xworm | cbc725af77ebf25c61784ad3df87a4d42003492931562c3d6ca00c0726320f98

General

Target

CMDBITX_Crack__By_Rank1_Fix1.exe
Size

5.7MB
MD5

f5ca75b6deed282fb277bcd87dcf968d
SHA1

de0aafbc767308332795f0de7d59e30f1f1293fa
SHA256

cbc725af77ebf25c61784ad3df87a4d42003492931562c3d6ca00c0726320f98
SHA512

bffbe2cf79dfd4efdb760d3bb440f2ebbee7a1db6c4b6f87e19407efa597927f35766dfb23300890ce0f2c33e2f178c25423d6cd6bd3d1500574efd72e365f57
SSDEEP

98304:ezg8NHE04004RmgZKJG4HrC5rji6tXtNhUc9u70rhwt3FNHbJ5gJYNIi56LKAsYv:ezvdh40lRmwuG4Glt1Uy/t0Xb5NIiIAK

Score

10^/10

xworm rat trojan vmprotect

Malware Config

Extracted

Family

xworm

C2

85.203.4.149:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016ccc-5.dat	family_xworm
behavioral1/memory/2116-7-0x0000000000D40000-0x0000000000D58000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
2116	svchost.exe
2528	CMDBITX_Crack__By_Rank1_Fix1.exe

Loads dropped DLL 1 IoCs

pid	Process
2104	CMDBITX_Crack__By_Rank1_Fix1.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0009000000016cd8-12.dat	vmprotect
behavioral1/memory/2528-25-0x000000013FF80000-0x000000014094E000-memory.dmp	vmprotect

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2528	CMDBITX_Crack__By_Rank1_Fix1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2528	CMDBITX_Crack__By_Rank1_Fix1.exe
2528	CMDBITX_Crack__By_Rank1_Fix1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2116	2104	CMDBITX_Crack__By_Rank1_Fix1.exe	29
PID 2104 wrote to memory of 2116	2104	CMDBITX_Crack__By_Rank1_Fix1.exe	29
PID 2104 wrote to memory of 2116	2104	CMDBITX_Crack__By_Rank1_Fix1.exe	29
PID 2104 wrote to memory of 2528	2104	CMDBITX_Crack__By_Rank1_Fix1.exe	30
PID 2104 wrote to memory of 2528	2104	CMDBITX_Crack__By_Rank1_Fix1.exe	30
PID 2104 wrote to memory of 2528	2104	CMDBITX_Crack__By_Rank1_Fix1.exe	30
PID 2528 wrote to memory of 2560	2528	CMDBITX_Crack__By_Rank1_Fix1.exe	32
PID 2528 wrote to memory of 2560	2528	CMDBITX_Crack__By_Rank1_Fix1.exe	32
PID 2528 wrote to memory of 2560	2528	CMDBITX_Crack__By_Rank1_Fix1.exe	32
PID 2528 wrote to memory of 2972	2528	CMDBITX_Crack__By_Rank1_Fix1.exe	33
PID 2528 wrote to memory of 2972	2528	CMDBITX_Crack__By_Rank1_Fix1.exe	33
PID 2528 wrote to memory of 2972	2528	CMDBITX_Crack__By_Rank1_Fix1.exe	33

C:\Users\Admin\AppData\Local\Temp\CMDBITX_Crack__By_Rank1_Fix1.exe
"C:\Users\Admin\AppData\Local\Temp\CMDBITX_Crack__By_Rank1_Fix1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\ProgramData\CMDBITX_Crack__By_Rank1_Fix1.exe
  "C:\ProgramData\CMDBITX_Crack__By_Rank1_Fix1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CMDBITX_Crack__By_Rank1_Fix1.exe

Filesize
5.6MB

MD5
b8706e3eec936f15bd7b4a957e6128cc

SHA1
861d963c4535ad565656c966e179e2386d29cbfa

SHA256
aa8bddd86d728e417ab54f6b34f1dc7ed6f48d4a6229e1d452abce07f1e7b747

SHA512
5a0975d5086799f7856ebdf84c64111b6de07e3b7a8af7c9cb5b753cb8e8f2ac913c0578073bb9c224ef8c54c279bde7bfdf35d96f5266142966297497419a7e

Download Submit
C:\ProgramData\svchost.exe

Filesize
73KB

MD5
a85dd5e8817d7d7027496450b609c35d

SHA1
f7045eab4bcb8a557efc4b08630be324f791d45b

SHA256
7298148e9b7339323d19babc0b1408f3a680d777c7de5680b0bb898987e5ef9b

SHA512
1712c6bb38bd748bd83bf79610f8b398126a358c944d9c881f126e94630e4c30477e2101f786c3355bd91727be8da10ea9820a9f18f17023ec8eea40f81260ac

Download Submit
memory/2104-1-0x0000000001100000-0x00000000016BC000-memory.dmp

Filesize
5.7MB

Download
memory/2104-0-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

Filesize
4KB

Download
memory/2116-29-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2116-7-0x0000000000D40000-0x0000000000D58000-memory.dmp

Filesize
96KB

Download
memory/2116-13-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2116-30-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-24-0x0000000077B90000-0x0000000077B92000-memory.dmp

Filesize
8KB

Download
memory/2528-19-0x0000000077B60000-0x0000000077B62000-memory.dmp

Filesize
8KB

Download
memory/2528-17-0x0000000077B60000-0x0000000077B62000-memory.dmp

Filesize
8KB

Download
memory/2528-25-0x000000013FF80000-0x000000014094E000-memory.dmp

Filesize
9.8MB

Download
memory/2528-15-0x0000000077B60000-0x0000000077B62000-memory.dmp

Filesize
8KB

Download
memory/2528-20-0x0000000077B90000-0x0000000077B92000-memory.dmp

Filesize
8KB

Download
memory/2528-22-0x0000000077B90000-0x0000000077B92000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing