xworm | 0cea3395a719813d0a1bab5a21ded480f70b6da0cff2b8ff632a0d42bee303fe

General

Target

X64v1.4.exe
Size

76KB
MD5

1a6ce13e6ca5801d773725074d8127a6
SHA1

abc2d87c256950524ea6bc06466b7ad63dec042f
SHA256

0cea3395a719813d0a1bab5a21ded480f70b6da0cff2b8ff632a0d42bee303fe
SHA512

461708a2a62701c4af06d54e0c86fa5380c12a464a1e208c539f7835f4c5b0f3d4064377674759e0f9b237971b9414f9c39acf9da455aabacdb8ca2ea1018d10
SSDEEP

1536:F01NQngfiQr1jx9/9EBeJKYamex+3tDUUGcDl3nIAd7CK8byIMn:y1KgF/9+FYajk3tDUUGCBIa7CK8by1

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

80.76.49.15:1111

Attributes

Install_directory
%AppData%
install_file
Xclient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000011c28-5.dat	family_xworm
behavioral1/memory/2936-8-0x0000000000910000-0x0000000000926000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1104	powershell.exe
2392	powershell.exe
2752	powershell.exe
3056	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xclient.lnk	x64 Loader1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xclient.lnk	x64 Loader1.exe

Executes dropped EXE 1 IoCs

pid	Process
2936	x64 Loader1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2928	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2752	powershell.exe
3056	powershell.exe
1104	powershell.exe
2392	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	x64 Loader1.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2936	x64 Loader1.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2936	2644	X64v1.4.exe	30
PID 2644 wrote to memory of 2936	2644	X64v1.4.exe	30
PID 2644 wrote to memory of 2936	2644	X64v1.4.exe	30
PID 2644 wrote to memory of 2928	2644	X64v1.4.exe	31
PID 2644 wrote to memory of 2928	2644	X64v1.4.exe	31
PID 2644 wrote to memory of 2928	2644	X64v1.4.exe	31
PID 2936 wrote to memory of 2752	2936	x64 Loader1.exe	32
PID 2936 wrote to memory of 2752	2936	x64 Loader1.exe	32
PID 2936 wrote to memory of 2752	2936	x64 Loader1.exe	32
PID 2936 wrote to memory of 3056	2936	x64 Loader1.exe	34
PID 2936 wrote to memory of 3056	2936	x64 Loader1.exe	34
PID 2936 wrote to memory of 3056	2936	x64 Loader1.exe	34
PID 2936 wrote to memory of 1104	2936	x64 Loader1.exe	36
PID 2936 wrote to memory of 1104	2936	x64 Loader1.exe	36
PID 2936 wrote to memory of 1104	2936	x64 Loader1.exe	36
PID 2936 wrote to memory of 2392	2936	x64 Loader1.exe	38
PID 2936 wrote to memory of 2392	2936	x64 Loader1.exe	38
PID 2936 wrote to memory of 2392	2936	x64 Loader1.exe	38

C:\Users\Admin\AppData\Local\Temp\X64v1.4.exe
"C:\Users\Admin\AppData\Local\Temp\X64v1.4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Roaming\x64 Loader1.exe
  "C:\Users\Admin\AppData\Roaming\x64 Loader1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x64 Loader1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x64 Loader1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Xclient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xclient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\thankyou.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
06820d19d67c099bf1f4603d432c7049

SHA1
5bed887ea5f0f4e438f0c6b9d256997391e3d325

SHA256
617b1ccde2bde811e0c335583a092966c81f3a024559e44a3bf032d382437fdd

SHA512
feaab61d25394e7a9a60f3179a81bc9a86dfe8fa2d6d9e564f59c889fa537881fcbd095bcef3216b1faa5ba5171c9176a0a1af59b8aae1b4fb2e034f4ca10739

Download Submit
C:\Users\Admin\AppData\Roaming\thankyou.txt

Filesize
96B

MD5
56dda8c046c5eb736b67cf2c14ce4c0a

SHA1
15e0bd23b36d009de50aad2960845a4fcc7eb6bc

SHA256
b1bd21a766847c9fc97f742a485db33d204b3af8b836735fdb0e2a3131889b95

SHA512
7615c3b639b879489f66e5251a21a02a9bb3fb4bf270e770857959e881abad26697c954ce06c83f76911fe8e9303fd4cd2e795f0036b6e73da6e2e4b356c66b4

Download Submit
C:\Users\Admin\AppData\Roaming\x64 Loader1.exe

Filesize
62KB

MD5
e23391d72658e5472a976b0e98b18722

SHA1
58a608aa7e854d6e68217b7e8a1b7e03685caf11

SHA256
e744dd225012b9e99b02f3495a3d78810e67ca0fb1b0a327ff522594051d6fea

SHA512
c3fbd633a59674ea46175290cf8a8e676c2854af510c1978be88a747a2b2ac1a8f3a9599bffa50f80edf2d636bf9d01384fbbb99cd971c511acc755f2f820cb7

Download Submit
memory/2644-1-0x0000000000DA0000-0x0000000000DBA000-memory.dmp

Filesize
104KB

Download
memory/2644-0-0x000007FEF6453000-0x000007FEF6454000-memory.dmp

Filesize
4KB

Download
memory/2752-16-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2752-15-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2936-8-0x0000000000910000-0x0000000000926000-memory.dmp

Filesize
88KB

Download
memory/2936-10-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-38-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-39-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-40-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-22-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/3056-23-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing