xworm | c311cf252c921f62bdb62ec764fe72e9bb58e6d73d32de213ba78943a76ab9b7

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba93f77d1a5ea6e0167b22431de94d20N.exe
Size

189KB
MD5

ba93f77d1a5ea6e0167b22431de94d20
SHA1

1295d9118cf67f4e068319d72138a80494630b02
SHA256

c311cf252c921f62bdb62ec764fe72e9bb58e6d73d32de213ba78943a76ab9b7
SHA512

8e4068f8f3f37684eea71e65b319841bb49c9067bca21efb3e5e61219dbce7d0660fe5ec88585d9a521cfafb2f5d88f6eb09643ed26eb4b9c040fbe119090340
SSDEEP

3072:KBf5OYpgK2+49WqfOIbA099oey1r45340VJ96dLtMW1d73bR7SgOBzvVg6UU62:afjpgFP9W+bAWoesrU40p61tL73blqKK

Score

10^/10

xworm discovery rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3940-7-0x0000000000400000-0x0000000000437000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ba93f77d1a5ea6e0167b22431de94d20N.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	CrackLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba93f77d1a5ea6e0167b22431de94d20N.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\discord-1199748644409184347\shell\open\command	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\discord-1199748644409184347\shell\open	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\discord-1199748644409184347\DefaultIcon	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\discord-1199748644409184347\URL Protocol	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\discord-1199748644409184347\shell	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\discord-1199748644409184347	CrackLauncher.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 2760	3940	ba93f77d1a5ea6e0167b22431de94d20N.exe	92
PID 3940 wrote to memory of 2760	3940	ba93f77d1a5ea6e0167b22431de94d20N.exe	92
PID 2760 wrote to memory of 2256	2760	CrackLauncher.exe	94
PID 2760 wrote to memory of 2256	2760	CrackLauncher.exe	94

C:\Users\Admin\AppData\Local\Temp\ba93f77d1a5ea6e0167b22431de94d20N.exe
"C:\Users\Admin\AppData\Local\Temp\ba93f77d1a5ea6e0167b22431de94d20N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1420,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8
1⤵
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

Filesize
102KB

MD5
c137c5f5287d73a94d55bc18df238303

SHA1
95b4b01775bea14feaaa462c98d969eb81696d2c

SHA256
d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0

SHA512
ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

Download Submit
memory/3940-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download