xworm | e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264

General

Target

e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264.exe
Size

297KB
MD5

9b650b738d97c0e39717fe86401a6726
SHA1

34f361ab5024ad4390a3906cb3fff5a7b5f7e656
SHA256

e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264
SHA512

a6664916c5c1bfd66e58face5c1811f95b6489c3e1d4728d4efee92233192fb145c8f0cca46582d560356b92732a8727794a7d8765d16c4df567eb5eb84b1e30
SSDEEP

6144:Ka4InuJg58BkgqPoDH49n8Bb/cQ/gW/tQtbgk3KlRWvWl/HrrACG7:Kat0EAH49n8BLgSZQKXW+l/HnACs

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

C2

engineering-thoroughly.gl.at.ply.gg:32901

20.ip.gl.ply.gg:32901

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002346d-6.dat	family_xworm
behavioral2/files/0x00090000000234c9-16.dat	family_xworm
behavioral2/memory/1896-26-0x00000000004F0000-0x0000000000506000-memory.dmp	family_xworm
behavioral2/memory/1784-25-0x0000000000CC0000-0x0000000000CEE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	1Celestial.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	1Celestial.exe

Executes dropped EXE 2 IoCs

pid	Process
1896	XClient.exe
1784	1Celestial.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	1Celestial.exe
Token: SeDebugPrivilege	1896	XClient.exe
Token: SeDebugPrivilege	1784	1Celestial.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 1896	3596	e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264.exe	87
PID 3596 wrote to memory of 1896	3596	e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264.exe	87
PID 3596 wrote to memory of 1784	3596	e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264.exe	89
PID 3596 wrote to memory of 1784	3596	e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264.exe	89

C:\Users\Admin\AppData\Local\Temp\e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264.exe
"C:\Users\Admin\AppData\Local\Temp\e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\1Celestial.exe
  "C:\Users\Admin\AppData\Local\Temp\1Celestial.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1Celestial.exe

Filesize
162KB

MD5
d726f0f603538577a7e12448419fed1a

SHA1
1ea8047f9e825c9dd648a12c98689e1c6ad11c70

SHA256
e4d2faf2aa895163625ea12416ce945b256f0e13b8327152d6eb80f3ee9fc332

SHA512
a9643b891d7a092799ee032c032daa0e1303f639a1893fe1ea7e2830cbae12dbb0d754ebe7bbedcb2396f6bfed5539a932c8f8726b7ff13e217fc39f630b7dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
66KB

MD5
2c2bf7640b13839dcffc5524e9ff6972

SHA1
4e91d65f34a33498b39419dbffee5efd8703ca05

SHA256
58588e19dac77c6689a6167865f9ad8f0fe531afbe4d66243d55f3e0e5a555c4

SHA512
980afa1660da3522c5a0d6296fb1fe9ddcb53dfa829d6d64bd9c63714147536c090f12c9f533e67187d5250b5a219a9c9aa876ee375995a2e1cb1dac1e6de65e

Download Submit
memory/1784-25-0x0000000000CC0000-0x0000000000CEE000-memory.dmp

Filesize
184KB

Download
memory/1784-27-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download
memory/1784-29-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download
memory/1784-34-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download
memory/1784-36-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download
memory/1896-24-0x00007FFE8FA03000-0x00007FFE8FA05000-memory.dmp

Filesize
8KB

Download
memory/1896-26-0x00000000004F0000-0x0000000000506000-memory.dmp

Filesize
88KB

Download
memory/1896-28-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download
memory/1896-35-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing