xworm | 7a3d86182ae45a6be17ef36d1f12463b398c165a7e6fe4aa80e56ceab7f036eb

General

Target

ExcellentFree.exe
Size

76KB
MD5

8cc568f48114422b0ca792dc8ce6009a
SHA1

bbe67dabd894ac2e45dc8027c6e3000f73ec97d7
SHA256

7a3d86182ae45a6be17ef36d1f12463b398c165a7e6fe4aa80e56ceab7f036eb
SHA512

45fe66a17c0473c0a4967d501d6f28f7a41fdce03ec31c46fb11ffd5fd848493578effbc36b4247ae49b987c41c3a559a9185dfdd0fd42468f30c310bea7bcc4
SSDEEP

1536:p1TUp7kYt63AuSN5z5UJrh+bILdScPA6BiHGOwKZRWX2emk:1YY32Uf+bmMe7OHZRvemk

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

cameras-happen.gl.at.ply.gg:23386

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2532-1-0x0000000000920000-0x000000000093A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2328	powershell.exe
2836	powershell.exe
2860	powershell.exe
2608	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ExcellentFree.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ExcellentFree.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	ExcellentFree.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2328	powershell.exe
2836	powershell.exe
2860	powershell.exe
2608	powershell.exe
2532	ExcellentFree.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	ExcellentFree.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2532	ExcellentFree.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2532	ExcellentFree.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2328	2532	ExcellentFree.exe	31
PID 2532 wrote to memory of 2328	2532	ExcellentFree.exe	31
PID 2532 wrote to memory of 2328	2532	ExcellentFree.exe	31
PID 2532 wrote to memory of 2836	2532	ExcellentFree.exe	33
PID 2532 wrote to memory of 2836	2532	ExcellentFree.exe	33
PID 2532 wrote to memory of 2836	2532	ExcellentFree.exe	33
PID 2532 wrote to memory of 2860	2532	ExcellentFree.exe	35
PID 2532 wrote to memory of 2860	2532	ExcellentFree.exe	35
PID 2532 wrote to memory of 2860	2532	ExcellentFree.exe	35
PID 2532 wrote to memory of 2608	2532	ExcellentFree.exe	37
PID 2532 wrote to memory of 2608	2532	ExcellentFree.exe	37
PID 2532 wrote to memory of 2608	2532	ExcellentFree.exe	37

C:\Users\Admin\AppData\Local\Temp\ExcellentFree.exe
"C:\Users\Admin\AppData\Local\Temp\ExcellentFree.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ExcellentFree.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ExcellentFree.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608

Network

DNS

cameras-happen.gl.at.ply.gg

ExcellentFree.exe

Remote address:

8.8.8.8:53

Request

cameras-happen.gl.at.ply.gg

IN A

Response

cameras-happen.gl.at.ply.gg

IN A

147.185.221.20

147.185.221.20:23386

cameras-happen.gl.at.ply.gg

ExcellentFree.exe

152 B
3
147.185.221.20:23386

cameras-happen.gl.at.ply.gg

ExcellentFree.exe

152 B
3
147.185.221.20:23386

cameras-happen.gl.at.ply.gg

ExcellentFree.exe

152 B
3
147.185.221.20:23386

cameras-happen.gl.at.ply.gg

ExcellentFree.exe

152 B
3
147.185.221.20:23386

cameras-happen.gl.at.ply.gg

ExcellentFree.exe

152 B
3

8.8.8.8:53

cameras-happen.gl.at.ply.gg

dns

ExcellentFree.exe

73 B
89 B
1
1

DNS Request

cameras-happen.gl.at.ply.gg

DNS Response

147.185.221.20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2075320a9091d5de6dbaaa3935954810

SHA1
bd0c03966e3a8d7ad5b04d3c0b93f55097b75046

SHA256
e95fe4ecfe9c507424f1dbd97c2209ccc6f74510b6a143a3aa19b4e3f87e16d4

SHA512
1d7a2f525524d8565536db5e601bbc5efba64e66b1beefc781e419cdf04597ea7f41b2ffe55a8afe692cbaec25323c71ee10fd459ff00459a73b95e749caa3c6

Download Submit
memory/2328-7-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2328-8-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2328-9-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2532-0-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

Filesize
4KB

Download
memory/2532-1-0x0000000000920000-0x000000000093A000-memory.dmp

Filesize
104KB

Download
memory/2532-2-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

Filesize
4KB

Download
memory/2532-31-0x000000001B020000-0x000000001B0A0000-memory.dmp

Filesize
512KB

Download
memory/2532-32-0x000000001B020000-0x000000001B0A0000-memory.dmp

Filesize
512KB

Download
memory/2836-16-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/2836-15-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.