xworm | d65824b6d2c191eb48d040261d408ecb3f1d0cf6ef9ceac096543b184582aded

General

Target

XClient.exe
Size

34KB
MD5

420aaab8a4e68d5730a9e19422a0fe96
SHA1

f4dd350f797169f22c8efd7de8a252b7d2fcf8ae
SHA256

d65824b6d2c191eb48d040261d408ecb3f1d0cf6ef9ceac096543b184582aded
SHA512

fa1ccd03397231387559381aa7762e786b98fa89c02a8b09b6804a14ed0a3ce45ba11bb6b5f7a112a2420a3bd25f708f2ebc4afb281c377dc372fca563e63f98
SSDEEP

768:0e749/qEkLACVVickCVFy19JZ6aO/hoq/:XaCEk8hcdF49JZ6aO/CQ

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

association-lectures.gl.at.ply.gg:32463

Mutex

Gpg1PP1lxuWY9X4X

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2444-1-0x00000000009E0000-0x00000000009EE000-memory.dmp	family_xworm
behavioral1/files/0x0034000000011c23-27.dat	family_xworm
behavioral1/memory/1712-35-0x0000000000050000-0x000000000005E000-memory.dmp	family_xworm
behavioral1/memory/1824-40-0x00000000000A0000-0x00000000000AE000-memory.dmp	family_xworm
behavioral1/memory/1228-42-0x0000000000200000-0x000000000020E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2496	powershell.exe
3028	powershell.exe
2280	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 3 IoCs

pid	Process
1712	XClient.exe
1824	XClient.exe
1228	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3028	powershell.exe
2280	powershell.exe
2496	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	XClient.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2444	XClient.exe
Token: SeDebugPrivilege	1712	XClient.exe
Token: SeDebugPrivilege	1824	XClient.exe
Token: SeDebugPrivilege	1228	XClient.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 3028	2444	XClient.exe	31
PID 2444 wrote to memory of 3028	2444	XClient.exe	31
PID 2444 wrote to memory of 3028	2444	XClient.exe	31
PID 2444 wrote to memory of 2280	2444	XClient.exe	33
PID 2444 wrote to memory of 2280	2444	XClient.exe	33
PID 2444 wrote to memory of 2280	2444	XClient.exe	33
PID 2444 wrote to memory of 2496	2444	XClient.exe	35
PID 2444 wrote to memory of 2496	2444	XClient.exe	35
PID 2444 wrote to memory of 2496	2444	XClient.exe	35
PID 2444 wrote to memory of 2400	2444	XClient.exe	37
PID 2444 wrote to memory of 2400	2444	XClient.exe	37
PID 2444 wrote to memory of 2400	2444	XClient.exe	37
PID 1752 wrote to memory of 1712	1752	taskeng.exe	41
PID 1752 wrote to memory of 1712	1752	taskeng.exe	41
PID 1752 wrote to memory of 1712	1752	taskeng.exe	41
PID 1752 wrote to memory of 1824	1752	taskeng.exe	42
PID 1752 wrote to memory of 1824	1752	taskeng.exe	42
PID 1752 wrote to memory of 1824	1752	taskeng.exe	42
PID 1752 wrote to memory of 1228	1752	taskeng.exe	43
PID 1752 wrote to memory of 1228	1752	taskeng.exe	43
PID 1752 wrote to memory of 1228	1752	taskeng.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2400

C:\Windows\system32\taskeng.exe
taskeng.exe {1848BF3D-FBC4-47DD-86CA-0A80BC8CA51B} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a8efd925b36ffcd692d3e8448dc6d5c2

SHA1
c14bba45782e194519ac1695474f586d9b3ee535

SHA256
6c2f9eff0f58d72fab2419ea87bf9de3283b5fa39702a382ab9ff1c27dbcb1cc

SHA512
9f8fdee0d48f7207b534683c217fcb5a3f3130b910b7d8ff21807e865ac65f59cfeebd3738b16666e19d677a856224e620e5a3d77d79bc9765fab438c2e87692

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
34KB

MD5
420aaab8a4e68d5730a9e19422a0fe96

SHA1
f4dd350f797169f22c8efd7de8a252b7d2fcf8ae

SHA256
d65824b6d2c191eb48d040261d408ecb3f1d0cf6ef9ceac096543b184582aded

SHA512
fa1ccd03397231387559381aa7762e786b98fa89c02a8b09b6804a14ed0a3ce45ba11bb6b5f7a112a2420a3bd25f708f2ebc4afb281c377dc372fca563e63f98

Download Submit
memory/1228-42-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/1712-35-0x0000000000050000-0x000000000005E000-memory.dmp

Filesize
56KB

Download
memory/1824-40-0x00000000000A0000-0x00000000000AE000-memory.dmp

Filesize
56KB

Download
memory/2280-15-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2280-14-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2444-30-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2444-29-0x000000001AE10000-0x000000001AE90000-memory.dmp

Filesize
512KB

Download
memory/2444-31-0x000000001AE10000-0x000000001AE90000-memory.dmp

Filesize
512KB

Download
memory/2444-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2444-36-0x0000000001FB0000-0x0000000001FBA000-memory.dmp

Filesize
40KB

Download
memory/2444-38-0x000000001A7B0000-0x000000001A832000-memory.dmp

Filesize
520KB

Download
memory/2444-1-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/3028-6-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/3028-8-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/3028-7-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads