xworm | 74f56ab8a7adca5ed563d4470174c4ef3a9b76c602cfa7dbd8e0968d57cedf0b

Analysis

max time kernel
92s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spoof.exe
Size

22.1MB
MD5

3ab3b8d9ef3880ff690c2a38f84ebe71
SHA1

63d2ab1dac880d914fa1aade280c0b5a21df58e0
SHA256

74f56ab8a7adca5ed563d4470174c4ef3a9b76c602cfa7dbd8e0968d57cedf0b
SHA512

1de61ad6e319d5c665e038624efe8bf62667c5a84f795be3a8bd6ac2df061c33dc49e41ad7adb4ef7b484b6e164debc345316bf233502aa4a6dbd0a72d766be2
SSDEEP

393216:r8Yi2Iyv2bga8hcPF0avZpcy09opX4T4shLDXIY+ApCzJiY6mJjFi0ogw8Bc6sSl:AYEyubggPFzv/09oBDsL1+I+JiYhJxi0

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

147.185.221.20:15984

chinese-lens.gl.at.ply.gg:15984

Mutex

tvYpp7NasWPrWmlc

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Spoofer.exe	family_xworm
behavioral2/memory/4900-12-0x00000000006A0000-0x00000000006B0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Spoof.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation Spoof.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Spoof.exe

Drops startup file 2 IoCs

Processes:

Spoofer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Spoofer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Spoofer.exe

Executes dropped EXE 2 IoCs

Processes:

Spoofer.exe335B0B9F8BA.exe

pid process

4900 Spoofer.exe
4864 335B0B9F8BA.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Spoofer.exe

description pid process

Token: SeDebugPrivilege 4900 Spoofer.exe

pid	process
4900	Spoofer.exe
4864	335B0B9F8BA.exe

flow	ioc
14	ip-api.com

description	pid	process
Token: SeDebugPrivilege	4900	Spoofer.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Spoof.exe

description	pid	process	target process
PID 4592 wrote to memory of 4900	4592	Spoof.exe	Spoofer.exe
PID 4592 wrote to memory of 4900	4592	Spoof.exe	Spoofer.exe
PID 4592 wrote to memory of 4864	4592	Spoof.exe	335B0B9F8BA.exe
PID 4592 wrote to memory of 4864	4592	Spoof.exe	335B0B9F8BA.exe

C:\Users\Admin\AppData\Local\Temp\Spoof.exe
"C:\Users\Admin\AppData\Local\Temp\Spoof.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Users\Admin\AppData\Local\Temp\335B0B9F8BA.exe
"C:\Users\Admin\AppData\Local\Temp\335B0B9F8BA.exe"
2⤵
- Executes dropped EXE
PID:4864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\335B0B9F8BA.exe
Filesize
22.1MB

MD5
68eca888cb479f840503bcdbda3acc88

SHA1
609c73cd16d6a483dafb76179b21f329ea1fef00

SHA256
0f7ff1dda72f7da756a8efb610c9bba0a574442a8a8b48413dda54981d28c4af

SHA512
557b9c3743e5286ab3f21026dfab97c2608f47855a456aaf7cc893b39cfa57dc0df3000715b5da1f0993c4e6d06e84713329e2b190fd10f0d5a67b045da344db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
Filesize
36KB

MD5
9e5098fe32abdb06e3245f4ac8de9c9f

SHA1
f0dc06a99f7c40fef4f104494a5c70d4142676cf

SHA256
bf49f61f7454f0c50a28c8856c4dfeb2c6884b9fe5ff9335a28725b530f9a9a3

SHA512
6323f16ffcfc1e7ec6a799d6d0e642183d48376cc1a48757ac11f2918cccba39bc3094c4103f2bcce357e909fcb4c6a8e7ccd19341188f429fed6dc0dc736568

Download Submit
memory/4900-11-0x00007FFCDB593000-0x00007FFCDB595000-memory.dmp

Filesize
8KB

Download
memory/4900-12-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/4900-21-0x00007FFCDB590000-0x00007FFCDC051000-memory.dmp

Filesize
10.8MB

Download
memory/4900-26-0x00007FFCDB593000-0x00007FFCDB595000-memory.dmp

Filesize
8KB

Download
memory/4900-27-0x00007FFCDB590000-0x00007FFCDC051000-memory.dmp

Filesize
10.8MB

Download