xworm | 0e2ec9b0d60ba6bfc32a86dce7ed5e60d67fb142d4d14bb4a11956fe8b19d7d9

Analysis

max time kernel
118s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XCli1ent.exe
Size

36KB
MD5

3d8ec94b7dcfaf52bb472918378b49a3
SHA1

f868a911a25973f330ec2b56e50a746e6f32b14d
SHA256

0e2ec9b0d60ba6bfc32a86dce7ed5e60d67fb142d4d14bb4a11956fe8b19d7d9
SHA512

a57ac00fdc6377469d3a95bdc2715e68ca408aecf8b7e46444f401f8d93e787a5c1485886109f833b9771d07e9866610e808ba756167f55eef13750ff81f59d7
SSDEEP

768:DeVXtHcDQZS9rc50UZmx/F89RF6OOMh6QJP:D8dH+o51OF89RF6OOMQy

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

database-victoria.gl.at.ply.gg:55358

Mutex

eIDPhmFNz0rAKYvF

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2776-1-0x0000000000EC0000-0x0000000000ED0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3052	powershell.exe
2708	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3052	powershell.exe
2708	powershell.exe
2776	XCli1ent.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	XCli1ent.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2776	XCli1ent.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3052	2776	XCli1ent.exe	30
PID 2776 wrote to memory of 3052	2776	XCli1ent.exe	30
PID 2776 wrote to memory of 3052	2776	XCli1ent.exe	30
PID 2776 wrote to memory of 2708	2776	XCli1ent.exe	32
PID 2776 wrote to memory of 2708	2776	XCli1ent.exe	32
PID 2776 wrote to memory of 2708	2776	XCli1ent.exe	32

C:\Users\Admin\AppData\Local\Temp\XCli1ent.exe
"C:\Users\Admin\AppData\Local\Temp\XCli1ent.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XCli1ent.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XCli1ent.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9c385002dc11e21fa3ef9026087fcd29

SHA1
bbf80d7a8e3e9fdc0d4b389d94f42b839ce01f4c

SHA256
8a82a56dba15aef2c3b2ee6753d19aa4a40e583fa343c9f95b523f48b9ac7fe3

SHA512
9cb835bf42f68f1e4f5f0e8e907c19746908ed3ae0f8d4541498dfde019a320e9a35777fe130a825662a5ddededa19eeac0517d266addd35735bb987e94af24a

Download Submit
memory/2708-14-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/2708-15-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2776-0-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

Filesize
4KB

Download
memory/2776-1-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/2776-16-0x000000001ACB0000-0x000000001AD30000-memory.dmp

Filesize
512KB

Download
memory/2776-17-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

Filesize
4KB

Download
memory/2776-18-0x000000001ACB0000-0x000000001AD30000-memory.dmp

Filesize
512KB

Download
memory/3052-6-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/3052-7-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/3052-8-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download