xworm | fa3e16bad6c760764b0f4e412c07e720800f6fdf5fd331aec6c3d0b738dc1a9a

Analysis

max time kernel
30s
max time network
33s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22/11/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ratty_win32_directx11.exe
Size

14.0MB
MD5

33b005cbccacb156bda997661e03c1ce
SHA1

7e478775ce68281845f34350db43d8ae13f310fa
SHA256

fa3e16bad6c760764b0f4e412c07e720800f6fdf5fd331aec6c3d0b738dc1a9a
SHA512

898b4e5bf17a58fbcd7356d3bc07ab0c0a98c19600249d8d274602a0739509c6bd7e73da4506ab8737406370d4aed5168cc77c04317b926b1c5f978a50404e3c
SSDEEP

49152:tTF+E5GDNTBnGoefQ/mF/IdtxkQhmon0pNzvlsY6EWd:tTF+EAQQO/62wmXNzvmY6j

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

45.141.26.214:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002900000004504f-6.dat	family_xworm
behavioral1/memory/4232-16-0x0000000000980000-0x0000000000998000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4428	powershell.exe
4356	powershell.exe
2948	powershell.exe
2988	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Ratty_win32_directx11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
4232	svchost.exe
3816	Ratty_win32_directx11.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4428	powershell.exe
4428	powershell.exe
4356	powershell.exe
4356	powershell.exe
2948	powershell.exe
2948	powershell.exe
2988	powershell.exe
2988	powershell.exe
4232	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4232	svchost.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeIncreaseQuotaPrivilege	4428	powershell.exe
Token: SeSecurityPrivilege	4428	powershell.exe
Token: SeTakeOwnershipPrivilege	4428	powershell.exe
Token: SeLoadDriverPrivilege	4428	powershell.exe
Token: SeSystemProfilePrivilege	4428	powershell.exe
Token: SeSystemtimePrivilege	4428	powershell.exe
Token: SeProfSingleProcessPrivilege	4428	powershell.exe
Token: SeIncBasePriorityPrivilege	4428	powershell.exe
Token: SeCreatePagefilePrivilege	4428	powershell.exe
Token: SeBackupPrivilege	4428	powershell.exe
Token: SeRestorePrivilege	4428	powershell.exe
Token: SeShutdownPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeSystemEnvironmentPrivilege	4428	powershell.exe
Token: SeRemoteShutdownPrivilege	4428	powershell.exe
Token: SeUndockPrivilege	4428	powershell.exe
Token: SeManageVolumePrivilege	4428	powershell.exe
Token: 33	4428	powershell.exe
Token: 34	4428	powershell.exe
Token: 35	4428	powershell.exe
Token: 36	4428	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeIncreaseQuotaPrivilege	4356	powershell.exe
Token: SeSecurityPrivilege	4356	powershell.exe
Token: SeTakeOwnershipPrivilege	4356	powershell.exe
Token: SeLoadDriverPrivilege	4356	powershell.exe
Token: SeSystemProfilePrivilege	4356	powershell.exe
Token: SeSystemtimePrivilege	4356	powershell.exe
Token: SeProfSingleProcessPrivilege	4356	powershell.exe
Token: SeIncBasePriorityPrivilege	4356	powershell.exe
Token: SeCreatePagefilePrivilege	4356	powershell.exe
Token: SeBackupPrivilege	4356	powershell.exe
Token: SeRestorePrivilege	4356	powershell.exe
Token: SeShutdownPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeSystemEnvironmentPrivilege	4356	powershell.exe
Token: SeRemoteShutdownPrivilege	4356	powershell.exe
Token: SeUndockPrivilege	4356	powershell.exe
Token: SeManageVolumePrivilege	4356	powershell.exe
Token: 33	4356	powershell.exe
Token: 34	4356	powershell.exe
Token: 35	4356	powershell.exe
Token: 36	4356	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeIncreaseQuotaPrivilege	2948	powershell.exe
Token: SeSecurityPrivilege	2948	powershell.exe
Token: SeTakeOwnershipPrivilege	2948	powershell.exe
Token: SeLoadDriverPrivilege	2948	powershell.exe
Token: SeSystemProfilePrivilege	2948	powershell.exe
Token: SeSystemtimePrivilege	2948	powershell.exe
Token: SeProfSingleProcessPrivilege	2948	powershell.exe
Token: SeIncBasePriorityPrivilege	2948	powershell.exe
Token: SeCreatePagefilePrivilege	2948	powershell.exe
Token: SeBackupPrivilege	2948	powershell.exe
Token: SeRestorePrivilege	2948	powershell.exe
Token: SeShutdownPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeSystemEnvironmentPrivilege	2948	powershell.exe
Token: SeRemoteShutdownPrivilege	2948	powershell.exe
Token: SeUndockPrivilege	2948	powershell.exe
Token: SeManageVolumePrivilege	2948	powershell.exe
Token: 33	2948	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4232	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 4232	2480	Ratty_win32_directx11.exe	82
PID 2480 wrote to memory of 4232	2480	Ratty_win32_directx11.exe	82
PID 2480 wrote to memory of 3816	2480	Ratty_win32_directx11.exe	84
PID 2480 wrote to memory of 3816	2480	Ratty_win32_directx11.exe	84
PID 4232 wrote to memory of 4428	4232	svchost.exe	86
PID 4232 wrote to memory of 4428	4232	svchost.exe	86
PID 4232 wrote to memory of 4356	4232	svchost.exe	91
PID 4232 wrote to memory of 4356	4232	svchost.exe	91
PID 4232 wrote to memory of 2948	4232	svchost.exe	94
PID 4232 wrote to memory of 2948	4232	svchost.exe	94
PID 4232 wrote to memory of 2988	4232	svchost.exe	96
PID 4232 wrote to memory of 2988	4232	svchost.exe	96

C:\Users\Admin\AppData\Local\Temp\Ratty_win32_directx11.exe
"C:\Users\Admin\AppData\Local\Temp\Ratty_win32_directx11.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2480
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2988
- C:\ProgramData\Ratty_win32_directx11.exe
  "C:\ProgramData\Ratty_win32_directx11.exe"
  2⤵
  - Executes dropped EXE
  PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Ratty_win32_directx11.exe

Filesize
13.9MB

MD5
d3565f59bbadcceded3d00831af9b9e9

SHA1
dbec6b8026bb9c1c5500c185c7f6f69b8839450b

SHA256
efec9245e0fd8b7f0074eaa849ea0ff77da68d01597e3dcca3109f9c421e5d3e

SHA512
d5a047f9d2136886f51162ed4f2394f8a269ac99f903014b8cb6f42b86a0fd1214fc5b2f9d55ce4ef011661bb924f46b305141a1e841472f65248e0c9cd9f528

Download Submit
C:\ProgramData\svchost.exe

Filesize
72KB

MD5
b7713a0dee9c14c95784d48da1bbdf3e

SHA1
2490e9230bfd4272b19ec436553d0a8762421357

SHA256
641b6534026bcf1973680d6c22073bdaa66883ead238f972a0b9221806782c1c

SHA512
ec98add419c036179dee3623bab122018542397546dd67563e99822bfa5ff4947780d4f76af873a6551cb8b9a43a39bed72832f8db13ed8000e08a789121e3ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a71fc7cf666e075526f31ce9187bf58c

SHA1
45e0fe0b87e16c071b267a4f83f50298c8044d69

SHA256
18c6174dc005ac6c41e9550e30426fbb72ce01a3b796f27459fb96056c148740

SHA512
922c8dd4c3f81ae773225e204f3b9c84c2b018d1cb2e964af1f30898462df4e4c5f0e42a5f42018d1be329f01af0d047643fe04e1d6313c8a04f006a3073ebde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f30545b81f94298fd50bc25470e391f6

SHA1
e19cbb012083aac67f89969be00c735fa47aa3fa

SHA256
973302bdd80ebd8362d519b4ee24ba89ef98b8e72748b917f121df68ead8253b

SHA512
d00057a75f9c093c2f0ef96744af1dce21c63da3ff4a73a19aaa76046d7bfb73290834dee486e91dbcdf91844d941c2c9c53b6ec02fe31046e5f516c25b4fdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dbk1mshz.hes.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2480-1-0x0000000000190000-0x0000000000F9E000-memory.dmp

Filesize
14.1MB

Download
memory/2480-0-0x00007FFFA5893000-0x00007FFFA5895000-memory.dmp

Filesize
8KB

Download
memory/4232-16-0x0000000000980000-0x0000000000998000-memory.dmp

Filesize
96KB

Download
memory/4232-17-0x00007FFFA5890000-0x00007FFFA6352000-memory.dmp

Filesize
10.8MB

Download
memory/4232-80-0x00007FFFA5890000-0x00007FFFA6352000-memory.dmp

Filesize
10.8MB

Download
memory/4428-38-0x000002AC96CA0000-0x000002AC96CC2000-memory.dmp

Filesize
136KB

Download