xworm | 4bb7d508bf673c704a2e32e0a377cb22dca7bcce49926c70e1a31b0c49a3799c

General

Target

SolaraCheats.exe
Size

43KB
MD5

d3ff8047aca44c123aee05f1b70461de
SHA1

32103819ba9a8147321492701539b024c475f3e9
SHA256

4bb7d508bf673c704a2e32e0a377cb22dca7bcce49926c70e1a31b0c49a3799c
SHA512

a951d7e84ab2ad049de3c28faae48fb2797fdd71b038b4520db3139972ad5af489e62de648ce93d16e4bc8dfd228b281f4fe672ccf4bcd6d301ab10299d3a925
SSDEEP

768:Ypv/mHz9gP9C6Mt7ZDIeEb/chpbTW/gjSoqqa2K1zs1Qk2GmgNjPYfh6hb:av+cC6YbEYLnJSod41uBYy

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

without-excited.gl.at.ply.gg:14454

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2680-9-0x0000000001030000-0x0000000001044000-memory.dmp	family_xworm
behavioral1/files/0x000c00000001226d-5.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2692	powershell.exe
2708	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2692	powershell.exe
2708	powershell.exe
2680	XClient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	XClient.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2680	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2680	XClient.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2680	2336	SolaraCheats.exe	30
PID 2336 wrote to memory of 2680	2336	SolaraCheats.exe	30
PID 2336 wrote to memory of 2680	2336	SolaraCheats.exe	30
PID 2680 wrote to memory of 2692	2680	XClient.exe	31
PID 2680 wrote to memory of 2692	2680	XClient.exe	31
PID 2680 wrote to memory of 2692	2680	XClient.exe	31
PID 2680 wrote to memory of 2708	2680	XClient.exe	33
PID 2680 wrote to memory of 2708	2680	XClient.exe	33
PID 2680 wrote to memory of 2708	2680	XClient.exe	33

C:\Users\Admin\AppData\Local\Temp\SolaraCheats.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraCheats.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
56KB

MD5
1b1108346597faf7fc22b24c8f95c1ec

SHA1
d67990fa879ac4d5f392df7b653672eae0d5b6bc

SHA256
65f9150da83f99c14cd2ba4d8a9fb6d7360166a5770cff7fe6d41204c2910aa8

SHA512
f5bc3ff2301b9555136e51b67cdb8c9524b94d256c7fb9f21bfccc42c2432434c658b15aa2b77aa3f3f6306ea6ab47dc227d35540efb13a17ca5d557a721b308

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A0KN8HH9X6G69TQQ5RKI.temp

Filesize
7KB

MD5
2d7c28ad2eb70d6fed9da907063a60e4

SHA1
152e0e095fca71ec3af36806a22f3800a0d81130

SHA256
baeb221a1652095d5b1b5ee4405c695e44255295d78ea7a59c3d19b5bade7640

SHA512
4e575c05280b8e6b86a37dcecb112b2f738b27d2b829f1b5a77e2e9f085826cb591fa72b8cf8c4dc1bc456047611a2b6a696828af79828875db892cd4e8bc6ac

Download Submit
memory/2336-1-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/2336-10-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-0-0x000007FEF5A03000-0x000007FEF5A04000-memory.dmp

Filesize
4KB

Download
memory/2680-11-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/2680-9-0x0000000001030000-0x0000000001044000-memory.dmp

Filesize
80KB

Download
memory/2680-27-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/2680-26-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/2680-25-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-17-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2692-16-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2708-24-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2708-23-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing