDwCrxY4mpc9i32v6hCuuJf27ZZfFWPG9/OQ6OOwhujGb8:cDwCFY4gckGwCuuJfKFv9/OQ6OOwoCY

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

10.9.248.138:29647

Mutex

bqj2YDk3d9XilFuu

Attributes

Install_directory
%AppData%
install_file
$77MicrosoftDefender.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/3056-1-0x0000000000250000-0x0000000000260000-memory.dmp	family_xworm
behavioral1/memory/2800-36-0x00000000000D0000-0x00000000000E0000-memory.dmp	family_xworm
behavioral1/files/0x000a0000000120f9-35.dat	family_xworm
behavioral1/memory/1332-39-0x00000000013A0000-0x00000000013B0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2832	powershell.exe
2524	powershell.exe
2260	powershell.exe
2996	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2636	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	FZWHJ_XClient.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2524	3056	FZWHJ_XClient.exe	30
PID 3056 wrote to memory of 2524	3056	FZWHJ_XClient.exe	30
PID 3056 wrote to memory of 2524	3056	FZWHJ_XClient.exe	30

C:\Users\Admin\AppData\Local\Temp\FZWHJ_XClient.exe
"C:\Users\Admin\AppData\Local\Temp\FZWHJ_XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FZWHJ_XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FZWHJ_XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77MicrosoftDefender.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2832
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77MicrosoftDefender" /tr "C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2636

C:\Windows\system32\taskeng.exe
taskeng.exe {311BEF29-D3D4-4E75-AA3A-EE56A7F3B5C5} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:2896
- C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe
  C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe
  2⤵
  PID:2800
- C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe
  C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe
  2⤵
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe

Filesize
40KB

MD5
f3d8b96931d1aa9f0c31f92f2db6c903

SHA1
7aea8c37bb34cadef6ea87630c5b6c525cfad509

SHA256
7ec4beaf8109398c4951d73659beb02b290acc7c1cc9759624aeea2302a9279b

SHA512
2e7bf4813fbdf426115ee2f69523765b83aab30dba9d679adb90dceb040515872ae9ff9739e39e4294580557c542b0e2f21683596e3c6894871f6a484b99e082

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XNVBV30XSRTSUVWTF9ZS.temp

Filesize
7KB

MD5
d1cefde97bfa9e5dfbf353d04b68f91f

SHA1
0eb292201ef17a58fda20feb3bd9e5cc0c04fbfd

SHA256
658d109baba58e9a8aa9a87411f29bd7606fb6d550e962fb0d6606d2a36aaae7

SHA512
24e0851418457210b48daf20083b5dbdbf828c809416dc42ad8c5f82bb8a21f067c565c6b52bdde2abe087cc38b3453e09f101e0e217cc63a9b5095e6976e90d

Download Submit
memory/1332-39-0x00000000013A0000-0x00000000013B0000-memory.dmp

Filesize
64KB

Download
memory/2260-14-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2260-15-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2524-8-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2524-7-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2524-6-0x0000000002BC0000-0x0000000002C40000-memory.dmp

Filesize
512KB

Download
memory/2800-36-0x00000000000D0000-0x00000000000E0000-memory.dmp

Filesize
64KB

Download
memory/3056-0-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

Filesize
4KB

Download
memory/3056-30-0x000000001B3C0000-0x000000001B440000-memory.dmp

Filesize
512KB

Download
memory/3056-31-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

Filesize
4KB

Download
memory/3056-32-0x000000001B3C0000-0x000000001B440000-memory.dmp

Filesize
512KB

Download
memory/3056-1-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads