xworm | 49c4484aee2c2d16b940cb5e47e908cc894ececf443569f0f127e0c8df2ab832

Analysis

max time kernel
562s
max time network
482s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox theme.exe
Size

1013KB
MD5

f9692e37bd7d64a1d5458f39d5730308
SHA1

4984464e640fe749391e4819300b615eb4c85c6a
SHA256

49c4484aee2c2d16b940cb5e47e908cc894ececf443569f0f127e0c8df2ab832
SHA512

4fb5d6dff3d3da8013f8e618a5f65d70156229ee47d214541b04a56fe29d6e7d026aa4eb6870ea19a57ec2cf20042af91c8f62d30a7158bb8a6f77d9be5044d6
SSDEEP

24576:lOtT5xDVDvwVqYdVpqVfuMSOYw3Y+JBbUX/S/6Hv9rO5gUa:lOtT57MdhHMxvY+fUPSCH69a

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

java-mas.gl.at.ply.gg:23199

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\XClient.exe family_xworm
behavioral2/memory/4468-36-0x0000000000040000-0x0000000000072000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3860 powershell.exe
1964 powershell.exe
396 powershell.exe
3968 powershell.exe

resource	yara_rule
C:\Users\Admin\AppData\Roaming\XClient.exe	family_xworm
behavioral2/memory/4468-36-0x0000000000040000-0x0000000000072000-memory.dmp	family_xworm

pid	process
3860	powershell.exe
1964	powershell.exe
396	powershell.exe
3968	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Roblox theme.exeXClient.sfx.exeXClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Roblox theme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	XClient.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe

Executes dropped EXE 12 IoCs

Processes:

XClient.sfx.exeRTC_Launcher11.exeXClient.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
3528	XClient.sfx.exe
3352	RTC_Launcher11.exe
4468	XClient.exe
3592	svchost.exe
1968	svchost.exe
3380	svchost.exe
1456	svchost.exe
4884	svchost.exe
1976	svchost.exe
3180	svchost.exe
4628	svchost.exe
3976	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

688 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXClient.exe

pid process

3860 powershell.exe
3860 powershell.exe
1964 powershell.exe
1964 powershell.exe
396 powershell.exe
396 powershell.exe
3968 powershell.exe
3968 powershell.exe
4468 XClient.exe

flow	ioc
4	ip-api.com

pid	process
688	schtasks.exe

pid	process
3860	powershell.exe
3860	powershell.exe
1964	powershell.exe
1964	powershell.exe
396	powershell.exe
396	powershell.exe
3968	powershell.exe
3968	powershell.exe
4468	XClient.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

XClient.exeRTC_Launcher11.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4468	XClient.exe
Token: SeDebugPrivilege	3352	RTC_Launcher11.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	4468	XClient.exe
Token: SeDebugPrivilege	3592	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	3380	svchost.exe
Token: SeDebugPrivilege	1456	svchost.exe
Token: SeDebugPrivilege	4884	svchost.exe
Token: SeDebugPrivilege	1976	svchost.exe
Token: SeDebugPrivilege	3180	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	3976	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RTC_Launcher11.exe

pid process

3352 RTC_Launcher11.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XClient.exe

pid process

4468 XClient.exe

pid	process
3352	RTC_Launcher11.exe

pid	process
4468	XClient.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Roblox theme.exeXClient.sfx.exeXClient.exe

description	pid	process	target process
PID 4464 wrote to memory of 3528	4464	Roblox theme.exe	XClient.sfx.exe
PID 4464 wrote to memory of 3528	4464	Roblox theme.exe	XClient.sfx.exe
PID 4464 wrote to memory of 3528	4464	Roblox theme.exe	XClient.sfx.exe
PID 4464 wrote to memory of 3352	4464	Roblox theme.exe	RTC_Launcher11.exe
PID 4464 wrote to memory of 3352	4464	Roblox theme.exe	RTC_Launcher11.exe
PID 3528 wrote to memory of 4468	3528	XClient.sfx.exe	XClient.exe
PID 3528 wrote to memory of 4468	3528	XClient.sfx.exe	XClient.exe
PID 4468 wrote to memory of 3860	4468	XClient.exe	powershell.exe
PID 4468 wrote to memory of 3860	4468	XClient.exe	powershell.exe
PID 4468 wrote to memory of 1964	4468	XClient.exe	powershell.exe
PID 4468 wrote to memory of 1964	4468	XClient.exe	powershell.exe
PID 4468 wrote to memory of 396	4468	XClient.exe	powershell.exe
PID 4468 wrote to memory of 396	4468	XClient.exe	powershell.exe
PID 4468 wrote to memory of 3968	4468	XClient.exe	powershell.exe
PID 4468 wrote to memory of 3968	4468	XClient.exe	powershell.exe
PID 4468 wrote to memory of 688	4468	XClient.exe	schtasks.exe
PID 4468 wrote to memory of 688	4468	XClient.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Roblox theme.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox theme.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Roaming\XClient.sfx.exe
"C:\Users\Admin\AppData\Roaming\XClient.sfx.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528

C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
4⤵
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe
"C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2140

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3976

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pro34ilr.vjq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe
Filesize
758KB

MD5
cb1929328dea316fcb34f3486697d16e

SHA1
8c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b

SHA256
7a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9

SHA512
90ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe
Filesize
174KB

MD5
df3b4775708fd5ad9f3b1e2701ea4eaf

SHA1
42ff8fdf99a432f494594e6c9badb38385d77b12

SHA256
2ea99f3355f04bef152f0558aaa2719d9b9dcb6552297ab766069a4e1a314f73

SHA512
9140213342fac4579d74c405c182dccd1ee9756a545d3cec5101167a4868215048e8189d1e7c0e4b81f8d42ccf3e17252b57d9d6ceb997d69b10da218e9aa2b1

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.sfx.exe
Filesize
346KB

MD5
a09245eb66f7a82aaf5a41e20c9b0d63

SHA1
84fff1520784316b3fdcbaa44efb67e7d4e26ea4

SHA256
9d0ab230077ee742e2a1c4c68ebcf7f2039f0729d6ac03ef49c00389a79ad5dc

SHA512
7257a33b0d5c2e14376197b5673413557961ce2d2bb5ad672642ea52f8bec08cccab56c9cecdc1f3ca5f893dba955541cacee5f5e1a7561f749a32002ee67456

Download Submit
memory/3352-50-0x000001BABBE30000-0x000001BABBEA6000-memory.dmp

Filesize
472KB

Download
memory/3352-35-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-22-0x000001BAA0E30000-0x000001BAA0EF4000-memory.dmp

Filesize
784KB

Download
memory/3352-21-0x00007FF9F8C03000-0x00007FF9F8C05000-memory.dmp

Filesize
8KB

Download
memory/3352-89-0x00007FF9F8C03000-0x00007FF9F8C05000-memory.dmp

Filesize
8KB

Download
memory/3352-90-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp

Filesize
10.8MB

Download
memory/3860-43-0x00000247AFA90000-0x00000247AFAB2000-memory.dmp

Filesize
136KB

Download
memory/4468-36-0x0000000000040000-0x0000000000072000-memory.dmp

Filesize
200KB

Download