xworm | d65824b6d2c191eb48d040261d408ecb3f1d0cf6ef9ceac096543b184582aded

Analysis

max time kernel
895s
max time network
891s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

34KB
MD5

420aaab8a4e68d5730a9e19422a0fe96
SHA1

f4dd350f797169f22c8efd7de8a252b7d2fcf8ae
SHA256

d65824b6d2c191eb48d040261d408ecb3f1d0cf6ef9ceac096543b184582aded
SHA512

fa1ccd03397231387559381aa7762e786b98fa89c02a8b09b6804a14ed0a3ce45ba11bb6b5f7a112a2420a3bd25f708f2ebc4afb281c377dc372fca563e63f98
SSDEEP

768:0e749/qEkLACVVickCVFy19JZ6aO/hoq/:XaCEk8hcdF49JZ6aO/CQ

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

association-lectures.gl.at.ply.gg:32463

Mutex

Gpg1PP1lxuWY9X4X

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 9 IoCs

resource	yara_rule
behavioral1/memory/2324-1-0x0000000000BA0000-0x0000000000BAE000-memory.dmp	family_xworm
behavioral1/files/0x0009000000016d69-28.dat	family_xworm
behavioral1/memory/1924-35-0x0000000001250000-0x000000000125E000-memory.dmp	family_xworm
behavioral1/memory/2312-41-0x00000000013D0000-0x00000000013DE000-memory.dmp	family_xworm
behavioral1/memory/2708-45-0x00000000000C0000-0x00000000000CE000-memory.dmp	family_xworm
behavioral1/memory/2944-47-0x0000000000A90000-0x0000000000A9E000-memory.dmp	family_xworm
behavioral1/memory/1612-50-0x0000000000FA0000-0x0000000000FAE000-memory.dmp	family_xworm
behavioral1/memory/2080-52-0x0000000000FF0000-0x0000000000FFE000-memory.dmp	family_xworm
behavioral1/memory/296-56-0x0000000001260000-0x000000000126E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2084	powershell.exe
2152	powershell.exe
2804	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 15 IoCs

pid	Process
1924	XClient.exe
560	XClient.exe
1752	XClient.exe
908	XClient.exe
2312	XClient.exe
1596	XClient.exe
2892	XClient.exe
2708	XClient.exe
2944	XClient.exe
2256	XClient.exe
1612	XClient.exe
2080	XClient.exe
988	XClient.exe
1636	XClient.exe
296	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2084	powershell.exe
2152	powershell.exe
2804	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	XClient.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2324	XClient.exe
Token: SeDebugPrivilege	1924	XClient.exe
Token: SeDebugPrivilege	560	XClient.exe
Token: SeDebugPrivilege	1752	XClient.exe
Token: SeDebugPrivilege	908	XClient.exe
Token: SeDebugPrivilege	2312	XClient.exe
Token: SeDebugPrivilege	1596	XClient.exe
Token: SeDebugPrivilege	2892	XClient.exe
Token: SeDebugPrivilege	2708	XClient.exe
Token: SeDebugPrivilege	2944	XClient.exe
Token: SeDebugPrivilege	2256	XClient.exe
Token: SeDebugPrivilege	1612	XClient.exe
Token: SeDebugPrivilege	2080	XClient.exe
Token: SeDebugPrivilege	988	XClient.exe
Token: SeDebugPrivilege	1636	XClient.exe
Token: SeDebugPrivilege	296	XClient.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2084	2324	XClient.exe	30
PID 2324 wrote to memory of 2084	2324	XClient.exe	30
PID 2324 wrote to memory of 2084	2324	XClient.exe	30
PID 2324 wrote to memory of 2152	2324	XClient.exe	33
PID 2324 wrote to memory of 2152	2324	XClient.exe	33
PID 2324 wrote to memory of 2152	2324	XClient.exe	33
PID 2324 wrote to memory of 2804	2324	XClient.exe	35
PID 2324 wrote to memory of 2804	2324	XClient.exe	35
PID 2324 wrote to memory of 2804	2324	XClient.exe	35
PID 2324 wrote to memory of 2948	2324	XClient.exe	37
PID 2324 wrote to memory of 2948	2324	XClient.exe	37
PID 2324 wrote to memory of 2948	2324	XClient.exe	37
PID 1080 wrote to memory of 1924	1080	taskeng.exe	41
PID 1080 wrote to memory of 1924	1080	taskeng.exe	41
PID 1080 wrote to memory of 1924	1080	taskeng.exe	41
PID 1080 wrote to memory of 560	1080	taskeng.exe	42
PID 1080 wrote to memory of 560	1080	taskeng.exe	42
PID 1080 wrote to memory of 560	1080	taskeng.exe	42
PID 1080 wrote to memory of 1752	1080	taskeng.exe	43
PID 1080 wrote to memory of 1752	1080	taskeng.exe	43
PID 1080 wrote to memory of 1752	1080	taskeng.exe	43
PID 1080 wrote to memory of 908	1080	taskeng.exe	44
PID 1080 wrote to memory of 908	1080	taskeng.exe	44
PID 1080 wrote to memory of 908	1080	taskeng.exe	44
PID 1080 wrote to memory of 2312	1080	taskeng.exe	45
PID 1080 wrote to memory of 2312	1080	taskeng.exe	45
PID 1080 wrote to memory of 2312	1080	taskeng.exe	45
PID 1080 wrote to memory of 1596	1080	taskeng.exe	46
PID 1080 wrote to memory of 1596	1080	taskeng.exe	46
PID 1080 wrote to memory of 1596	1080	taskeng.exe	46
PID 1080 wrote to memory of 2892	1080	taskeng.exe	47
PID 1080 wrote to memory of 2892	1080	taskeng.exe	47
PID 1080 wrote to memory of 2892	1080	taskeng.exe	47
PID 1080 wrote to memory of 2708	1080	taskeng.exe	49
PID 1080 wrote to memory of 2708	1080	taskeng.exe	49
PID 1080 wrote to memory of 2708	1080	taskeng.exe	49
PID 1080 wrote to memory of 2944	1080	taskeng.exe	50
PID 1080 wrote to memory of 2944	1080	taskeng.exe	50
PID 1080 wrote to memory of 2944	1080	taskeng.exe	50
PID 1080 wrote to memory of 2256	1080	taskeng.exe	51
PID 1080 wrote to memory of 2256	1080	taskeng.exe	51
PID 1080 wrote to memory of 2256	1080	taskeng.exe	51
PID 1080 wrote to memory of 1612	1080	taskeng.exe	52
PID 1080 wrote to memory of 1612	1080	taskeng.exe	52
PID 1080 wrote to memory of 1612	1080	taskeng.exe	52
PID 1080 wrote to memory of 2080	1080	taskeng.exe	53
PID 1080 wrote to memory of 2080	1080	taskeng.exe	53
PID 1080 wrote to memory of 2080	1080	taskeng.exe	53
PID 1080 wrote to memory of 988	1080	taskeng.exe	54
PID 1080 wrote to memory of 988	1080	taskeng.exe	54
PID 1080 wrote to memory of 988	1080	taskeng.exe	54
PID 1080 wrote to memory of 1636	1080	taskeng.exe	55
PID 1080 wrote to memory of 1636	1080	taskeng.exe	55
PID 1080 wrote to memory of 1636	1080	taskeng.exe	55
PID 1080 wrote to memory of 296	1080	taskeng.exe	56
PID 1080 wrote to memory of 296	1080	taskeng.exe	56
PID 1080 wrote to memory of 296	1080	taskeng.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2948

C:\Windows\system32\taskeng.exe
taskeng.exe {7245D03D-5DEA-4C61-9FE2-AE8AE376C3F4} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7d460e64a50a1a3c08c98007c4127928

SHA1
7da62d1c5c87078f28d283bc827185ffe54c75d8

SHA256
ad3cbd9e2d2932072282110b3855bd386556ef7f66a006209a85dc1887c642c8

SHA512
09e736545fec43bb18f63d1ec2c3ab9fdc8b99692289f5be0f81907bef11130f2b2897cca36eb19e210261e0b4d8e6027c133a9a9233bc6f5c4ba8e77733c095

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
34KB

MD5
420aaab8a4e68d5730a9e19422a0fe96

SHA1
f4dd350f797169f22c8efd7de8a252b7d2fcf8ae

SHA256
d65824b6d2c191eb48d040261d408ecb3f1d0cf6ef9ceac096543b184582aded

SHA512
fa1ccd03397231387559381aa7762e786b98fa89c02a8b09b6804a14ed0a3ce45ba11bb6b5f7a112a2420a3bd25f708f2ebc4afb281c377dc372fca563e63f98

Download Submit
memory/296-56-0x0000000001260000-0x000000000126E000-memory.dmp

Filesize
56KB

Download
memory/1612-50-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

Filesize
56KB

Download
memory/1924-35-0x0000000001250000-0x000000000125E000-memory.dmp

Filesize
56KB

Download
memory/2080-52-0x0000000000FF0000-0x0000000000FFE000-memory.dmp

Filesize
56KB

Download
memory/2084-8-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2084-7-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/2084-6-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2152-15-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2152-14-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2312-41-0x00000000013D0000-0x00000000013DE000-memory.dmp

Filesize
56KB

Download
memory/2324-23-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2324-30-0x000000001A6E0000-0x000000001A760000-memory.dmp

Filesize
512KB

Download
memory/2324-31-0x000000001A6E0000-0x000000001A760000-memory.dmp

Filesize
512KB

Download
memory/2324-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2324-1-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/2708-45-0x00000000000C0000-0x00000000000CE000-memory.dmp

Filesize
56KB

Download
memory/2944-47-0x0000000000A90000-0x0000000000A9E000-memory.dmp

Filesize
56KB

Download