xworm | 77b137f35801187a1a535c39b3b5dd78c230162b340e4aaadfb257436ac49f0a

General

Target

XClient.exe
Size

79KB
MD5

e75cd40b330ca27c53ad8adefa31945c
SHA1

09c81abe659f3c5878414034da93abe594db6d94
SHA256

77b137f35801187a1a535c39b3b5dd78c230162b340e4aaadfb257436ac49f0a
SHA512

434df96dd9fdb74aa9f312ed72534c96685afb405c7553ece45efd4a4a4fd5e9bd4a551eb37058098a9633c4ef7c187e2e8525c6e0a5b00fc706f11a257aad13
SSDEEP

1536:ll6VVj22yBq/RVoRWJ11bvEEHK7M6hOApu17y2in+x:GjXBJ11bvK73OApu5yd+x

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

12345555.openvpn.com:4444

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7704029346:AAHPre1lXQa0UfPCpOUXJZ9UXA9mFxvH4Gk/sendMessage?chat_id=7590668020

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2816-1-0x0000000000800000-0x000000000081A000-memory.dmp	family_xworm
behavioral2/files/0x000b000000023caf-56.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4280	powershell.exe
2896	powershell.exe
2520	powershell.exe
4544	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\security.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\security.lnk	XClient.exe

Executes dropped EXE 3 IoCs

pid	Process
1232	security
1732	security
3328	security

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\security = "C:\\Users\\Admin\\AppData\\Roaming\\security"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2712	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2816	XClient.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4280	powershell.exe
4280	powershell.exe
2896	powershell.exe
2896	powershell.exe
2520	powershell.exe
2520	powershell.exe
4544	powershell.exe
4544	powershell.exe
2816	XClient.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	XClient.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	2816	XClient.exe
Token: SeDebugPrivilege	1232	security
Token: SeDebugPrivilege	1732	security
Token: SeDebugPrivilege	3328	security

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	XClient.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4280	2816	XClient.exe	83
PID 2816 wrote to memory of 4280	2816	XClient.exe	83
PID 2816 wrote to memory of 2896	2816	XClient.exe	85
PID 2816 wrote to memory of 2896	2816	XClient.exe	85
PID 2816 wrote to memory of 2520	2816	XClient.exe	87
PID 2816 wrote to memory of 2520	2816	XClient.exe	87
PID 2816 wrote to memory of 4544	2816	XClient.exe	89
PID 2816 wrote to memory of 4544	2816	XClient.exe	89
PID 2816 wrote to memory of 2712	2816	XClient.exe	91
PID 2816 wrote to memory of 2712	2816	XClient.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\security'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'security'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "security" /tr "C:\Users\Admin\AppData\Roaming\security"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2712

C:\Users\Admin\AppData\Roaming\security
C:\Users\Admin\AppData\Roaming\security
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Users\Admin\AppData\Roaming\security
C:\Users\Admin\AppData\Roaming\security
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Users\Admin\AppData\Roaming\security
C:\Users\Admin\AppData\Roaming\security
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\security.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b2b265223b9e7ba1159b5029b850e6ec

SHA1
532f60b8baf9b07f1b341b7dcfed1b0cfd75c54b

SHA256
b727d46a8f2139302d1d12caf807a4ed4a34f623bd8cb8980c91fe9e76675e5c

SHA512
8d8c2a2597ac1898f8983db27e636750b2debea6e77aea40bab5b140931be06d3c8a7dcb13cfcb603dc652c3bd60d2790b5e2d1de51085e23222d4c582903edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bac0f9cb1a351c695bd25e0e682157d4

SHA1
afeb66106bc45e6ef86a4a2e032770fef7b402aa

SHA256
afe737893a554841306272880a59e7375705f03f42c41d50135aec4a9265cc14

SHA512
8e60e367e18f82df4084ab0d366942b59858bf6116aa2accaeb5514efb041cbcce6dc71fe292249179f4fa1c8e5c7f11f453830d63b065b49672f7b0818b61ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d068783b77a298ee29e81f4fc877c491

SHA1
7a4064efb4fd447ba5e1325f4679cc7d95a579cb

SHA256
deaf11837f96b3889092fa2709c9f69bd5207b9cb1761f951bdf3400d1037802

SHA512
95990e16368fd286ca48ff06003a97a5506f6f2bdf5058de40604c943cdb3605b9f33cfe9852093a35dc163341a6da4a5a20045f72d87461aa766b232194e923

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pdjetlp4.zpa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\security

Filesize
79KB

MD5
e75cd40b330ca27c53ad8adefa31945c

SHA1
09c81abe659f3c5878414034da93abe594db6d94

SHA256
77b137f35801187a1a535c39b3b5dd78c230162b340e4aaadfb257436ac49f0a

SHA512
434df96dd9fdb74aa9f312ed72534c96685afb405c7553ece45efd4a4a4fd5e9bd4a551eb37058098a9633c4ef7c187e2e8525c6e0a5b00fc706f11a257aad13

Download Submit
memory/2816-55-0x00007FFA13EF3000-0x00007FFA13EF5000-memory.dmp

Filesize
8KB

Download
memory/2816-54-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-0-0x00007FFA13EF3000-0x00007FFA13EF5000-memory.dmp

Filesize
8KB

Download
memory/2816-58-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-1-0x0000000000800000-0x000000000081A000-memory.dmp

Filesize
104KB

Download
memory/4280-16-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/4280-13-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/4280-12-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/4280-11-0x0000022DDF4F0000-0x0000022DDF512000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads