xworm | b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913.exe
Size

159KB
MD5

f2d8c3dec1e9985bc659d18341b573bf
SHA1

d0e7b2fe9fc1aaadc0ef2c1256c7754f3bbe6e8f
SHA256

b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913
SHA512

415e0955db51117127d9440ff5cdae98cf6b7c16e46cc1aa8772d4631cb3d0c8338c016480b276b41a2c570be4d6f956286d5a054e2c76749b45336c4d0b7c4a
SSDEEP

3072:0325N7aVopufIeZuVGoFkfAylFYOKYoGCllFhdoH3hZ9Roe2eX9pxK:j1U8peZuVDRkClAXhT2eF9O

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

indian-tall.gl.at.ply.gg:65520

Attributes

Install_directory
%Temp%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/wXYjM7Vm

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015685-11.dat	family_xworm
behavioral1/memory/2228-14-0x0000000000AF0000-0x0000000000B0A000-memory.dmp	family_xworm
behavioral1/files/0x00130000000054ab-17.dat	family_xworm
behavioral1/memory/2668-20-0x00000000011C0000-0x00000000011D8000-memory.dmp	family_xworm
behavioral1/memory/2016-73-0x0000000001180000-0x0000000001198000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
328	powershell.exe
900	powershell.exe
1652	powershell.exe
596	powershell.exe
2436	powershell.exe
1232	powershell.exe
2844	powershell.exe
2160	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\keyauth.lnk	xclient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\keyauth.lnk	xclient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XwormLoader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XwormLoader.exe

Executes dropped EXE 4 IoCs

pid	Process
2228	XwormLoader.exe
2668	xclient.exe
2016	keyauth.exe
2816	keyauth.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\keyauth = "C:\\Users\\Admin\\AppData\\Roaming\\keyauth.exe"	xclient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 34 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
10	pastebin.com
24	pastebin.com
38	pastebin.com
17	pastebin.com
26	pastebin.com
28	pastebin.com
31	pastebin.com
33	pastebin.com
47	pastebin.com
11	pastebin.com
27	pastebin.com
35	pastebin.com
37	pastebin.com
15	pastebin.com
21	pastebin.com
40	pastebin.com
43	pastebin.com
46	pastebin.com
16	pastebin.com
18	pastebin.com
20	pastebin.com
25	pastebin.com
30	pastebin.com
22	pastebin.com
29	pastebin.com
34	pastebin.com
44	pastebin.com
45	pastebin.com
19	pastebin.com
36	pastebin.com
39	pastebin.com
12	pastebin.com
41	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com
5	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2900	powershell.exe
1652	powershell.exe
596	powershell.exe
2436	powershell.exe
1232	powershell.exe
2844	powershell.exe
2160	powershell.exe
2668	xclient.exe
328	powershell.exe
900	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	XwormLoader.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2668	xclient.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2668	xclient.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2016	keyauth.exe
Token: SeDebugPrivilege	2816	keyauth.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2668	xclient.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2900	2460	b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913.exe	31
PID 2460 wrote to memory of 2900	2460	b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913.exe	31
PID 2460 wrote to memory of 2900	2460	b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913.exe	31
PID 2460 wrote to memory of 2228	2460	b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913.exe	33
PID 2460 wrote to memory of 2228	2460	b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913.exe	33
PID 2460 wrote to memory of 2228	2460	b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913.exe	33
PID 2460 wrote to memory of 2668	2460	b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913.exe	34
PID 2460 wrote to memory of 2668	2460	b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913.exe	34
PID 2460 wrote to memory of 2668	2460	b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913.exe	34
PID 2668 wrote to memory of 1652	2668	xclient.exe	36
PID 2668 wrote to memory of 1652	2668	xclient.exe	36
PID 2668 wrote to memory of 1652	2668	xclient.exe	36
PID 2668 wrote to memory of 596	2668	xclient.exe	38
PID 2668 wrote to memory of 596	2668	xclient.exe	38
PID 2668 wrote to memory of 596	2668	xclient.exe	38
PID 2668 wrote to memory of 2436	2668	xclient.exe	40
PID 2668 wrote to memory of 2436	2668	xclient.exe	40
PID 2668 wrote to memory of 2436	2668	xclient.exe	40
PID 2668 wrote to memory of 1232	2668	xclient.exe	42
PID 2668 wrote to memory of 1232	2668	xclient.exe	42
PID 2668 wrote to memory of 1232	2668	xclient.exe	42
PID 2228 wrote to memory of 2844	2228	XwormLoader.exe	44
PID 2228 wrote to memory of 2844	2228	XwormLoader.exe	44
PID 2228 wrote to memory of 2844	2228	XwormLoader.exe	44
PID 2668 wrote to memory of 2052	2668	xclient.exe	46
PID 2668 wrote to memory of 2052	2668	xclient.exe	46
PID 2668 wrote to memory of 2052	2668	xclient.exe	46
PID 2228 wrote to memory of 2160	2228	XwormLoader.exe	48
PID 2228 wrote to memory of 2160	2228	XwormLoader.exe	48
PID 2228 wrote to memory of 2160	2228	XwormLoader.exe	48
PID 2228 wrote to memory of 328	2228	XwormLoader.exe	50
PID 2228 wrote to memory of 328	2228	XwormLoader.exe	50
PID 2228 wrote to memory of 328	2228	XwormLoader.exe	50
PID 2228 wrote to memory of 900	2228	XwormLoader.exe	52
PID 2228 wrote to memory of 900	2228	XwormLoader.exe	52
PID 2228 wrote to memory of 900	2228	XwormLoader.exe	52
PID 1808 wrote to memory of 2016	1808	taskeng.exe	55
PID 1808 wrote to memory of 2016	1808	taskeng.exe	55
PID 1808 wrote to memory of 2016	1808	taskeng.exe	55
PID 1808 wrote to memory of 2816	1808	taskeng.exe	56
PID 1808 wrote to memory of 2816	1808	taskeng.exe	56
PID 1808 wrote to memory of 2816	1808	taskeng.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913.exe
"C:\Users\Admin\AppData\Local\Temp\b73b703df104bdc6a6088d0096448ba4312938bc738791a50d55792788b46913.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAcgB0ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHcAeAB5ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARQByAHIAbwByAF8AYwBvAGQAZQBfADAAeAAxACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB2AHcAZwAjAD4A"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XwormLoader.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- C:\Users\Admin\AppData\Local\Temp\xclient.exe
  "C:\Users\Admin\AppData\Local\Temp\xclient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\xclient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'xclient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\keyauth.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'keyauth.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "keyauth" /tr "C:\Users\Admin\AppData\Roaming\keyauth.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2052

C:\Windows\system32\taskeng.exe
taskeng.exe {8B03A71D-C82F-4F8E-84E6-E1E96DCD928C} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Roaming\keyauth.exe
  C:\Users\Admin\AppData\Roaming\keyauth.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Users\Admin\AppData\Roaming\keyauth.exe
  C:\Users\Admin\AppData\Roaming\keyauth.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe

Filesize
77KB

MD5
e7525a2d46d78f6ea17a3c32815cc1a2

SHA1
734b924697ddfd032ae0f2467b404b91650d72f3

SHA256
c388c156025273419447629bfb28728b32c785a47968c7bce227adb31a66ffa3

SHA512
cb38565d63a429517493a5093ab93861744b4584594221c7fb558e9f5832b3feaf3f52f902079f7e7299ce2008fa03cb1ff59118469ce6461d9319ae2d5b2d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\xclient.exe

Filesize
74KB

MD5
8f0fab5837f63b48e3d0bf98013ecde6

SHA1
03e392b90a808f77595f571dd01c8ce864e87d2c

SHA256
703c26b59e5eefc02cc93db1f440a7ed273cdb8928f082105f41120adc41964d

SHA512
d980674a3343c51c77b8a05b264e2c01a38f8e4ffa300763dbb2ff11e66dcce0555437e5b4ced5a6fffd0793577c9c816403987b5affccf1639bbf1338f7884d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d31c6de5d47f33e3eca98dacdabdebb

SHA1
520fcf852ef6f7f7fbe25c6bdccd0bd6206414bf

SHA256
cb39a75dd4e311b315337f5bbf1c5a7f6465268e90fcf91e94dd7dd6286a0c39

SHA512
8c9a6442e9ce9a1319c05f4760b9cf18722268cfb9c0aff5a906d6c20a1e6a7f817074301e1437bab3f6177c393112e787cff8c356ca13df85c37962ebfcb537

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AQQ60L46IND7PTA5WSBV.temp

Filesize
7KB

MD5
765a4cabf87a27f0b4fca6d4302f7312

SHA1
42296861169830364f554b7999d60d9c30fa77ff

SHA256
8d185abd52010727eacb0dbf6d8065bf36a0230d155da0084a877fd32b8d601d

SHA512
c76ebd7aed8e282fed53a6c3e2defee260e49a9702a06bb6edc819ff0ef563b5febd45c562f26ed2630d3c5cb2aece6501dda9c3ff8001073b3a0f14288e2906

Download Submit
memory/1652-28-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1652-29-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2016-73-0x0000000001180000-0x0000000001198000-memory.dmp

Filesize
96KB

Download
memory/2228-14-0x0000000000AF0000-0x0000000000B0A000-memory.dmp

Filesize
104KB

Download
memory/2460-4-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2460-19-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2460-1-0x0000000000AA0000-0x0000000000ACE000-memory.dmp

Filesize
184KB

Download
memory/2460-0-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

Filesize
4KB

Download
memory/2668-20-0x00000000011C0000-0x00000000011D8000-memory.dmp

Filesize
96KB

Download
memory/2900-10-0x0000000002BE0000-0x0000000002C60000-memory.dmp

Filesize
512KB

Download
memory/2900-22-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2900-21-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download