xworm | 40d127a2d334e18d6e80801667a5d1e356f8c8a142563e360ab4f15796737428

General

Target

Excellent2.0.exe
Size

77KB
MD5

fa9dbd782dfb5bf2f278c4bc6a73279e
SHA1

dc01ceae67b4983111677b421691903a6eba150b
SHA256

40d127a2d334e18d6e80801667a5d1e356f8c8a142563e360ab4f15796737428
SHA512

dc0a3c67ea86b7dba4016800ddb03c27cc87932fe9244658675c470c3cb8b41f6fb1d1fe87feaef60acc80d65de26ba3ea5e100382bfbdf9c8e6829c5c1c3c04
SSDEEP

1536:rdxon/N6GtnKEc2wP8UiQksF+bVMp23aYkFDoPjPT6HMXkzf2YyjjmO82C3hk:gnF6GtnKTB0Ckk+bVMS9TXU+biO8x3hk

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

africa-wins.gl.at.ply.gg:41663

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4088-1-0x0000000000750000-0x000000000076A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2992	powershell.exe
3032	powershell.exe
3912	powershell.exe
5008	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	Excellent2.0.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Excellent2.0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Excellent2.0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Excellent2.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
400	timeout.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3912	powershell.exe
3912	powershell.exe
5008	powershell.exe
5008	powershell.exe
2992	powershell.exe
2992	powershell.exe
3032	powershell.exe
3032	powershell.exe
4088	Excellent2.0.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	Excellent2.0.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	4088	Excellent2.0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4088	Excellent2.0.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 3912	4088	Excellent2.0.exe	97
PID 4088 wrote to memory of 3912	4088	Excellent2.0.exe	97
PID 4088 wrote to memory of 5008	4088	Excellent2.0.exe	99
PID 4088 wrote to memory of 5008	4088	Excellent2.0.exe	99
PID 4088 wrote to memory of 2992	4088	Excellent2.0.exe	102
PID 4088 wrote to memory of 2992	4088	Excellent2.0.exe	102
PID 4088 wrote to memory of 3032	4088	Excellent2.0.exe	104
PID 4088 wrote to memory of 3032	4088	Excellent2.0.exe	104
PID 4088 wrote to memory of 3932	4088	Excellent2.0.exe	119
PID 4088 wrote to memory of 3932	4088	Excellent2.0.exe	119
PID 3932 wrote to memory of 400	3932	cmd.exe	121
PID 3932 wrote to memory of 400	3932	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\Excellent2.0.exe
"C:\Users\Admin\AppData\Local\Temp\Excellent2.0.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Excellent2.0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Excellent2.0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8400.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e095cbf24e40a1982450f68ccc431fbb

SHA1
cece19f2d70f2424a11cf649bd560cf187a307de

SHA256
032ece7d72e0d163f98aefea6e469099aea386c7a5ce389d0aac291279ff4259

SHA512
2eedc9194ceb2a3fa99cc2b8ce912c971fdb040552c19c0678acc7ac8357ffede3e9e8ada49bb96360ae0571b3e92a7bb41e3a023daef4a48628639da294af98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2469412a273a348e14b8b350c7a8e03

SHA1
ca91a3ad9c45bcf6297d4c00c12c3ff635596de9

SHA256
4daad0a4261fde94a041e40b294321be8fa6b64f53f6764a3be360ab2b15995d

SHA512
ccfb48fd50230a9d7537ae181ad1f2825a55cede93e27911397f26ef4233f2a1e91973221785503702d2e424d0e0aa18add192bb2f0ce8eca624f51a9494d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_unvg1rpv.ivo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8400.tmp.bat

Filesize
164B

MD5
dec7f65a1fe0860b49fa1ef198378bb1

SHA1
442a05f6fb61a4fbf8f0e3e95fcd13171746a85a

SHA256
c3f970983586da534b10458356dfdfab632bde2903fbfebe042a83cf510bf2b0

SHA512
eae20328aef897eaefcd3dbd51118249c0a185b5e11eed8d798fc3f5ec2deb6e10e69b7c6bdd3c8cb83c88b9c90478072a735d01b2baff98f7c9ec3ab4905053

Download Submit
memory/3912-12-0x00007FFE28CD0000-0x00007FFE29791000-memory.dmp

Filesize
10.8MB

Download
memory/3912-17-0x00007FFE28CD0000-0x00007FFE29791000-memory.dmp

Filesize
10.8MB

Download
memory/3912-14-0x00007FFE28CD0000-0x00007FFE29791000-memory.dmp

Filesize
10.8MB

Download
memory/3912-13-0x00007FFE28CD0000-0x00007FFE29791000-memory.dmp

Filesize
10.8MB

Download
memory/3912-2-0x000001483D600000-0x000001483D622000-memory.dmp

Filesize
136KB

Download
memory/4088-0-0x00007FFE28CD3000-0x00007FFE28CD5000-memory.dmp

Filesize
8KB

Download
memory/4088-56-0x00007FFE28CD0000-0x00007FFE29791000-memory.dmp

Filesize
10.8MB

Download
memory/4088-57-0x00007FFE28CD0000-0x00007FFE29791000-memory.dmp

Filesize
10.8MB

Download
memory/4088-58-0x000000001B380000-0x000000001B38C000-memory.dmp

Filesize
48KB

Download
memory/4088-1-0x0000000000750000-0x000000000076A000-memory.dmp

Filesize
104KB

Download
memory/4088-67-0x00007FFE28CD0000-0x00007FFE29791000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads