xworm | 1558720751a4d37a2074f66f8ea7a65b1e3dff9e0c6cc395e6bcbd072fba690a

Analysis

max time kernel
3s
max time network
108s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

60KB
MD5

107166f06c0965273058e6489798265a
SHA1

d43d853647183243b372248d4d0961d02157857e
SHA256

1558720751a4d37a2074f66f8ea7a65b1e3dff9e0c6cc395e6bcbd072fba690a
SHA512

208f998921ba32e015b046fd767ab682f9a4fce22655ac993b0e60886b6dcd8ed3cb7d710835c576a7233bc56bf116771d8bdda81e7d31d0a98f98eaac57fce2
SSDEEP

768:Wwjm6MDIGIt41FrtzWGDaCZrFcHubobWoYu2m6AzPyOKwJv7h3MSghzA3eny:nMkGuaTBWqrFHbobWofR6C6OKQ7pjuy

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

0.tcp.eu.ngrok.io::12233

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/1716-0-0x0000000000F30000-0x0000000000F46000-memory.dmp family_xworm
C:\Users\Admin\AppData\Roaming\XClient.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3752 powershell.exe
1364 powershell.exe
3792 powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2476 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

XClient.exe

description pid process

Token: SeDebugPrivilege 1716 XClient.exe

resource	yara_rule
behavioral1/memory/1716-0-0x0000000000F30000-0x0000000000F46000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\XClient.exe	family_xworm

pid	process
3752	powershell.exe
1364	powershell.exe
3792	powershell.exe

flow	ioc
1	ip-api.com

pid	process
2476	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1716	XClient.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1364

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:4880

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:3372

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
80b42fe4c6cf64624e6c31e5d7f2d3b3

SHA1
1f93e7dd83b86cb900810b7e3e43797868bf7d93

SHA256
ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d

SHA512
83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymdc2bcr.4vs.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe
Filesize
60KB

MD5
107166f06c0965273058e6489798265a

SHA1
d43d853647183243b372248d4d0961d02157857e

SHA256
1558720751a4d37a2074f66f8ea7a65b1e3dff9e0c6cc395e6bcbd072fba690a

SHA512
208f998921ba32e015b046fd767ab682f9a4fce22655ac993b0e60886b6dcd8ed3cb7d710835c576a7233bc56bf116771d8bdda81e7d31d0a98f98eaac57fce2

Download Submit
memory/1716-1-0x00007FFE0ABB3000-0x00007FFE0ABB5000-memory.dmp

Filesize
8KB

Download
memory/1716-2-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp

Filesize
10.8MB

Download
memory/1716-0-0x0000000000F30000-0x0000000000F46000-memory.dmp

Filesize
88KB

Download
memory/1716-47-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp

Filesize
10.8MB

Download
memory/3792-11-0x000002C179CF0000-0x000002C179D12000-memory.dmp

Filesize
136KB

Download
memory/3792-17-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp

Filesize
10.8MB

Download
memory/3792-16-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp

Filesize
10.8MB

Download
memory/3792-13-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp

Filesize
10.8MB

Download
memory/3792-12-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads