xworm | 477c5ee702c71036f0bd3d9610c98c3b95231e586d98b9595a13bca8a9719ada

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-01-2025 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

30KB
MD5

cc5d15bc880b21e4912741f3146847fe
SHA1

864f8e552e145f4119cf87d2cd313c28e5922190
SHA256

477c5ee702c71036f0bd3d9610c98c3b95231e586d98b9595a13bca8a9719ada
SHA512

c989affb9a05f369d6c7dd37ca135cb99c0792a1265e6e4f73f5af8c4f75e0177529e783652cb6b9d93f67b857ea59fb7c7abbed0db84481d549204c8e948740
SSDEEP

384:K7wTA+5OfPgEBQqWvfcQLZe3s80hYACSqR/inw2uRugtFuBLTIOZw/WVnvn9IkV3:UrgECfLH8MYAoR/iw2uBFE9RiOqh0bl

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

airport-forums.gl.at.ply.gg:20417

Mutex

ZPSZiwa5h9FUM0MJ

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3124-1-0x0000000000DD0000-0x0000000000DDE000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adofvc.exe"	adofvc.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
4884	adofvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adofvc.exe"	adofvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adofvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	XClient.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe
4884	adofvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 4884	3124	XClient.exe	80
PID 3124 wrote to memory of 4884	3124	XClient.exe	80
PID 3124 wrote to memory of 4884	3124	XClient.exe	80

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Local\Temp\adofvc.exe
  "C:\Users\Admin\AppData\Local\Temp\adofvc.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:4884

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adofvc.exe

Filesize
436KB

MD5
22ba54cbf5c8a41d64acc90f467c1fb5

SHA1
5f61b932b5e151a4a460ada8e5ae8b268093a98f

SHA256
c02c44870579dcd8208b140dd85066bd7a468934d49b227aa24e6e62b951c35d

SHA512
cc62b9edaff1fc771e721acef84e854d93b5210f2148fa62dc4a0e3f3c8548e0686a8c250aad4292f380fdf4c50d746ef1309f3b9995518faa3d0fc207102295

Download Submit
memory/3124-0-0x00007FF9F68C3000-0x00007FF9F68C5000-memory.dmp

Filesize
8KB

Download
memory/3124-1-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

Filesize
56KB

Download
memory/3124-2-0x00007FF9F68C0000-0x00007FF9F7382000-memory.dmp

Filesize
10.8MB

Download
memory/3124-3-0x00007FF9F68C0000-0x00007FF9F7382000-memory.dmp

Filesize
10.8MB

Download
memory/3124-4-0x000000001BA60000-0x000000001BA6A000-memory.dmp

Filesize
40KB

Download
memory/4884-13-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4884-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4884-15-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4884-16-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4884-17-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download