xworm | 0e2ec9b0d60ba6bfc32a86dce7ed5e60d67fb142d4d14bb4a11956fe8b19d7d9

Resubmissions

01/03/2025, 15:56

250301-tdehysvvhz 10

Analysis

max time kernel
32s
max time network
80s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XCli1ent.exe
Size

36KB
MD5

3d8ec94b7dcfaf52bb472918378b49a3
SHA1

f868a911a25973f330ec2b56e50a746e6f32b14d
SHA256

0e2ec9b0d60ba6bfc32a86dce7ed5e60d67fb142d4d14bb4a11956fe8b19d7d9
SHA512

a57ac00fdc6377469d3a95bdc2715e68ca408aecf8b7e46444f401f8d93e787a5c1485886109f833b9771d07e9866610e808ba756167f55eef13750ff81f59d7
SSDEEP

768:DeVXtHcDQZS9rc50UZmx/F89RF6OOMh6QJP:D8dH+o51OF89RF6OOMQy

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

database-victoria.gl.at.ply.gg:55358

Mutex

eIDPhmFNz0rAKYvF

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2708-1-0x00000000003A0000-0x00000000003B0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2872	powershell.exe
2532	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2872	powershell.exe
2532	powershell.exe
2708	XCli1ent.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	XCli1ent.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2708	XCli1ent.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2872	2708	XCli1ent.exe	30
PID 2708 wrote to memory of 2872	2708	XCli1ent.exe	30
PID 2708 wrote to memory of 2872	2708	XCli1ent.exe	30
PID 2708 wrote to memory of 2532	2708	XCli1ent.exe	32
PID 2708 wrote to memory of 2532	2708	XCli1ent.exe	32
PID 2708 wrote to memory of 2532	2708	XCli1ent.exe	32

C:\Users\Admin\AppData\Local\Temp\XCli1ent.exe
"C:\Users\Admin\AppData\Local\Temp\XCli1ent.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XCli1ent.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XCli1ent.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b512707995c00410cc5d7c142025fe52

SHA1
f80670b8d296d9bd35c3765b2dd3d9c13d0008d3

SHA256
a5ee31278547b29494c7adb6365d632cc4f5f0434264b41b37ed44fcc60c549b

SHA512
8db738b36d7d85aec3855acb1b2ef2edfb84999b773cfebb6571417bd36bbcf4e4ccbb6beb2e5773b32c4f786d0a9ecdc19d9b3b631e3b18eb64ead522fb3b1f

Download Submit
memory/2532-14-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2532-15-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2708-0-0x000007FEF5073000-0x000007FEF5074000-memory.dmp

Filesize
4KB

Download
memory/2708-1-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2708-16-0x000000001A5F0000-0x000000001A670000-memory.dmp

Filesize
512KB

Download
memory/2708-17-0x000007FEF5073000-0x000007FEF5074000-memory.dmp

Filesize
4KB

Download
memory/2708-18-0x000000001A5F0000-0x000000001A670000-memory.dmp

Filesize
512KB

Download
memory/2872-6-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/2872-7-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2872-8-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download