xworm | 80a2ae9b77c4eafc3da22fac6025b340793c2bdbfef7b061cdc88bdea330e11a

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

34KB
MD5

606d9b179157736ea5acad71ad50c0c7
SHA1

dd88b6e09b9be71fe98ee1fa76c5f14f5e9ef84c
SHA256

80a2ae9b77c4eafc3da22fac6025b340793c2bdbfef7b061cdc88bdea330e11a
SHA512

c81d9e0e6f28869f6618c2904d317eb113514db2685621c674c0697e76c187249fd50a365cf07f6972c2a43970b4081e470a18dc631ca74cd1f606307fcdd2c7
SSDEEP

768:OtH6rNd7AtFPNhzIgtoFk9Fy9Yx/Ojhe/Vcg:OtuNJyF0gtowFy9Yx/OjItcg

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

MellowFishy-29478.portmap.host:29478

Mutex

k1tzVGcrL1gP53ej

Attributes

Install_directory
%AppData%
install_file
Realtek Audio Driver.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1420-1-0x00000000003F0000-0x00000000003FE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Deletes itself 1 IoCs

pid	Process
2872	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek Audio Driver.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek Audio Driver.lnk	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek Audio Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Realtek Audio Driver.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2896	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	XClient.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2872	1420	XClient.exe	31
PID 1420 wrote to memory of 2872	1420	XClient.exe	31
PID 1420 wrote to memory of 2872	1420	XClient.exe	31
PID 2872 wrote to memory of 2896	2872	cmd.exe	33
PID 2872 wrote to memory of 2896	2872	cmd.exe	33
PID 2872 wrote to memory of 2896	2872	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA812.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA812.tmp.bat

Filesize
159B

MD5
0d14a371b0e7dfe5cc7b84cd7fb89481

SHA1
d7b05cc061768729a20b556308b2be1d510babc0

SHA256
459a1cc2830db9476b083c579f7db4f005763388e2e428c288ad154cc4ae7eea

SHA512
cb0a9d201d2541fd8246b290cb4b308787519f49909c7d1c2ca5a518d0ba06b79697f895ec011be27b8f15e8f22026fd49f073d4f2c594a2d3e1df76e8006a69

Download Submit
memory/1420-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/1420-1-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1420-6-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1420-7-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/1420-8-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1420-20-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads