xworm | 13998cf5ce3fc1b1fb20635ef2c1e476c880d72eec7afb7e8ec74808928700da

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7e953c8807b21e5a5db9757e01e27e8018901c36cd81ef12cbda5712ad1c528.exe
Size

513KB
MD5

bee8b480b0eaca7a667e7167fb8a90d9
SHA1

9f313636052c520f376c1dd78db8965206828a49
SHA256

a7e953c8807b21e5a5db9757e01e27e8018901c36cd81ef12cbda5712ad1c528
SHA512

4307592c42fc62376d5ca68dc877160ce78ab6521ac14ef8a17f0acaae3b2751ffee7100b555f8027142ad1e5992b80d9c5a012ffebd8c02804090c9244e3f76
SSDEEP

12288:47eq029boZJl4K5qFy8Q3txiiCsi6usc6JPE7G/7Btt:4eqAjIF8WsShAPEQ7

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral21/files/0x000d00000001226b-5.dat	family_xworm
behavioral21/memory/2748-9-0x0000000000E50000-0x0000000000E62000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 26 IoCs

pid	Process
2748	XClient.exe
2664	Output.exe
2620	Output.exe
2824	XClient.exe
2548	Output.exe
2528	XClient.exe
3056	Output.exe
3044	XClient.exe
3028	Output.exe
2944	XClient.exe
1260	XClient.exe
2852	Output.exe
1684	Output.exe
1252	XClient.exe
592	XClient.exe
2900	Output.exe
2740	XClient.exe
1624	Output.exe
1660	XClient.exe
2084	Output.exe
2156	XClient.exe
1292	Output.exe
2184	XClient.exe
1092	Output.exe
1384	Output.exe
2208	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	XClient.exe
Token: SeDebugPrivilege	2824	XClient.exe
Token: SeDebugPrivilege	2528	XClient.exe
Token: SeDebugPrivilege	3044	XClient.exe
Token: SeDebugPrivilege	2944	XClient.exe
Token: SeDebugPrivilege	1260	XClient.exe
Token: SeDebugPrivilege	1252	XClient.exe
Token: SeDebugPrivilege	592	XClient.exe
Token: SeDebugPrivilege	2740	XClient.exe
Token: SeDebugPrivilege	1660	XClient.exe
Token: SeDebugPrivilege	2156	XClient.exe
Token: SeDebugPrivilege	2184	XClient.exe
Token: SeDebugPrivilege	2208	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2748	2672	a7e953c8807b21e5a5db9757e01e27e8018901c36cd81ef12cbda5712ad1c528.exe	30
PID 2672 wrote to memory of 2748	2672	a7e953c8807b21e5a5db9757e01e27e8018901c36cd81ef12cbda5712ad1c528.exe	30
PID 2672 wrote to memory of 2748	2672	a7e953c8807b21e5a5db9757e01e27e8018901c36cd81ef12cbda5712ad1c528.exe	30
PID 2672 wrote to memory of 2664	2672	a7e953c8807b21e5a5db9757e01e27e8018901c36cd81ef12cbda5712ad1c528.exe	31
PID 2672 wrote to memory of 2664	2672	a7e953c8807b21e5a5db9757e01e27e8018901c36cd81ef12cbda5712ad1c528.exe	31
PID 2672 wrote to memory of 2664	2672	a7e953c8807b21e5a5db9757e01e27e8018901c36cd81ef12cbda5712ad1c528.exe	31
PID 2664 wrote to memory of 2824	2664	Output.exe	32
PID 2664 wrote to memory of 2824	2664	Output.exe	32
PID 2664 wrote to memory of 2824	2664	Output.exe	32
PID 2664 wrote to memory of 2620	2664	Output.exe	33
PID 2664 wrote to memory of 2620	2664	Output.exe	33
PID 2664 wrote to memory of 2620	2664	Output.exe	33
PID 2620 wrote to memory of 2528	2620	Output.exe	34
PID 2620 wrote to memory of 2528	2620	Output.exe	34
PID 2620 wrote to memory of 2528	2620	Output.exe	34
PID 2620 wrote to memory of 2548	2620	Output.exe	35
PID 2620 wrote to memory of 2548	2620	Output.exe	35
PID 2620 wrote to memory of 2548	2620	Output.exe	35
PID 2548 wrote to memory of 3044	2548	Output.exe	36
PID 2548 wrote to memory of 3044	2548	Output.exe	36
PID 2548 wrote to memory of 3044	2548	Output.exe	36
PID 2548 wrote to memory of 3056	2548	Output.exe	37
PID 2548 wrote to memory of 3056	2548	Output.exe	37
PID 2548 wrote to memory of 3056	2548	Output.exe	37
PID 3056 wrote to memory of 2944	3056	Output.exe	38
PID 3056 wrote to memory of 2944	3056	Output.exe	38
PID 3056 wrote to memory of 2944	3056	Output.exe	38
PID 3056 wrote to memory of 3028	3056	Output.exe	39
PID 3056 wrote to memory of 3028	3056	Output.exe	39
PID 3056 wrote to memory of 3028	3056	Output.exe	39
PID 3028 wrote to memory of 1260	3028	Output.exe	40
PID 3028 wrote to memory of 1260	3028	Output.exe	40
PID 3028 wrote to memory of 1260	3028	Output.exe	40
PID 3028 wrote to memory of 2852	3028	Output.exe	41
PID 3028 wrote to memory of 2852	3028	Output.exe	41
PID 3028 wrote to memory of 2852	3028	Output.exe	41
PID 2852 wrote to memory of 1252	2852	Output.exe	42
PID 2852 wrote to memory of 1252	2852	Output.exe	42
PID 2852 wrote to memory of 1252	2852	Output.exe	42
PID 2852 wrote to memory of 1684	2852	Output.exe	43
PID 2852 wrote to memory of 1684	2852	Output.exe	43
PID 2852 wrote to memory of 1684	2852	Output.exe	43
PID 1684 wrote to memory of 592	1684	Output.exe	44
PID 1684 wrote to memory of 592	1684	Output.exe	44
PID 1684 wrote to memory of 592	1684	Output.exe	44
PID 1684 wrote to memory of 2900	1684	Output.exe	45
PID 1684 wrote to memory of 2900	1684	Output.exe	45
PID 1684 wrote to memory of 2900	1684	Output.exe	45
PID 2900 wrote to memory of 2740	2900	Output.exe	46
PID 2900 wrote to memory of 2740	2900	Output.exe	46
PID 2900 wrote to memory of 2740	2900	Output.exe	46
PID 2900 wrote to memory of 1624	2900	Output.exe	47
PID 2900 wrote to memory of 1624	2900	Output.exe	47
PID 2900 wrote to memory of 1624	2900	Output.exe	47
PID 1624 wrote to memory of 1660	1624	Output.exe	48
PID 1624 wrote to memory of 1660	1624	Output.exe	48
PID 1624 wrote to memory of 1660	1624	Output.exe	48
PID 1624 wrote to memory of 2084	1624	Output.exe	49
PID 1624 wrote to memory of 2084	1624	Output.exe	49
PID 1624 wrote to memory of 2084	1624	Output.exe	49
PID 2084 wrote to memory of 2156	2084	Output.exe	50
PID 2084 wrote to memory of 2156	2084	Output.exe	50
PID 2084 wrote to memory of 2156	2084	Output.exe	50
PID 2084 wrote to memory of 1292	2084	Output.exe	51

C:\Users\Admin\AppData\Local\Temp\a7e953c8807b21e5a5db9757e01e27e8018901c36cd81ef12cbda5712ad1c528.exe
"C:\Users\Admin\AppData\Local\Temp\a7e953c8807b21e5a5db9757e01e27e8018901c36cd81ef12cbda5712ad1c528.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Users\Admin\AppData\Roaming\Output.exe
  "C:\Users\Admin\AppData\Roaming\Output.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Roaming\XClient.exe
    "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Users\Admin\AppData\Roaming\Output.exe
    "C:\Users\Admin\AppData\Roaming\Output.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2528
  - - C:\Users\Admin\AppData\Roaming\Output.exe
      "C:\Users\Admin\AppData\Roaming\Output.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Users\Admin\AppData\Roaming\XClient.exe
        
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Users\Admin\AppData\Roaming\Output.exe
        
        "C:\Users\Admin\AppData\Roaming\Output.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Users\Admin\AppData\Roaming\XClient.exe
        
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
      - C:\Users\Admin\AppData\Roaming\Output.exe
        
        "C:\Users\Admin\AppData\Roaming\Output.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\XClient.exe
        
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Users\Admin\AppData\Roaming\Output.exe
        
        "C:\Users\Admin\AppData\Roaming\Output.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\XClient.exe
        
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\Output.exe
        
        "C:\Users\Admin\AppData\Roaming\Output.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\XClient.exe
        
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Users\Admin\AppData\Roaming\Output.exe
        
        "C:\Users\Admin\AppData\Roaming\Output.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\XClient.exe
        
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\Output.exe
        
        "C:\Users\Admin\AppData\Roaming\Output.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\XClient.exe
        
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\Output.exe
        
        "C:\Users\Admin\AppData\Roaming\Output.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\XClient.exe
        
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Output.exe
        
        "C:\Users\Admin\AppData\Roaming\Output.exe"
        12⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Users\Admin\AppData\Roaming\XClient.exe
        
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Output.exe
        
        "C:\Users\Admin\AppData\Roaming\Output.exe"
        13⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\XClient.exe
        
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Output.exe
        
        "C:\Users\Admin\AppData\Roaming\Output.exe"
        14⤵
        Executes dropped EXE
        
        PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Output.exe

Filesize
446KB

MD5
68e298b36db386382e7dfbe5bd784699

SHA1
123700bc8004ee6c9967a6818689658c23cf4996

SHA256
342f2b5aa4fb4c3d9bfa18f7ff3e96ac5a21db19b8635b92ca789dfcb4e55875

SHA512
879f41008ddd3464026b5c93338246fddfcc640e2790bf3d106555e22103dde1bfc33e23125e891a676daa263635518142cbf481f91b0671adfadce63222a562

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
50KB

MD5
e0918682feb10b28a39a9cfbf4d2d90c

SHA1
c33f8518747e96955387bac3c8299eea24357fe0

SHA256
8f7a69675281f0e5f2fd0b43c64434fdb132fdca1eb82cf23aa947f83c833d01

SHA512
dcb3961832197bf33b4e554a69b95a17c847fccde7211ca96ee0a9ad975a051f93e6f29a3a9525279b2aaf9d6b7208a8ddeb8c1d430e79ddf4155f5629038fa7

Download Submit
memory/2664-13-0x00000000003A0000-0x0000000000416000-memory.dmp

Filesize
472KB

Download
memory/2672-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

Filesize
4KB

Download
memory/2672-1-0x0000000000380000-0x0000000000406000-memory.dmp

Filesize
536KB

Download
memory/2748-9-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/2748-25-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-39-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-40-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-41-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download