xworm | e98dc3272849a4feef91b79b5f4ceb5a5caeeb67c0ace7b951e719e4c56dc4b9

Reason

Machine shutdown

General

Target

XClient.exe
Size

197KB
MD5

947531e390d56a33db1c5fac201f3d6e
SHA1

6890af0bf097ca3dbf3a979251e8e9655a0d28c9
SHA256

e98dc3272849a4feef91b79b5f4ceb5a5caeeb67c0ace7b951e719e4c56dc4b9
SHA512

36c81a7b5ad59952e0e084df7601e14e2f4ac5530dd2937ab90f7f7693297f9776f6e970905f35cf058b76d5c3a465a112276d6426fe6527b8596504292df3e0
SSDEEP

3072:Qd9KkHFE9jNOjn8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLnK:QrE92UhcX7elbKTuq9bfF/H9d9n

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

ohsorry-20836.portmap.host:20836

Mutex

p0RlYlnzEbgzdE3a

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/912-1-0x0000000000690000-0x00000000006C6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
3896	enyltc.exe
3180	xxrnpg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	enyltc.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "145"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2568	LogonUI.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 3896	912	XClient.exe	83
PID 912 wrote to memory of 3896	912	XClient.exe	83
PID 912 wrote to memory of 3896	912	XClient.exe	83
PID 912 wrote to memory of 3180	912	XClient.exe	87
PID 912 wrote to memory of 3180	912	XClient.exe	87

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\enyltc.exe
  "C:\Users\Admin\AppData\Local\Temp\enyltc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3896
- C:\Users\Admin\AppData\Local\Temp\xxrnpg.exe
  "C:\Users\Admin\AppData\Local\Temp\xxrnpg.exe"
  2⤵
  - Executes dropped EXE
  PID:3180

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2d855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\enyltc.exe

Filesize
53KB

MD5
d0a314fbbc8e3932366190b80d3a1d43

SHA1
9f5acdce5c4be66bce4d36d30dc0cc28cc607269

SHA256
b59b98e49c5a393691d1766623992d7b998b61a4f4420769c1431963146fdf6b

SHA512
15cda90b5bcd668b28a165cd83a165cb709b76cfcca21bd7918f6693022f93bafcb930dbbc8504c1ec9f47baa828ae47c58cf38b04ac1ec83911d126fe443d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxrnpg.exe

Filesize
10KB

MD5
424755b9f13cdb742d503836bf09e63e

SHA1
b4cdc234fdca58519edf14fa3b0bb3a522249440

SHA256
e0e95c4be30bc2199018c4a44b4df874ee991665d0aff048e39b1c905cc9da56

SHA512
29dd79ca6d2e451da0b0597c1d6b4cd860a8641438f139dcd3ecc02ecd0a638feb28e41b2088fc2e360b27f5c343b1843889686070307bdb26077593791972b7

Download Submit
memory/912-1-0x0000000000690000-0x00000000006C6000-memory.dmp

Filesize
216KB

Download
memory/912-2-0x00007FFE734F0000-0x00007FFE73FB2000-memory.dmp

Filesize
10.8MB

Download
memory/912-3-0x00007FFE734F0000-0x00007FFE73FB2000-memory.dmp

Filesize
10.8MB

Download
memory/912-4-0x00000000028D0000-0x00000000028DC000-memory.dmp

Filesize
48KB

Download
memory/912-36-0x00007FFE734F0000-0x00007FFE73FB2000-memory.dmp

Filesize
10.8MB

Download
memory/912-0-0x00007FFE734F3000-0x00007FFE734F5000-memory.dmp

Filesize
8KB

Download
memory/3180-35-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/3896-18-0x0000000004F90000-0x0000000005536000-memory.dmp

Filesize
5.6MB

Download
memory/3896-20-0x0000000074630000-0x0000000074DE1000-memory.dmp

Filesize
7.7MB

Download
memory/3896-21-0x0000000004A60000-0x0000000004A6A000-memory.dmp

Filesize
40KB

Download
memory/3896-23-0x0000000074630000-0x0000000074DE1000-memory.dmp

Filesize
7.7MB

Download
memory/3896-19-0x0000000004A80000-0x0000000004B12000-memory.dmp

Filesize
584KB

Download
memory/3896-17-0x00000000000C0000-0x00000000000D4000-memory.dmp

Filesize
80KB

Download
memory/3896-16-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors