xworm | aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340

General

Target

aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340.exe
Size

190KB
MD5

180735cd524d00759a5f261123a6c0d0
SHA1

cdb05596dd091c51525e573fb061ef15bfd9ae83
SHA256

aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340
SHA512

9fdd5fe3dd1a01f20e524138aa4b4d2daca206d666b4978a5bf73538d0810edee81b353decbdc5fa534870c68ff5d05e8bbe9f1fec8bf6ffff6125a1dc46cf5f
SSDEEP

3072:l/Wr3qjGBaMWrmS24qBZDhAxPWUMWkZoGv/rFVHvTQINontDme41OOjluUnd2bzD:l/ckr6HBZDONv1jmHHvHNonlm+OZBe

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7777

Mutex

tEPO2T8ayqFvBb4T

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000019329-10.dat	family_xworm
behavioral1/memory/952-12-0x0000000001120000-0x0000000001130000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2808	powershell.exe
636	powershell.exe
1248	powershell.exe
2776	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 2 IoCs

pid	Process
2160	Xeno.exe
952	XClient.exe

Loads dropped DLL 1 IoCs

pid	Process
2396	aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2776	powershell.exe
2808	powershell.exe
636	powershell.exe
1248	powershell.exe
952	XClient.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	XClient.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	952	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
952	XClient.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2160	2396	aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340.exe	30
PID 2396 wrote to memory of 2160	2396	aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340.exe	30
PID 2396 wrote to memory of 2160	2396	aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340.exe	30
PID 2396 wrote to memory of 952	2396	aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340.exe	31
PID 2396 wrote to memory of 952	2396	aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340.exe	31
PID 2396 wrote to memory of 952	2396	aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340.exe	31
PID 952 wrote to memory of 2776	952	XClient.exe	33
PID 952 wrote to memory of 2776	952	XClient.exe	33
PID 952 wrote to memory of 2776	952	XClient.exe	33
PID 952 wrote to memory of 2808	952	XClient.exe	35
PID 952 wrote to memory of 2808	952	XClient.exe	35
PID 952 wrote to memory of 2808	952	XClient.exe	35
PID 952 wrote to memory of 636	952	XClient.exe	38
PID 952 wrote to memory of 636	952	XClient.exe	38
PID 952 wrote to memory of 636	952	XClient.exe	38
PID 952 wrote to memory of 1248	952	XClient.exe	40
PID 952 wrote to memory of 1248	952	XClient.exe	40
PID 952 wrote to memory of 1248	952	XClient.exe	40

C:\Users\Admin\AppData\Local\Temp\aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340.exe
"C:\Users\Admin\AppData\Local\Temp\aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Roaming\Xeno.exe
  "C:\Users\Admin\AppData\Roaming\Xeno.exe"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f6f401afd8831fd5cb2a26bff11b643f

SHA1
0728badbb09c438cf64ee66ea4e86c1ae2de3bf6

SHA256
3d0943c5748636ce96cd3ad3ea84cc4aaabaff2bc1dcc70955bafdc27946b356

SHA512
0e61936146594b40e2689ebc93dde3a889acc61e2ce0cc7fab73d7d57e1c9c8ab333038c76f608d32f770e1ca36846deaf126f6eda8f4377de3be503c46f55d9

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
40KB

MD5
7c11c3608097aa68293957a238d0f45b

SHA1
ffe743918c5bcebd8cb437585783d6f736ee17e8

SHA256
fe6be0dde482a38dae1b63b9b26dde9e45bf46ab90c42faf64006eb550e60672

SHA512
753c5343b052224c4a0bf3016150f2b9b5410ed23af292e3fc7b4dc2b26e45087eb29e091b915493199a2210e6ab0ff741dce043db9f9c6203f3ba0ea3e88298

Download Submit
\Users\Admin\AppData\Roaming\Xeno.exe

Filesize
140KB

MD5
f0d6a8ef8299c5f15732a011d90b0be1

SHA1
5d2e6cc0bd4f1e810808f2a284f6c2a30b21edcf

SHA256
326bae0bd1398234dcef4c3d71f00e30cc9b447fa963e21d6f29605f42bb7e5b

SHA512
5b9f1517949a7fa9fdb7413146632d21a4208dc92823b673af85963ae5cc7f827b3ba27f3e9c5554c45e726ad159aac77d30306acc3559bd8712534e41ff0f27

Download Submit
memory/952-12-0x0000000001120000-0x0000000001130000-memory.dmp

Filesize
64KB

Download
memory/952-13-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

Filesize
9.9MB

Download
memory/952-14-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

Filesize
9.9MB

Download
memory/952-39-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

Filesize
9.9MB

Download
memory/952-40-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

Filesize
9.9MB

Download
memory/2396-0-0x000007FEF5F53000-0x000007FEF5F54000-memory.dmp

Filesize
4KB

Download
memory/2396-1-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2776-19-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2776-20-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2808-27-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download
memory/2808-26-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing