xworm | e667b46eeae63c0bfe3b4afdf674f88a3fede9b69fd01fae3ccb298841ae052a

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

36KB
MD5

cae4f0fe50b987b855a556fb34778f8f
SHA1

bb51d9895c5a0ac8f87d0ab4ff5dce7c4bf0e332
SHA256

e667b46eeae63c0bfe3b4afdf674f88a3fede9b69fd01fae3ccb298841ae052a
SHA512

6a34663d6c9b557f596b7ca4b0ed828b55ca519405ffacabfe827fc003272c991ca3539d5ee14fe5f8dd3e58a8df026547afd8380a5c8cf300012c67a37faf1a
SSDEEP

768:veVXtHcDQZS9LR50UZmx/F89R36OOMhm7QJR:v8dH+t51OF89R36OOMc78

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

database-victoria.gl.at.ply.gg:55358

Mutex

D3IBrkox4lu2QKJO

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2680-1-0x00000000012A0000-0x00000000012B0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2776	powershell.exe
2848	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2776	powershell.exe
2848	powershell.exe
2680	XClient.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	XClient.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2680	XClient.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2776	2680	XClient.exe	30
PID 2680 wrote to memory of 2776	2680	XClient.exe	30
PID 2680 wrote to memory of 2776	2680	XClient.exe	30
PID 2680 wrote to memory of 2848	2680	XClient.exe	32
PID 2680 wrote to memory of 2848	2680	XClient.exe	32
PID 2680 wrote to memory of 2848	2680	XClient.exe	32

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a71efa3f8fbbee9e536069868f48db76

SHA1
11369a7a0add7e770403a9d372d02946de9437f9

SHA256
bf796a2ef8d55090c40225f2efdf09500f1cb5405294fe5a4334e8c19f362a16

SHA512
1a0a9a4d34d0e826f77f4657ac4bea89216d4292e37c31203c6ea1399e4aa39818650cbd020b4cea46a5721bb12d53090a0576a008f1147adccd99c44b24976f

Download Submit
memory/2680-0-0x000007FEF4D23000-0x000007FEF4D24000-memory.dmp

Filesize
4KB

Download
memory/2680-1-0x00000000012A0000-0x00000000012B0000-memory.dmp

Filesize
64KB

Download
memory/2680-16-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/2680-17-0x000007FEF4D23000-0x000007FEF4D24000-memory.dmp

Filesize
4KB

Download
memory/2680-18-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/2776-6-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2776-7-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2776-8-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2848-14-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2848-15-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download