xworm | 0e2ec9b0d60ba6bfc32a86dce7ed5e60d67fb142d4d14bb4a11956fe8b19d7d9

Analysis

max time kernel
866s
max time network
869s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XCli1ent.exe
Size

36KB
MD5

3d8ec94b7dcfaf52bb472918378b49a3
SHA1

f868a911a25973f330ec2b56e50a746e6f32b14d
SHA256

0e2ec9b0d60ba6bfc32a86dce7ed5e60d67fb142d4d14bb4a11956fe8b19d7d9
SHA512

a57ac00fdc6377469d3a95bdc2715e68ca408aecf8b7e46444f401f8d93e787a5c1485886109f833b9771d07e9866610e808ba756167f55eef13750ff81f59d7
SSDEEP

768:DeVXtHcDQZS9rc50UZmx/F89RF6OOMh6QJP:D8dH+o51OF89RF6OOMQy

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

database-victoria.gl.at.ply.gg:55358

Mutex

eIDPhmFNz0rAKYvF

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2520-1-0x0000000000160000-0x0000000000170000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2228	powershell.exe
2280	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2228	powershell.exe
2280	powershell.exe
2520	XCli1ent.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	XCli1ent.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2520	XCli1ent.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2228	2520	XCli1ent.exe	30
PID 2520 wrote to memory of 2228	2520	XCli1ent.exe	30
PID 2520 wrote to memory of 2228	2520	XCli1ent.exe	30
PID 2520 wrote to memory of 2280	2520	XCli1ent.exe	32
PID 2520 wrote to memory of 2280	2520	XCli1ent.exe	32
PID 2520 wrote to memory of 2280	2520	XCli1ent.exe	32

C:\Users\Admin\AppData\Local\Temp\XCli1ent.exe
"C:\Users\Admin\AppData\Local\Temp\XCli1ent.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XCli1ent.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XCli1ent.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ad1c8b0520b0b0310f57d2e6ea5dce0b

SHA1
b9393c244610ff65ca0f0c6b807aa76208f2c5ec

SHA256
ecdb6589e24fbde59572e43c58e24ec9cdf077f63070d26ca34bedc2521e9108

SHA512
f17c2f8ffa509a55c17609551b56d12b1cad1fedb96670aa62770cff129cd48da7895525f384c1c8c207cd0bd747f15deb4a03874b3986fb166942c315ed0f66

Download Submit
memory/2228-6-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/2228-7-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2228-8-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2280-14-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2280-15-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2520-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2520-1-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/2520-16-0x000000001AE50000-0x000000001AED0000-memory.dmp

Filesize
512KB

Download
memory/2520-17-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2520-18-0x000000001AE50000-0x000000001AED0000-memory.dmp

Filesize
512KB

Download
memory/2520-19-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download