xworm | c1b2508911195d25524604f8fd72691bf55354fdb0e5c7cceeb55e0489335050

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1b2508911195d25524604f8fd72691bf55354fdb0e5c7cceeb55e0489335050.exe
Size

582KB
MD5

17f138c7944f0fe501cabf1c9b613959
SHA1

8f121cfde56155202580b4f9068fad786d8751e3
SHA256

c1b2508911195d25524604f8fd72691bf55354fdb0e5c7cceeb55e0489335050
SHA512

1c6a4b1b89efac547d53bddc0f3686cd28ad2d8679c8e8620a3505bb51166778cf2c8827e8a1fd6f1e73cdaa50860fe63b56eec95d45f42424a9893b9ded0d25
SSDEEP

12288:5rLLrjj5JbC7rDh7ht0iJpMjS00bSVYjk/EgTjB/nnPCVu6I/:5r/rjVJbC7vztZJIS002Kgp/nn6V9g

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

july-marriott.gl.at.ply.gg:1130

Mutex

VqJPowq8OqaOBDgg

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000234b6-7.dat	family_xworm
behavioral2/memory/2808-22-0x0000000000490000-0x000000000049E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	c1b2508911195d25524604f8fd72691bf55354fdb0e5c7cceeb55e0489335050.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	XClient.exe
4728	XBinder v2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	XClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2808	1148	c1b2508911195d25524604f8fd72691bf55354fdb0e5c7cceeb55e0489335050.exe	82
PID 1148 wrote to memory of 2808	1148	c1b2508911195d25524604f8fd72691bf55354fdb0e5c7cceeb55e0489335050.exe	82
PID 1148 wrote to memory of 4728	1148	c1b2508911195d25524604f8fd72691bf55354fdb0e5c7cceeb55e0489335050.exe	83
PID 1148 wrote to memory of 4728	1148	c1b2508911195d25524604f8fd72691bf55354fdb0e5c7cceeb55e0489335050.exe	83

C:\Users\Admin\AppData\Local\Temp\c1b2508911195d25524604f8fd72691bf55354fdb0e5c7cceeb55e0489335050.exe
"C:\Users\Admin\AppData\Local\Temp\c1b2508911195d25524604f8fd72691bf55354fdb0e5c7cceeb55e0489335050.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\XBinder v2.exe
  "C:\Users\Admin\AppData\Local\Temp\XBinder v2.exe"
  2⤵
  - Executes dropped EXE
  PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XBinder v2.exe

Filesize
3.5MB

MD5
a98358eb7f4953aa6d60015ccd8506ce

SHA1
d9be0c9d6d968c1baef11027a7ace6a0e869e75a

SHA256
21e0cc9ef715cc2147b9ec481b3fb876dbae8a4491367b478513128d7f7b8555

SHA512
62389e840c375a15d317d024d2e07b861b5b66447abb0423f603b73d2ec0853e3f947f78498a40dd835b48ca50562af9364c65c448a60172fa9011b6e564fac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
30KB

MD5
d87443c6b5551a4b205cf23642096ae6

SHA1
62469aa8d7564bc2ad27d6ee3b9d5fb7743805e2

SHA256
c6b12d194db4a5cce9a287a90a0c23c1af24a325a56b2470bc2f9fa0b5553948

SHA512
34fad02a8dc63f07ea1e9f249f3fd181c281a7f07d267859e1daf2c1ba7c09a65986e99ca5c9115d409d83baa7718684e091fe28762d74d7b8bb9a65b0e1f4c0

Download Submit
memory/1148-0-0x00007FFCB6DC3000-0x00007FFCB6DC5000-memory.dmp

Filesize
8KB

Download
memory/1148-1-0x0000000000930000-0x00000000009C8000-memory.dmp

Filesize
608KB

Download
memory/1148-3-0x00007FFCB6DC0000-0x00007FFCB7881000-memory.dmp

Filesize
10.8MB

Download
memory/1148-28-0x00007FFCB6DC0000-0x00007FFCB7881000-memory.dmp

Filesize
10.8MB

Download
memory/2808-22-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2808-23-0x00007FFCB6DC0000-0x00007FFCB7881000-memory.dmp

Filesize
10.8MB

Download
memory/2808-33-0x00007FFCB6DC0000-0x00007FFCB7881000-memory.dmp

Filesize
10.8MB

Download
memory/2808-34-0x00007FFCB6DC0000-0x00007FFCB7881000-memory.dmp

Filesize
10.8MB

Download
memory/4728-30-0x00007FFCB6DC0000-0x00007FFCB7881000-memory.dmp

Filesize
10.8MB

Download
memory/4728-29-0x000001A102890000-0x000001A102C1E000-memory.dmp

Filesize
3.6MB

Download
memory/4728-31-0x00007FFCB6DC0000-0x00007FFCB7881000-memory.dmp

Filesize
10.8MB

Download
memory/4728-32-0x000001A11E9D0000-0x000001A11EA6C000-memory.dmp

Filesize
624KB

Download
memory/4728-35-0x00007FFCB6DC0000-0x00007FFCB7881000-memory.dmp

Filesize
10.8MB

Download