xworm | 5d27d172d7910c67b668b31ed29826e973f1a78fb217b0dd4f40dcafe86bb6a2

General

Target

XClient.sfx.exe
Size

427KB
MD5

5435de027987f5f1f608719b0c8a752b
SHA1

b341e00d0bce1b8e085aaa7880c1e130bb6b3976
SHA256

5d27d172d7910c67b668b31ed29826e973f1a78fb217b0dd4f40dcafe86bb6a2
SHA512

fa75b2b27a2f1696b6dfac5fc6944f2501200eae3daaa449db3721d34c185435e82cf7c900b5f4c477185c5c9a410290e2ba9c93f7375e6810e90e61651d5d87
SSDEEP

6144:x5aMJNLwL73PZPkFr1jilzqqVWk6855JKSFtIooEbQYT+t1PNmSiqqvCr:xOxPkPjQeqQ1Y53KRYT+t1PABqv

Score

10^/10

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001739b-4.dat	family_xworm
behavioral1/memory/2368-12-0x00000000009E0000-0x00000000009FA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2816	powershell.exe
2844	powershell.exe
1924	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
2368	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Local\\XClient.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1808	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1924	powershell.exe
2816	powershell.exe
2844	powershell.exe
2368	XClient.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	XClient.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2368	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2368	XClient.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2368	2484	XClient.sfx.exe	30
PID 2484 wrote to memory of 2368	2484	XClient.sfx.exe	30
PID 2484 wrote to memory of 2368	2484	XClient.sfx.exe	30
PID 2368 wrote to memory of 1924	2368	XClient.exe	31
PID 2368 wrote to memory of 1924	2368	XClient.exe	31
PID 2368 wrote to memory of 1924	2368	XClient.exe	31
PID 2368 wrote to memory of 2816	2368	XClient.exe	33
PID 2368 wrote to memory of 2816	2368	XClient.exe	33
PID 2368 wrote to memory of 2816	2368	XClient.exe	33
PID 2368 wrote to memory of 2844	2368	XClient.exe	35
PID 2368 wrote to memory of 2844	2368	XClient.exe	35
PID 2368 wrote to memory of 2844	2368	XClient.exe	35
PID 2368 wrote to memory of 2832	2368	XClient.exe	37
PID 2368 wrote to memory of 2832	2368	XClient.exe	37
PID 2368 wrote to memory of 2832	2368	XClient.exe	37
PID 2368 wrote to memory of 572	2368	XClient.exe	41
PID 2368 wrote to memory of 572	2368	XClient.exe	41
PID 2368 wrote to memory of 572	2368	XClient.exe	41
PID 2368 wrote to memory of 832	2368	XClient.exe	43
PID 2368 wrote to memory of 832	2368	XClient.exe	43
PID 2368 wrote to memory of 832	2368	XClient.exe	43
PID 832 wrote to memory of 1808	832	cmd.exe	45
PID 832 wrote to memory of 1808	832	cmd.exe	45
PID 832 wrote to memory of 1808	832	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.sfx.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Local\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2832
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
    3⤵
    PID:572
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1390.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\XClient.exe

Filesize
80KB

MD5
bee4a56d9ba0426d3c95dde1970f6429

SHA1
2bfa99521d4a4f2ed6f9b457074ecf1fae7cd712

SHA256
d6684b27eb3b9913fd9742bf3ce9c38e5f089211b0c105893e44eeaf79f691a2

SHA512
294855ac413dec844467c23ddef1dd87334d0f83f5053a6e9e0b66f032d48e748351f4fa95e166d33c4385c4734d4f4af27365d3379d480a5b5a8ecb30e5f660

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1390.tmp.bat

Filesize
167B

MD5
26d32ba9db1c1bd486d88f0acde702f8

SHA1
eaa851864e8eec72dbea9d16fc286c1fcaf42a92

SHA256
e63b8933007e1178e91617aa909190bc04cdaae95a19777ed0b39670210ffe32

SHA512
b4f36f78571a1816a1cfd77f522ff3de660fd3be9b119af96f63223a0319989a5538af67654e1c82dde17cd90dd9f4d99560b960821d157fb7e69b798613f978

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
975adaa2cde347ba1957a3ac38446002

SHA1
a95f1b39f8f3861e6f0b3a5eed9f4da3573d0df9

SHA256
2db8d7c3a7199496edd1127e34a0b2476f87deb9e6050ccf99af6792d6392bbd

SHA512
87dac62c3248b7594e37c9c1a1dcaa5a92114c8374b65c3ddba601d15e1c9b84dd420447bfe0ab030c063ee5e016dba691599332285198ef67fa4a2de891fbb8

Download Submit
memory/1924-17-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1924-18-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2368-40-0x000007FEF5503000-0x000007FEF5504000-memory.dmp

Filesize
4KB

Download
memory/2368-39-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2368-12-0x00000000009E0000-0x00000000009FA000-memory.dmp

Filesize
104KB

Download
memory/2368-41-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2368-11-0x000007FEF5503000-0x000007FEF5504000-memory.dmp

Filesize
4KB

Download
memory/2368-53-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2816-24-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/2816-25-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads