xworm | 010c25e723fef619badbc922d34d0349b80d0686a7e7b34192bea76f28950ed4

General

Target

XClient.exe
Size

34KB
MD5

0e2d8453d25e0c10c837df17cee92794
SHA1

6e4f980c7a4813e385ac01b005b9eb7bb3a63267
SHA256

010c25e723fef619badbc922d34d0349b80d0686a7e7b34192bea76f28950ed4
SHA512

3bd1a07990765ddbf58692b031568630408f3a52576e029780e5d7231e19caada5dc5a571cd47479ede0d1c0c08c37bdc2a5deedf8f28d5b78350e9da00c5fff
SSDEEP

768:P8rdXxt2EkNFdG1U3Fyc9qXC6EOjhdyve:Pu0FdGCFh9qXC6EOjp

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

japanese-cross.gl.at.ply.gg:16828

Mutex

dKjXiw0bskOKO6JU

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2612-1-0x0000000000FA0000-0x0000000000FAE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2856	powershell.exe
2816	powershell.exe
2708	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2856	powershell.exe
2816	powershell.exe
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	XClient.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2612	XClient.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2856	2612	XClient.exe	32
PID 2612 wrote to memory of 2856	2612	XClient.exe	32
PID 2612 wrote to memory of 2856	2612	XClient.exe	32
PID 2612 wrote to memory of 2816	2612	XClient.exe	34
PID 2612 wrote to memory of 2816	2612	XClient.exe	34
PID 2612 wrote to memory of 2816	2612	XClient.exe	34
PID 2612 wrote to memory of 2708	2612	XClient.exe	36
PID 2612 wrote to memory of 2708	2612	XClient.exe	36
PID 2612 wrote to memory of 2708	2612	XClient.exe	36

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708

C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets
1⤵
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
61015868fa346a5fc6c4c0ce1757cb9d

SHA1
4b6fe6bdc35a13620f6827a9bb0a0407c89b1d6f

SHA256
3f208caf7387f6318c8db0cac28c3c11a6c0b1e80efb49bdeee64148e72371c0

SHA512
34bff6573667abd5a6b7b3bfcfd3197f37de741de7edb276fb2379457242c65809a4fa5fa5833cb0ec2abcbed512dfc76d7008d70b761c95f8f76438b6c84e03

Download Submit
memory/2612-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2612-1-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

Filesize
56KB

Download
memory/2612-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-28-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-17-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2816-18-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2856-10-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2856-11-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing