xworm | e3aa28ea62f9c5bd93e5b0375617d3403500093759edef26ef0630457fa0cf6c

General

Target

Output.exe
Size

85KB
MD5

3d87d953dfaeba0d03b7e121f7dc61c0
SHA1

022b9c554d1b4eaa4bfa2a37f83b8d6bf1e50138
SHA256

e3aa28ea62f9c5bd93e5b0375617d3403500093759edef26ef0630457fa0cf6c
SHA512

866114ca2324d1caf746c7068ace685e775519f6df417a35b8ed7ca776f2162bde609bac256dae46e4cc72e9ac200cf5c0df502d19ffd28929ca90b1d6d95a88
SSDEEP

1536:Rv+mKGsH/BSvsSWU8bzZcAsxfs3CrYAAWhOu5KNWXxUMMjdeGtrfpk19Jz8AQehy:5vkzuAsxJY6hX5PyMabNpk19JY4q7

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

perfect-ringtones.gl.at.ply.gg:15597

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001225f-5.dat	family_xworm
behavioral1/memory/108-7-0x0000000001190000-0x00000000011A8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
108	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2868	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
108	XClient.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	108	XClient.exe
Token: SeDebugPrivilege	108	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
108	XClient.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 108	824	Output.exe	31
PID 824 wrote to memory of 108	824	Output.exe	31
PID 824 wrote to memory of 108	824	Output.exe	31
PID 108 wrote to memory of 2852	108	XClient.exe	32
PID 108 wrote to memory of 2852	108	XClient.exe	32
PID 108 wrote to memory of 2852	108	XClient.exe	32
PID 108 wrote to memory of 2268	108	XClient.exe	35
PID 108 wrote to memory of 2268	108	XClient.exe	35
PID 108 wrote to memory of 2268	108	XClient.exe	35
PID 108 wrote to memory of 772	108	XClient.exe	37
PID 108 wrote to memory of 772	108	XClient.exe	37
PID 108 wrote to memory of 772	108	XClient.exe	37
PID 772 wrote to memory of 2868	772	cmd.exe	39
PID 772 wrote to memory of 2868	772	cmd.exe	39
PID 772 wrote to memory of 2868	772	cmd.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2852
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows Defender"
    3⤵
    PID:2268
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D53.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6D53.tmp.bat

Filesize
156B

MD5
9ee170bf145b5145e0255dd56db8b751

SHA1
7b6de58a8db8d57cdee966e396fa333809373642

SHA256
f7b546abf061299c25a0bab55f602359b3deda5334dedb27d45462c1670a12e0

SHA512
be3f1c8b33c10abb99e0ba72e52fdc047189e3123273cca98492dc15a3608140339f9d772d308fb2d68c2d820bcba8b9e9da1c11128f5efa2f30acd2553a959b

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
70KB

MD5
05eebe47480a9a5c13c7b35229d4fe2d

SHA1
8c9e51bfb40382864cd1d5db738c9743c923c745

SHA256
f59fdbba08dad0ba86211e9e74086059721f8706a24c57c10867a33d9d421a6c

SHA512
87e2f3586b15175e6e375a6e0f7438fab2492f96a386b1780951a6741db69aacf0a18a493c91ccf3fe4c0a7439c68475935aba1db8b5248e53318700dc2fde6d

Download Submit
memory/108-7-0x0000000001190000-0x00000000011A8000-memory.dmp

Filesize
96KB

Download
memory/108-8-0x000007FEF65E0000-0x000007FEF6FCC000-memory.dmp

Filesize
9.9MB

Download
memory/108-12-0x000007FEF65E0000-0x000007FEF6FCC000-memory.dmp

Filesize
9.9MB

Download
memory/108-13-0x000007FEF65E0000-0x000007FEF6FCC000-memory.dmp

Filesize
9.9MB

Download
memory/108-14-0x000007FEF65E0000-0x000007FEF6FCC000-memory.dmp

Filesize
9.9MB

Download
memory/108-26-0x000007FEF65E0000-0x000007FEF6FCC000-memory.dmp

Filesize
9.9MB

Download
memory/824-0-0x000007FEF65E3000-0x000007FEF65E4000-memory.dmp

Filesize
4KB

Download
memory/824-1-0x0000000000E20000-0x0000000000E3C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads