xworm | 5fbae4b6f13ae53c0c72395da9aaff02bdd023adb735512a17d951feb869f124

General

Target

jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe
Size

930KB
MD5

327b7ea8c22c6fde0cc18d55f1b93d6d
SHA1

32212f75534b53e499db147c35e116413e9d93f8
SHA256

5fbae4b6f13ae53c0c72395da9aaff02bdd023adb735512a17d951feb869f124
SHA512

a40a7854947b7a38c7a369885eea28e48a52a275871a2d2038d4b8a6bb01112513ee463cccb9d0deb596331bb0c2debdf8130d3a794472fd7c5170e94d2a5eb1
SSDEEP

24576:tcjJkDRAIlgn/SwykVe6xBpHHd58Alq35GJ:tc1kdAIlKqwX8U/Blq35W

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

83.38.28.117:1603

83.38.24.1:1603

Attributes

Install_directory
%Temp%
install_file
RuntimeBroker.exe

Signatures

Detect Xworm Payload 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023c1f-6.dat	family_xworm
behavioral2/files/0x0008000000023cab-35.dat	family_xworm
behavioral2/memory/3488-90-0x00000000009D0000-0x00000000009E4000-memory.dmp	family_xworm
behavioral2/files/0x0007000000023cb1-119.dat	family_xworm
behavioral2/files/0x0007000000023caf-142.dat	family_xworm
behavioral2/files/0x0007000000023cb0-145.dat	family_xworm
behavioral2/memory/4136-179-0x0000000000E10000-0x0000000000E34000-memory.dmp	family_xworm
behavioral2/files/0x0007000000023cb2-182.dat	family_xworm
behavioral2/memory/4588-178-0x0000000000A40000-0x0000000000A54000-memory.dmp	family_xworm
behavioral2/memory/1844-183-0x00000000001A0000-0x00000000001CC000-memory.dmp	family_xworm
behavioral2/memory/3564-173-0x00000000007F0000-0x0000000000836000-memory.dmp	family_xworm
behavioral2/memory/2872-143-0x00000000009B0000-0x00000000009E0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe

Executes dropped EXE 6 IoCs

pid	Process
3488	RuntimeBroker.exe
3564	SecurityHealthSystray.exe
2872	OneDrive.exe
4136	WmiPrvSE.exe
4588	svchost.exe
1844	SearchFilterHost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	RuntimeBroker.exe
Token: SeDebugPrivilege	3564	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2872	OneDrive.exe
Token: SeDebugPrivilege	4588	svchost.exe
Token: SeDebugPrivilege	4136	WmiPrvSE.exe
Token: SeDebugPrivilege	1844	SearchFilterHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 3488	4564	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	84
PID 4564 wrote to memory of 3488	4564	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	84
PID 4564 wrote to memory of 3564	4564	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	85
PID 4564 wrote to memory of 3564	4564	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	85
PID 4564 wrote to memory of 2872	4564	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	86
PID 4564 wrote to memory of 2872	4564	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	86
PID 4564 wrote to memory of 4136	4564	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	87
PID 4564 wrote to memory of 4136	4564	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	87
PID 4564 wrote to memory of 4588	4564	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	88
PID 4564 wrote to memory of 4588	4564	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	88
PID 4564 wrote to memory of 1844	4564	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	89
PID 4564 wrote to memory of 1844	4564	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	89

C:\Users\Admin\AppData\Local\Temp\jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe
"C:\Users\Admin\AppData\Local\Temp\jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\RuntimeBroker.exe
  "C:\Users\Admin\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Users\Admin\SecurityHealthSystray.exe
  "C:\Users\Admin\SecurityHealthSystray.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Users\Admin\OneDrive.exe
  "C:\Users\Admin\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Users\Admin\WmiPrvSE.exe
  "C:\Users\Admin\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Users\Admin\SearchFilterHost.exe
  "C:\Users\Admin\SearchFilterHost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\OneDrive.exe

Filesize
170KB

MD5
247956f3e2357939ad85a91ade6871bc

SHA1
d823a32115625d68a6a2bddf78197492a3656da9

SHA256
8b80416b1c2c1fd35981d2ca261578874a599236447f85f91af1e19d50e2d5fc

SHA512
b68bee7c8ae6b17621dd910b9b5753e06e98a136c58e15add84b74a2ebf1a673a85676119a5cfbbbab82b3302bce717a059cb893b219c0565130f304f1ec1ff3

Download Submit
C:\Users\Admin\RuntimeBroker.exe

Filesize
59KB

MD5
a2add11711c5fc82860b42735b4996f3

SHA1
986e5d99b1f8f9127e262f7a24513674e5be9868

SHA256
aab3501f022a254e9599189aefadbf636aeda273ee0a0ffc6218ef4955157f41

SHA512
a00305ccd91e673957471e2b2328b8f41339a46c37ed450d06cd1290096efdcd8a0098b68f5b3b59f84a2be2a5f8ce69f057364bff354ca7f9defeb701cc084a

Download Submit
C:\Users\Admin\SearchFilterHost.exe

Filesize
155KB

MD5
c493bed5ff7fffa1c7a378235595654f

SHA1
008dd17c8201eb83106d95ad135ae711880e6f49

SHA256
ebc2b439ce3464a3d6961ad4c8e17245336bb18a7b818ec80c8da9d1513986a2

SHA512
ed8e0956ef559c644e4e1f6a519bbaca82c1cb1ea315fce1e17810037b5cb33b854cb7404630f3c598988618e9bea82c7c272826f2a6f6588ba0f8394c4366c5

Download Submit
C:\Users\Admin\SecurityHealthSystray.exe

Filesize
254KB

MD5
3c4ee8268896f403918024e7be84c5bc

SHA1
1b328cf35cd4ae1aa89ef3a70fd4277b6cb8431e

SHA256
9c075f295379a6c9f6f567d8f2cdd6f67e5cc272aba900a2533e0f7a8fdd2828

SHA512
1b824a62019b910f3c4c3b6f1279a682fc2619c3bfde73a55d270043348ec131f96dcec492eea9c269e54c54bf59f44c27807cc4d8ff55e6d829557d3eee2a7d

Download Submit
C:\Users\Admin\WmiPrvSE.exe

Filesize
121KB

MD5
c9c36b58fd4b41a0ca4b27fea908d611

SHA1
27a286d189a9a64ba0d431e24e3ca38acc0edde7

SHA256
4d6a7e99efa2949f2c6e37f5846e40cb6a9b3937f8624654697a93e67cd09ddb

SHA512
5967d8b28d677356a102bbcf0858e1b5dab5160194a5ecd0b3476c4ad4bfadbe1a8678465007ec7f8b0b41b7ea4811151880646bf255459b4dd9ef26536ce13f

Download Submit
C:\Users\Admin\svchost.exe

Filesize
55KB

MD5
d468a3c6966f939a8775fe46c8048583

SHA1
aa9ef0f1201388380a051e9c454612b146f918f5

SHA256
298f2f96d524f2db8b151909a1fb4f8e480bf76f66cd5a5a26c9483b4987a1a3

SHA512
3060f53757c271f0c38128ba72255ce679af8d47c8743aa71a8de2e0b31d7d6afbd34febdf54a77925dadd65bc433e7cfe1064f98f0e41ef21c6931dff0af5c7

Download Submit
memory/1844-183-0x00000000001A0000-0x00000000001CC000-memory.dmp

Filesize
176KB

Download
memory/2872-143-0x00000000009B0000-0x00000000009E0000-memory.dmp

Filesize
192KB

Download
memory/3488-90-0x00000000009D0000-0x00000000009E4000-memory.dmp

Filesize
80KB

Download
memory/3488-176-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/3488-186-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/3564-173-0x00000000007F0000-0x0000000000836000-memory.dmp

Filesize
280KB

Download
memory/3564-184-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/3564-185-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-179-0x0000000000E10000-0x0000000000E34000-memory.dmp

Filesize
144KB

Download
memory/4564-0-0x00007FFA13EF3000-0x00007FFA13EF5000-memory.dmp

Filesize
8KB

Download
memory/4564-1-0x0000000000EC0000-0x0000000000FAE000-memory.dmp

Filesize
952KB

Download
memory/4588-178-0x0000000000A40000-0x0000000000A54000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing