xworm | 4644fee74d9836dae0e7083607ba473e0ff417637a73bde127aa8bcecfa724e5

General

Target

XClient.exe
Size

86KB
MD5

fd739632b35fe4c6619d875046de0977
SHA1

3fe14c2b2cdbaa8704a8d4c5ea69bee939db8dd8
SHA256

4644fee74d9836dae0e7083607ba473e0ff417637a73bde127aa8bcecfa724e5
SHA512

ae3391fd936fe943e9196bd6af664a62659529fa329a9dd74134b3ba6901b2ee50da74423c56f192e2fbf3ab149d29fdea7b3ae6e37a489a3fea1f675099f29b
SSDEEP

1536:+X9yT3O+aq7HgTiSCP19bB484JJT6x2SciO3+A+zn+B:u7lEgTaP19bBcc2UO3K+B

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

blood-pattern.gl.at.ply.gg:5353

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7704029346:AAHPre1lXQa0UfPCpOUXJZ9UXA9mFxvH4Gk/sendMessage?chat_id=7590668020

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2524-1-0x0000000000D20000-0x0000000000D3C000-memory.dmp	family_xworm
behavioral1/files/0x000a000000019228-35.dat	family_xworm
behavioral1/memory/2432-37-0x0000000000F30000-0x0000000000F4C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
2844	powershell.exe
2196	powershell.exe
2128	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\security.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\security.lnk	XClient.exe

Executes dropped EXE 2 IoCs

pid	Process
2432	security
2684	security

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\security = "C:\\Users\\Admin\\AppData\\Roaming\\security"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2668	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2524	XClient.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2128	powershell.exe
2700	powershell.exe
2844	powershell.exe
2196	powershell.exe
2524	XClient.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	XClient.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2524	XClient.exe
Token: SeDebugPrivilege	2432	security
Token: SeDebugPrivilege	2684	security

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2524	XClient.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2128	2524	XClient.exe	30
PID 2524 wrote to memory of 2128	2524	XClient.exe	30
PID 2524 wrote to memory of 2128	2524	XClient.exe	30
PID 2524 wrote to memory of 2700	2524	XClient.exe	32
PID 2524 wrote to memory of 2700	2524	XClient.exe	32
PID 2524 wrote to memory of 2700	2524	XClient.exe	32
PID 2524 wrote to memory of 2844	2524	XClient.exe	34
PID 2524 wrote to memory of 2844	2524	XClient.exe	34
PID 2524 wrote to memory of 2844	2524	XClient.exe	34
PID 2524 wrote to memory of 2196	2524	XClient.exe	36
PID 2524 wrote to memory of 2196	2524	XClient.exe	36
PID 2524 wrote to memory of 2196	2524	XClient.exe	36
PID 2524 wrote to memory of 2668	2524	XClient.exe	38
PID 2524 wrote to memory of 2668	2524	XClient.exe	38
PID 2524 wrote to memory of 2668	2524	XClient.exe	38
PID 376 wrote to memory of 2432	376	taskeng.exe	43
PID 376 wrote to memory of 2432	376	taskeng.exe	43
PID 376 wrote to memory of 2432	376	taskeng.exe	43
PID 376 wrote to memory of 2684	376	taskeng.exe	44
PID 376 wrote to memory of 2684	376	taskeng.exe	44
PID 376 wrote to memory of 2684	376	taskeng.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\security'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'security'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "security" /tr "C:\Users\Admin\AppData\Roaming\security"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2668

C:\Windows\system32\taskeng.exe
taskeng.exe {51E1564D-08AB-483A-99E3-617367DBC432} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Roaming\security
  C:\Users\Admin\AppData\Roaming\security
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Users\Admin\AppData\Roaming\security
  C:\Users\Admin\AppData\Roaming\security
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a28f1524dccd167e8a3efe5ab0b46e8d

SHA1
40db1af046d6b4dd7dc626a9ede59cb136568a4c

SHA256
80374e46fd8d445e61ec99cbb61b56bdde0cd30e7d5e1661e59e4f269c6c29e2

SHA512
3d24b4ffa52ee7cd91fac70fe7b5e234cd6bc6478f2b56917dbe00caaa0189c18cb95f6d373f26bbcabb1766ecd6bad3cc50516521809a9c74c54926123b1d31

Download Submit
C:\Users\Admin\AppData\Roaming\security

Filesize
86KB

MD5
fd739632b35fe4c6619d875046de0977

SHA1
3fe14c2b2cdbaa8704a8d4c5ea69bee939db8dd8

SHA256
4644fee74d9836dae0e7083607ba473e0ff417637a73bde127aa8bcecfa724e5

SHA512
ae3391fd936fe943e9196bd6af664a62659529fa329a9dd74134b3ba6901b2ee50da74423c56f192e2fbf3ab149d29fdea7b3ae6e37a489a3fea1f675099f29b

Download Submit
memory/2128-6-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2128-7-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2128-8-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/2432-37-0x0000000000F30000-0x0000000000F4C000-memory.dmp

Filesize
112KB

Download
memory/2524-31-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2524-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2524-32-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2524-33-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2524-1-0x0000000000D20000-0x0000000000D3C000-memory.dmp

Filesize
112KB

Download
memory/2700-15-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2700-14-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads