xworm | 9465f48edb12c0ecfe182d5d6a91be86afd52c152b61c3916efb09df3a90cb05

General

Target

ratka.exe
Size

80KB
MD5

39ffa7b287f2d822703a6deea560dcbd
SHA1

34ae6406ec73ad02955cb7676b37489fdab1695b
SHA256

9465f48edb12c0ecfe182d5d6a91be86afd52c152b61c3916efb09df3a90cb05
SHA512

7efa49f3c9ba846d6382e7683d64a5b00232c459028a177b07c0e4f28f06682bd3a219421a355515766007bee9e0dfcce5e243afba73290487057542a644cc40
SSDEEP

1536:GeKbbG1+cDVWr5hLbwWV5hcEW07Z4E+bCXsEN9qtgq6rLs4ORpmcG1h:GeKbb60r5hLbwWVcPk1+b8JY4ORpmth

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

cause-indexes.gl.at.ply.gg:17210

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2104-1-0x0000000000F00000-0x0000000000F1A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2372	powershell.exe
2760	powershell.exe
2756	powershell.exe
2908	powershell.exe

Deletes itself 1 IoCs

pid	Process
1968	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ratka.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ratka.exe

Loads dropped DLL 1 IoCs

pid	Process
2104	ratka.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	ratka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1576	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2372	powershell.exe
2760	powershell.exe
2756	powershell.exe
2908	powershell.exe
2104	ratka.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	ratka.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2104	ratka.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2104	ratka.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2372	2104	ratka.exe	30
PID 2104 wrote to memory of 2372	2104	ratka.exe	30
PID 2104 wrote to memory of 2372	2104	ratka.exe	30
PID 2104 wrote to memory of 2760	2104	ratka.exe	32
PID 2104 wrote to memory of 2760	2104	ratka.exe	32
PID 2104 wrote to memory of 2760	2104	ratka.exe	32
PID 2104 wrote to memory of 2756	2104	ratka.exe	34
PID 2104 wrote to memory of 2756	2104	ratka.exe	34
PID 2104 wrote to memory of 2756	2104	ratka.exe	34
PID 2104 wrote to memory of 2908	2104	ratka.exe	36
PID 2104 wrote to memory of 2908	2104	ratka.exe	36
PID 2104 wrote to memory of 2908	2104	ratka.exe	36
PID 2104 wrote to memory of 1968	2104	ratka.exe	40
PID 2104 wrote to memory of 1968	2104	ratka.exe	40
PID 2104 wrote to memory of 1968	2104	ratka.exe	40
PID 1968 wrote to memory of 1576	1968	cmd.exe	42
PID 1968 wrote to memory of 1576	1968	cmd.exe	42
PID 1968 wrote to memory of 1576	1968	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\ratka.exe
"C:\Users\Admin\AppData\Local\Temp\ratka.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ratka.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7022.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7022.tmp.bat

Filesize
157B

MD5
fc3ffe6190e0268fe501111777313996

SHA1
3374434444d10d4cb6c898b847fb839153aea7ea

SHA256
f5a6d1d5177a14c42fc5c520d3a5a6641834a437f3fff765fc42fe7428cade74

SHA512
34fbec0b9cab05bd3a0ae85c2512f4671aea24feec0e209f7324b33c6a24fc26ba1d3ee30401520f6c329da77ba93fcff1da6a3ea1890f65abf6afd745221ca7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
03237bd3e601cc889c96356e859a7064

SHA1
295e22a624ec32582791924e496f6dc6a4cc094c

SHA256
63ca0dc67fe603303c716fd3eba275bac76af8fdc4a47a9b1a49a27cddd6d76f

SHA512
a2f5c0e65b27e6545199ab5fbf4e3ed8e997e64ec0a57e0dbf7f188bd4c2826a22fb8b61085285ba5cc708b9b1289746d886dae5cf9a8eea07c7023f8bc9bb95

Download Submit
\Users\Admin\AppData\Local\Temp\tmp62B9.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/2104-32-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2104-1-0x0000000000F00000-0x0000000000F1A000-memory.dmp

Filesize
104KB

Download
memory/2104-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/2104-35-0x00000000023A0000-0x00000000023DA000-memory.dmp

Filesize
232KB

Download
memory/2104-34-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2104-30-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2104-31-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/2372-7-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2372-8-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2372-6-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2760-15-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2760-14-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads