xworm | 6044f92bdc0a3b4bc81146ab4df57428a0e106777131b8ffca1ee9f1a8d2962e

Analysis

max time kernel
136s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xeno.exe
Size

60KB
MD5

5f83231a9defe33363c22c05cb083d4c
SHA1

13cfab281b4d730a591f81adc0ae6c237675a65b
SHA256

6044f92bdc0a3b4bc81146ab4df57428a0e106777131b8ffca1ee9f1a8d2962e
SHA512

fdc814b0154dc517c14082ca9f658f8c490d09a08171eb6425e9394e01195b8474e229731811ad313ddabe020aa41a8778c705159b31d93b7e646b1f7942b959
SSDEEP

1536:nFFgs2DJZRprX9iLX7al8Gq+bMIRWIEqcN6tOfVg8TB:n3h48Xp+bMfqOfVpTB

Score

10^/10

xworm bootkit defense_evasion discovery execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

cause-indexes.gl.at.ply.gg:17210

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2684-34-0x0000000000610000-0x000000000061E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2684-1-0x0000000000CA0000-0x0000000000CB4000-memory.dmp	family_xworm

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mdzacy.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2788	powershell.exe
2564	powershell.exe
2612	powershell.exe
348	powershell.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	mdzacy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzacy.exe"	mdzacy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	mdzacy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzacy.exe"	mdzacy.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Xeno.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Xeno.exe

Executes dropped EXE 2 IoCs

pid	Process
2492	mdzacy.exe
848	mdzacy.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Xeno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzacy.exe"	mdzacy.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mdzacy.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mdzacy.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2492-41-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/files/0x0008000000015dac-40.dat	upx
behavioral1/memory/848-44-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/848-45-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2492-64-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2492-67-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2492-88-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2492-110-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2492-132-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2492-153-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2492-174-0x0000000000400000-0x00000000006D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdzacy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdzacy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2788	powershell.exe
2564	powershell.exe
2612	powershell.exe
348	powershell.exe
2684	Xeno.exe
2684	Xeno.exe
2684	Xeno.exe
2684	Xeno.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe
2492	mdzacy.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2492	mdzacy.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	Xeno.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	2684	Xeno.exe
Token: SeBackupPrivilege	2492	mdzacy.exe
Token: SeRestorePrivilege	2492	mdzacy.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2684	Xeno.exe
2492	mdzacy.exe
848	mdzacy.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2788	2684	Xeno.exe	30
PID 2684 wrote to memory of 2788	2684	Xeno.exe	30
PID 2684 wrote to memory of 2788	2684	Xeno.exe	30
PID 2684 wrote to memory of 2564	2684	Xeno.exe	32
PID 2684 wrote to memory of 2564	2684	Xeno.exe	32
PID 2684 wrote to memory of 2564	2684	Xeno.exe	32
PID 2684 wrote to memory of 2612	2684	Xeno.exe	34
PID 2684 wrote to memory of 2612	2684	Xeno.exe	34
PID 2684 wrote to memory of 2612	2684	Xeno.exe	34
PID 2684 wrote to memory of 348	2684	Xeno.exe	36
PID 2684 wrote to memory of 348	2684	Xeno.exe	36
PID 2684 wrote to memory of 348	2684	Xeno.exe	36
PID 2684 wrote to memory of 2492	2684	Xeno.exe	39
PID 2684 wrote to memory of 2492	2684	Xeno.exe	39
PID 2684 wrote to memory of 2492	2684	Xeno.exe	39
PID 2684 wrote to memory of 2492	2684	Xeno.exe	39

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mdzacy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mdzacy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	mdzacy.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xeno.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xeno.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:348
- C:\Users\Admin\AppData\Local\Temp\mdzacy.exe
  "C:\Users\Admin\AppData\Local\Temp\mdzacy.exe"
  2⤵
  - UAC bypass
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2492

C:\Users\Admin\AppData\Local\Temp\mdzacy.exe
C:\Users\Admin\AppData\Local\Temp\mdzacy.exe explorer.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mdzacy.exe

Filesize
1.7MB

MD5
6e628c5531010f1053fff090a7699659

SHA1
237e5b8870092dd0e9a3b0fb76da93fcfce56516

SHA256
52d65a486dd027d9d6e3ca10ea808815ff0fda4e5032695333b7c2d5a5f95e41

SHA512
53eb023d70038b2820a6c0ed0a453307f90b22279e521fa8af3b6ef240ce022300a1d05794bf02d52f472c5adeb87c814373c5e29b3f13102c0128af06d5f0e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5c18e3f07818adf14a365a8fbcdfa69c

SHA1
eaf7b488907f41eb5cc2bc7e31d00e20f6c89137

SHA256
d2f58a0bbfc9d89cf193d65db20f1c6ebd71e1e17d9c9151aede05c9a85be7e5

SHA512
40b8a125787fc00881b593c60fae0d0c560788310d3158b9d0d554af28694d0e2e54cf1ad4ce54e7812eb124a450fd2e418197aa5525a5f7b1fccbe5af39fcd1

Download Submit
memory/848-45-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/848-44-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2492-41-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2492-174-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2492-153-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2492-132-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2492-110-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2492-88-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2492-67-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2492-64-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2564-14-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2564-15-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2684-0-0x000007FEF6453000-0x000007FEF6454000-memory.dmp

Filesize
4KB

Download
memory/2684-32-0x0000000000290000-0x0000000000310000-memory.dmp

Filesize
512KB

Download
memory/2684-31-0x000007FEF6453000-0x000007FEF6454000-memory.dmp

Filesize
4KB

Download
memory/2684-30-0x0000000000290000-0x0000000000310000-memory.dmp

Filesize
512KB

Download
memory/2684-33-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2684-34-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/2684-109-0x0000000000640000-0x0000000000676000-memory.dmp

Filesize
216KB

Download
memory/2684-125-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/2684-1-0x0000000000CA0000-0x0000000000CB4000-memory.dmp

Filesize
80KB

Download
memory/2788-8-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2788-7-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2788-6-0x0000000002B00000-0x0000000002B80000-memory.dmp

Filesize
512KB

Download