xworm | 4cf0d3b4f17461a2db0bbdda11e738916e6a91ebdfd9074d4b8938b241b44aaa

Resubmissions

01/10/2023, 16:02

231001-tg7znsdd48 10

01/10/2023, 15:57

231001-ted9ksdd43 10

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2023, 16:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

devos_paid.exe
Size

93KB
MD5

62797685038affa3508fc6b17867f45b
SHA1

b0d960377d241c36eea6ec8e12c9e8ad7b722784
SHA256

4cf0d3b4f17461a2db0bbdda11e738916e6a91ebdfd9074d4b8938b241b44aaa
SHA512

c21efdbf7b58d9c47ae954b91a4415ef916261e1b0d598b3524a8a32a3e7cd6f7cccf7f1deaf9fc225f1b17fc4641593283ee1cdd1d0e312b711948e30102be0
SSDEEP

1536:PpZ8bmSOVacbMK5bLDB81an8zs9oe/mL1WyNhl/yEm8bRUC66f6B8oThutK2StGk:S2a1K5b3B81fzCoLLQE3KC6C6B8oFu1s

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

8.tcp.ngrok.io:19077

Mutex

4QysStVHR2TepCEM

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000600000001dbf2-7.dat	family_xworm
behavioral2/files/0x000600000001dbf2-13.dat	family_xworm
behavioral2/files/0x000600000001dbf2-14.dat	family_xworm
behavioral2/memory/4700-24-0x00000000007F0000-0x00000000007FE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	devos_paid.exe

Executes dropped EXE 2 IoCs

pid	Process
4700	DEVOS MENU PAID V1.exe
4580	injector.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4700	DEVOS MENU PAID V1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 4700	2156	devos_paid.exe	88
PID 2156 wrote to memory of 4700	2156	devos_paid.exe	88
PID 2156 wrote to memory of 4580	2156	devos_paid.exe	89
PID 2156 wrote to memory of 4580	2156	devos_paid.exe	89

C:\Users\Admin\AppData\Local\Temp\devos_paid.exe
"C:\Users\Admin\AppData\Local\Temp\devos_paid.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\DEVOS MENU PAID V1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEVOS MENU PAID V1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\injector.exe
  "C:\Users\Admin\AppData\Local\Temp\injector.exe"
  2⤵
  - Executes dropped EXE
  PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEVOS MENU PAID V1.exe

Filesize
32KB

MD5
868371404a71960ea4d9fcc3ae0d12d5

SHA1
32a153308ef92b9cffcce3ba0ad1514878b68dcd

SHA256
523f4ebb278b1787be8cae3e650b1bc5ca0f0c005ec37b7aae7581d911620642

SHA512
b96279f578ac4f307337b133660daf7c2e4a304ed4d6d37c778f61bcf5fabb30ade7a84790bd68efa2c98345fea231d9cc8bf9d8a173120a1ba64120541c0b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEVOS MENU PAID V1.exe

Filesize
32KB

MD5
868371404a71960ea4d9fcc3ae0d12d5

SHA1
32a153308ef92b9cffcce3ba0ad1514878b68dcd

SHA256
523f4ebb278b1787be8cae3e650b1bc5ca0f0c005ec37b7aae7581d911620642

SHA512
b96279f578ac4f307337b133660daf7c2e4a304ed4d6d37c778f61bcf5fabb30ade7a84790bd68efa2c98345fea231d9cc8bf9d8a173120a1ba64120541c0b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEVOS MENU PAID V1.exe

Filesize
32KB

MD5
868371404a71960ea4d9fcc3ae0d12d5

SHA1
32a153308ef92b9cffcce3ba0ad1514878b68dcd

SHA256
523f4ebb278b1787be8cae3e650b1bc5ca0f0c005ec37b7aae7581d911620642

SHA512
b96279f578ac4f307337b133660daf7c2e4a304ed4d6d37c778f61bcf5fabb30ade7a84790bd68efa2c98345fea231d9cc8bf9d8a173120a1ba64120541c0b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\injector.exe

Filesize
146KB

MD5
cb6db1fed2da243529f80411f8b25aeb

SHA1
0ceaaa98c45ca42b8aeef24b001bfa3fff8eceb4

SHA256
cb0aabe8bfff9c02d13f1a88c9fc01644134c3cba9421ff110140fbe35a918ca

SHA512
743875f33ab5212759a0242159b08578921b79eacc31c9e1e14c795b6dfa47fe48904c081c7ee3252d72dbce315959354bcaace638afc11176faf7df45bac977

Download Submit
C:\Users\Admin\AppData\Local\Temp\injector.exe

Filesize
146KB

MD5
cb6db1fed2da243529f80411f8b25aeb

SHA1
0ceaaa98c45ca42b8aeef24b001bfa3fff8eceb4

SHA256
cb0aabe8bfff9c02d13f1a88c9fc01644134c3cba9421ff110140fbe35a918ca

SHA512
743875f33ab5212759a0242159b08578921b79eacc31c9e1e14c795b6dfa47fe48904c081c7ee3252d72dbce315959354bcaace638afc11176faf7df45bac977

Download Submit
C:\Users\Admin\AppData\Local\Temp\injector.exe

Filesize
146KB

MD5
cb6db1fed2da243529f80411f8b25aeb

SHA1
0ceaaa98c45ca42b8aeef24b001bfa3fff8eceb4

SHA256
cb0aabe8bfff9c02d13f1a88c9fc01644134c3cba9421ff110140fbe35a918ca

SHA512
743875f33ab5212759a0242159b08578921b79eacc31c9e1e14c795b6dfa47fe48904c081c7ee3252d72dbce315959354bcaace638afc11176faf7df45bac977

Download Submit
memory/2156-3-0x000000001B190000-0x000000001B1A0000-memory.dmp

Filesize
64KB

Download
memory/2156-1-0x00007FFE36960000-0x00007FFE37421000-memory.dmp

Filesize
10.8MB

Download
memory/2156-0-0x0000000000540000-0x000000000055E000-memory.dmp

Filesize
120KB

Download
memory/2156-29-0x00007FFE36960000-0x00007FFE37421000-memory.dmp

Filesize
10.8MB

Download
memory/4700-24-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/4700-25-0x00007FFE36960000-0x00007FFE37421000-memory.dmp

Filesize
10.8MB

Download
memory/4700-27-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/4700-30-0x00007FFE36960000-0x00007FFE37421000-memory.dmp

Filesize
10.8MB

Download
memory/4700-31-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/4700-33-0x00007FFE36960000-0x00007FFE37421000-memory.dmp

Filesize
10.8MB

Download