xworm | 39f4f4ada4e89a0d825d16d021bd5a369f938bfc15c034765e3e51265a0c13ea

General

Target

XClient.exe
Size

72KB
MD5

15f74e14febfd737f68a48ab7ce58e84
SHA1

50ecde07de7aaa79821f68f1ddf29c856981ac76
SHA256

39f4f4ada4e89a0d825d16d021bd5a369f938bfc15c034765e3e51265a0c13ea
SHA512

08a36014ef4016d4d0bd638e85a8229fe5121e1b037a7764bb64d66fcd393d251390ca5f0930ea2337013019880d967a3811260f2ef146719e5c944f4700d5e5
SSDEEP

1536:CQNBCgR59ubFHFISnb+7ppbhNzaCzjI8MZHB6nQpOvWx9N:jNAIubFHFlqbhN73GOvWfN

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:41701

equipment-rep.gl.at.ply.gg:41701

Attributes

Install_directory
%AppData%
install_file
Runtime Broker.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2552-1-0x0000000000CE0000-0x0000000000CF8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
672	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4548	mspaint.exe
4548	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3528	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	XClient.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4548	mspaint.exe
3528	OpenWith.exe
672	POWERPNT.EXE
672	POWERPNT.EXE
672	POWERPNT.EXE
672	POWERPNT.EXE

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\TraceSet.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\LimitMeasure.potm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/672-29-0x00007FFF9F150000-0x00007FFF9F160000-memory.dmp

Filesize
64KB

Download
memory/672-27-0x00007FFF9F150000-0x00007FFF9F160000-memory.dmp

Filesize
64KB

Download
memory/672-25-0x00007FFF9F150000-0x00007FFF9F160000-memory.dmp

Filesize
64KB

Download
memory/672-26-0x00007FFF9F150000-0x00007FFF9F160000-memory.dmp

Filesize
64KB

Download
memory/672-379-0x00007FFF9F150000-0x00007FFF9F160000-memory.dmp

Filesize
64KB

Download
memory/672-380-0x00007FFF9F150000-0x00007FFF9F160000-memory.dmp

Filesize
64KB

Download
memory/672-28-0x00007FFF9F150000-0x00007FFF9F160000-memory.dmp

Filesize
64KB

Download
memory/672-381-0x00007FFF9F150000-0x00007FFF9F160000-memory.dmp

Filesize
64KB

Download
memory/672-378-0x00007FFF9F150000-0x00007FFF9F160000-memory.dmp

Filesize
64KB

Download
memory/672-31-0x00007FFF9CE50000-0x00007FFF9CE60000-memory.dmp

Filesize
64KB

Download
memory/672-30-0x00007FFF9CE50000-0x00007FFF9CE60000-memory.dmp

Filesize
64KB

Download
memory/2552-3-0x00007FFFC0F00000-0x00007FFFC19C1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-0-0x00007FFFC0F03000-0x00007FFFC0F05000-memory.dmp

Filesize
8KB

Download
memory/2552-2-0x00007FFFC0F00000-0x00007FFFC19C1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-1-0x0000000000CE0000-0x0000000000CF8000-memory.dmp

Filesize
96KB

Download
memory/3908-15-0x00000236F6D00000-0x00000236F6D01000-memory.dmp

Filesize
4KB

Download
memory/3908-23-0x00000236F6E20000-0x00000236F6E21000-memory.dmp

Filesize
4KB

Download
memory/3908-22-0x00000236F6E20000-0x00000236F6E21000-memory.dmp

Filesize
4KB

Download
memory/3908-21-0x00000236F6E10000-0x00000236F6E11000-memory.dmp

Filesize
4KB

Download
memory/3908-20-0x00000236F6E10000-0x00000236F6E11000-memory.dmp

Filesize
4KB

Download
memory/3908-19-0x00000236F6D80000-0x00000236F6D81000-memory.dmp

Filesize
4KB

Download
memory/3908-17-0x00000236F6D80000-0x00000236F6D81000-memory.dmp

Filesize
4KB

Download
memory/3908-8-0x00000236EE1B0000-0x00000236EE1C0000-memory.dmp

Filesize
64KB

Download
memory/3908-4-0x00000236EE170000-0x00000236EE180000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads