xworm | f65c276f46ef90d4e70fd68e19db8f25af8810505bb832d8961d2a6e4caf17ae

Analysis

max time kernel
149s
max time network
152s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

63KB
MD5

b80f607a11a29e9e7f3192a0ff95e33a
SHA1

484622864005f1c5e65b7657089e9554623fd613
SHA256

f65c276f46ef90d4e70fd68e19db8f25af8810505bb832d8961d2a6e4caf17ae
SHA512

433358edaea23d477d0624074c92134259c8f83802be7a57182fb13d475a9c630f644de1f9e0697d9500053b348c1ba02dd16045960393fad2e73c7c93a6a66e
SSDEEP

1536:e1TE0/4/Ja43jHy7b0ToCRPp56O+T7K28BR8:eFwxhHWb0k0p56Oa7K/8

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

paris-itself.gl.at.ply.gg:49485

Attributes

Install_directory
%Public%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/2216-1-0x0000000000740000-0x0000000000756000-memory.dmp family_xworm
C:\Users\Public\svchost family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

resource	yara_rule
behavioral1/memory/2216-1-0x0000000000740000-0x0000000000756000-memory.dmp	family_xworm
C:\Users\Public\svchost	family_xworm

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe

Executes dropped EXE 2 IoCs

Processes:

svchostsvchost

pid process

4740 svchost
1868 svchost
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

XClient.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost" XClient.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4980 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4836 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

XClient.exe

pid process

2216 XClient.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

XClient.exesvchostsvchost

description pid process

Token: SeDebugPrivilege 2216 XClient.exe
Token: SeDebugPrivilege 2216 XClient.exe
Token: SeDebugPrivilege 4740 svchost
Token: SeDebugPrivilege 1868 svchost
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XClient.exe

pid process

2216 XClient.exe

pid	process
4740	svchost
1868	svchost

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost"	XClient.exe

flow	ioc
1	ip-api.com

pid	process
4980	timeout.exe

pid	process
4836	schtasks.exe

pid	process
2216	XClient.exe

description	pid	process
Token: SeDebugPrivilege	2216	XClient.exe
Token: SeDebugPrivilege	2216	XClient.exe
Token: SeDebugPrivilege	4740	svchost
Token: SeDebugPrivilege	1868	svchost

pid	process
2216	XClient.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

XClient.execmd.exe

description	pid	process	target process
PID 2216 wrote to memory of 4836	2216	XClient.exe	schtasks.exe
PID 2216 wrote to memory of 4836	2216	XClient.exe	schtasks.exe
PID 2216 wrote to memory of 3004	2216	XClient.exe	schtasks.exe
PID 2216 wrote to memory of 3004	2216	XClient.exe	schtasks.exe
PID 2216 wrote to memory of 1872	2216	XClient.exe	cmd.exe
PID 2216 wrote to memory of 1872	2216	XClient.exe	cmd.exe
PID 1872 wrote to memory of 4980	1872	cmd.exe	timeout.exe
PID 1872 wrote to memory of 4980	1872	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
2⤵
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC20E.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4980

C:\Users\Public\svchost
C:\Users\Public\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Users\Public\svchost
C:\Users\Public\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log
Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC20E.tmp.bat
Filesize
159B

MD5
c31b77218caf541ace86599c4133751d

SHA1
a6572be015605514e63e2b91bc8179a9c97b6d04

SHA256
d6bb521f04ab11d9289d4e229f363f9e7a3b3b5cf5a55937e833f1f0325f0d8f

SHA512
d8639a02a61da6efd9aec4357b4cc6ecdd5ba2362fbce0cbd7a3123261dbc2ff2f23b895d2027a05632b312259ece5aee862b11d49f7cf5f54a841384c40103c

Download Submit
C:\Users\Public\svchost
Filesize
63KB

MD5
b80f607a11a29e9e7f3192a0ff95e33a

SHA1
484622864005f1c5e65b7657089e9554623fd613

SHA256
f65c276f46ef90d4e70fd68e19db8f25af8810505bb832d8961d2a6e4caf17ae

SHA512
433358edaea23d477d0624074c92134259c8f83802be7a57182fb13d475a9c630f644de1f9e0697d9500053b348c1ba02dd16045960393fad2e73c7c93a6a66e

Download Submit
memory/2216-0-0x00007FFFE5E03000-0x00007FFFE5E04000-memory.dmp

Filesize
4KB

Download
memory/2216-1-0x0000000000740000-0x0000000000756000-memory.dmp

Filesize
88KB

Download
memory/2216-2-0x00007FFFE5E00000-0x00007FFFE67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2216-6-0x00007FFFE5E03000-0x00007FFFE5E04000-memory.dmp

Filesize
4KB

Download
memory/2216-7-0x00007FFFE5E00000-0x00007FFFE67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2216-21-0x00007FFFE5E00000-0x00007FFFE67EC000-memory.dmp

Filesize
9.9MB

Download
memory/4740-11-0x00007FFFE5E00000-0x00007FFFE67EC000-memory.dmp

Filesize
9.9MB

Download
memory/4740-13-0x00007FFFE5E00000-0x00007FFFE67EC000-memory.dmp

Filesize
9.9MB

Download