xworm | f65c276f46ef90d4e70fd68e19db8f25af8810505bb832d8961d2a6e4caf17ae

Analysis

max time kernel
149s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

63KB
MD5

b80f607a11a29e9e7f3192a0ff95e33a
SHA1

484622864005f1c5e65b7657089e9554623fd613
SHA256

f65c276f46ef90d4e70fd68e19db8f25af8810505bb832d8961d2a6e4caf17ae
SHA512

433358edaea23d477d0624074c92134259c8f83802be7a57182fb13d475a9c630f644de1f9e0697d9500053b348c1ba02dd16045960393fad2e73c7c93a6a66e
SSDEEP

1536:e1TE0/4/Ja43jHy7b0ToCRPp56O+T7K28BR8:eFwxhHWb0k0p56Oa7K/8

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

paris-itself.gl.at.ply.gg:49485

Attributes

Install_directory
%Public%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral3/memory/5108-0-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xworm
C:\Users\Public\svchost family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

resource	yara_rule
behavioral3/memory/5108-0-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xworm
C:\Users\Public\svchost	family_xworm

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe

Executes dropped EXE 2 IoCs

Processes:

svchostsvchost

pid process

4652 svchost
2688 svchost
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

XClient.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost" XClient.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1384 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4076 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

XClient.exe

pid process

5108 XClient.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

XClient.exesvchostsvchost

description pid process

Token: SeDebugPrivilege 5108 XClient.exe
Token: SeDebugPrivilege 5108 XClient.exe
Token: SeDebugPrivilege 4652 svchost
Token: SeDebugPrivilege 2688 svchost
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XClient.exe

pid process

5108 XClient.exe

pid	process
4652	svchost
2688	svchost

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost"	XClient.exe

flow	ioc
1	ip-api.com

pid	process
1384	timeout.exe

pid	process
4076	schtasks.exe

pid	process
5108	XClient.exe

description	pid	process
Token: SeDebugPrivilege	5108	XClient.exe
Token: SeDebugPrivilege	5108	XClient.exe
Token: SeDebugPrivilege	4652	svchost
Token: SeDebugPrivilege	2688	svchost

pid	process
5108	XClient.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

XClient.execmd.exe

description	pid	process	target process
PID 5108 wrote to memory of 4076	5108	XClient.exe	schtasks.exe
PID 5108 wrote to memory of 4076	5108	XClient.exe	schtasks.exe
PID 5108 wrote to memory of 5048	5108	XClient.exe	schtasks.exe
PID 5108 wrote to memory of 5048	5108	XClient.exe	schtasks.exe
PID 5108 wrote to memory of 1080	5108	XClient.exe	cmd.exe
PID 5108 wrote to memory of 1080	5108	XClient.exe	cmd.exe
PID 1080 wrote to memory of 1384	1080	cmd.exe	timeout.exe
PID 1080 wrote to memory of 1384	1080	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
2⤵
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6A1A.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1384

C:\Users\Public\svchost
C:\Users\Public\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Users\Public\svchost
C:\Users\Public\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log
Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A1A.tmp.bat
Filesize
159B

MD5
4294fac59a5d53f922b3151fd6413539

SHA1
4a837210913b4dbe9644af63b2167f449e76ea8c

SHA256
4fc20c0c816b68d31ea05ca7de04789a6dd6e4f4fb2beefce6fa658514656d5e

SHA512
5b24d06bb69c8f02c9ca0e7e8558fd181ae83f84172d97f06230f08e3f16b72ffb1a52bf92f1e044e7fce2f97a7dcd774011226c2d5cbd072c3236e9670bde5e

Download Submit
C:\Users\Public\svchost
Filesize
63KB

MD5
b80f607a11a29e9e7f3192a0ff95e33a

SHA1
484622864005f1c5e65b7657089e9554623fd613

SHA256
f65c276f46ef90d4e70fd68e19db8f25af8810505bb832d8961d2a6e4caf17ae

SHA512
433358edaea23d477d0624074c92134259c8f83802be7a57182fb13d475a9c630f644de1f9e0697d9500053b348c1ba02dd16045960393fad2e73c7c93a6a66e

Download Submit
memory/4652-10-0x00007FFD929D0000-0x00007FFD93492000-memory.dmp

Filesize
10.8MB

Download
memory/4652-12-0x00007FFD929D0000-0x00007FFD93492000-memory.dmp

Filesize
10.8MB

Download
memory/5108-0-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5108-1-0x00007FFD929D3000-0x00007FFD929D5000-memory.dmp

Filesize
8KB

Download
memory/5108-2-0x00007FFD929D0000-0x00007FFD93492000-memory.dmp

Filesize
10.8MB

Download
memory/5108-6-0x00007FFD929D0000-0x00007FFD93492000-memory.dmp

Filesize
10.8MB

Download
memory/5108-20-0x00007FFD929D0000-0x00007FFD93492000-memory.dmp

Filesize
10.8MB

Download