xworm | 7c78edd54d043b9ac2d4556c10f7bd07f4dd2258fd46a0f6469200431f8a21a0

Analysis

max time kernel
98s
max time network
145s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03-11-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dragon.exe
Size

275KB
MD5

4a2b87da39aa0c18015c52982d9b041e
SHA1

418bb0b60e5613abfd28348bdee58a009122e66e
SHA256

7c78edd54d043b9ac2d4556c10f7bd07f4dd2258fd46a0f6469200431f8a21a0
SHA512

921797a79bb863432aa9b635e4f144678836eff9ec3a0cf31d6aad5805018b5abe8f6dd2fa830f72a3fdcd77c0ce112becf0d13cefb0119c5c96f63d2be3744d
SSDEEP

3072:LIvTbyuUBoAlsYJ7OcrFZrvjKP60cq/ehN8zuUQr2jRIpzgD7ZKDwodfKdM9:iylsYJ7Ocr/j1UQr2jf3ZKswU

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

ensure-manual.gl.at.ply.gg:41199

Attributes

Install_directory
%AppData%
install_file
dllhost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002900000004504f-6.dat	family_xworm
behavioral1/memory/4448-22-0x0000000000B20000-0x0000000000B36000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Dragon.exe

Executes dropped EXE 1 IoCs

pid	Process
4448	Dragon.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	Dragon.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 4448	1212	Dragon.exe	82
PID 1212 wrote to memory of 4448	1212	Dragon.exe	82
PID 1212 wrote to memory of 4080	1212	Dragon.exe	83
PID 1212 wrote to memory of 4080	1212	Dragon.exe	83
PID 4080 wrote to memory of 2004	4080	cmd.exe	85
PID 4080 wrote to memory of 2004	4080	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\Dragon.exe
"C:\Users\Admin\AppData\Local\Temp\Dragon.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Roaming\Dragon.exe
  "C:\Users\Admin\AppData\Roaming\Dragon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\dragon.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Dragon.exe

Filesize
65KB

MD5
53a22b4902f3b98f3520a5ded2c98e04

SHA1
487c5b7f0d2fa11a68155406d67129c37e7c2a70

SHA256
64e409b3bc596cec8e7fda89a2bbf7b74fcc257544a8f999b7753bbebe47245a

SHA512
f2cef4ae06ffc9e62d81a6c46a6a58c6c155f544b0e58771d84b7dac08f6e2d6546722d1bbfefbd9a3e5a70e10c45f984c39c3c42dbcdf77db49ff35cf4a8f99

Download Submit
C:\Users\Admin\AppData\Roaming\dragon.bat

Filesize
2KB

MD5
b942ff88a54c0d0777addfb9b1d93f3e

SHA1
e8c800e0bca11c9c55f18e48be769a550be7840b

SHA256
45db70e76ba8e7d6e12ac548be6575757d43c56d78dbd0e3497f2b5c20c21979

SHA512
c707fa393917e21df77fc5147f39ac0d1a2d12479cc2752f4e3022308f4b079329271b2cbe6c0a00e15fa46561730a8c34bf472630b26d7ca1cd7e834b416aa2

Download Submit
memory/1212-0-0x00007FFFA5893000-0x00007FFFA5895000-memory.dmp

Filesize
8KB

Download
memory/1212-1-0x0000000000DA0000-0x0000000000DEA000-memory.dmp

Filesize
296KB

Download
memory/4448-22-0x0000000000B20000-0x0000000000B36000-memory.dmp

Filesize
88KB

Download
memory/4448-24-0x00007FFFA5890000-0x00007FFFA6352000-memory.dmp

Filesize
10.8MB

Download
memory/4448-26-0x00007FFFA5890000-0x00007FFFA6352000-memory.dmp

Filesize
10.8MB

Download
memory/4448-27-0x00007FFFA5890000-0x00007FFFA6352000-memory.dmp

Filesize
10.8MB

Download