xworm | 00e046b8e0f101d7bec1bffc118caec12e8c87b635ddcf069bf8a886cffb068f

General

Target

XC23lient.exe
Size

41KB
MD5

149dc99ba79a2a64d3ee5c3328037e08
SHA1

db9790265a2b1f02c9b3eadc88520377be615489
SHA256

00e046b8e0f101d7bec1bffc118caec12e8c87b635ddcf069bf8a886cffb068f
SHA512

3abd9ed5602f4af1c37f901565d728b4f9e8a4c5690f15a0f61e423dea91d6d6d563fc8447e3ca36696ca1e87befc8b24e89f8f3f3847fc2f9fa4dbb3a75991e
SSDEEP

768:sgruLFKR9XO06kICp+pXAfNouatF5Pa9+XOwhP3/uXn:sId1ACMVAzuF49+XOwJGXn

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

jenoks-52356.portmap.host:52356

Mutex

RENMODhndjCDtqzz

Attributes

Install_directory
%AppData%
install_file
winconfig.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3172-1-0x0000000000010000-0x0000000000020000-memory.dmp	family_xworm
behavioral1/files/0x0007000000023c65-9.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	XC23lient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winconfig.lnk	XC23lient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winconfig.lnk	XC23lient.exe

Executes dropped EXE 3 IoCs

pid	Process
5092	winconfig.exe
8	winconfig.exe
3376	winconfig.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winconfig = "C:\\Users\\Admin\\AppData\\Roaming\\winconfig.exe"	XC23lient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3172	XC23lient.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	XC23lient.exe
Token: SeDebugPrivilege	3172	XC23lient.exe
Token: SeDebugPrivilege	5092	winconfig.exe
Token: SeDebugPrivilege	8	winconfig.exe
Token: SeDebugPrivilege	3376	winconfig.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3172	XC23lient.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 3400	3172	XC23lient.exe	83
PID 3172 wrote to memory of 3400	3172	XC23lient.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XC23lient.exe
"C:\Users\Admin\AppData\Local\Temp\XC23lient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winconfig" /tr "C:\Users\Admin\AppData\Roaming\winconfig.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3400

C:\Users\Admin\AppData\Roaming\winconfig.exe
C:\Users\Admin\AppData\Roaming\winconfig.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Users\Admin\AppData\Roaming\winconfig.exe
C:\Users\Admin\AppData\Roaming\winconfig.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Users\Admin\AppData\Roaming\winconfig.exe
C:\Users\Admin\AppData\Roaming\winconfig.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winconfig.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Roaming\winconfig.exe

Filesize
41KB

MD5
149dc99ba79a2a64d3ee5c3328037e08

SHA1
db9790265a2b1f02c9b3eadc88520377be615489

SHA256
00e046b8e0f101d7bec1bffc118caec12e8c87b635ddcf069bf8a886cffb068f

SHA512
3abd9ed5602f4af1c37f901565d728b4f9e8a4c5690f15a0f61e423dea91d6d6d563fc8447e3ca36696ca1e87befc8b24e89f8f3f3847fc2f9fa4dbb3a75991e

Download Submit
memory/3172-0-0x00007FF9184C3000-0x00007FF9184C5000-memory.dmp

Filesize
8KB

Download
memory/3172-1-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/3172-2-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download
memory/3172-3-0x00007FF9184C3000-0x00007FF9184C5000-memory.dmp

Filesize
8KB

Download
memory/3172-4-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download
memory/5092-11-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download
memory/5092-13-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads