xworm | 66d19a418b63a7d1fe5aedb22b4632f65588cd8b4bff4873c0a1938585009e3e

General

Target

66d19a418b63a7d1fe5aedb22b4632f65588cd8b4bff4873c0a1938585009e3eN.exe
Size

552KB
MD5

10bbf67948e6dddb51f6f08d018c0af0
SHA1

241eca0187de98f65f76253e1ea8998f5d51fbe5
SHA256

66d19a418b63a7d1fe5aedb22b4632f65588cd8b4bff4873c0a1938585009e3e
SHA512

f6b2b3b2e0ca98ce80a55962c6778a94d7d2d6b7f25999965fc0a466f8d095fe729fbdc346049c9d90d76212e05314d16dcd3f28066cc51b93c9ca4883cfdfd2
SSDEEP

6144:I5vWMUYDhcGHAsDkeA5IvxDmUAI+K366Ujge5DAtAvKhAp081nNVjqKoeS:IxWCDhVXA5IvQ0mjgAPy6nnjqKoeS

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

4SlUuKAVMJTCYjjd

Attributes

Install_directory
%AppData%
install_file
pdf.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015fba-15.dat	family_xworm
behavioral1/memory/2696-20-0x0000000000EA0000-0x0000000000ECA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
2344	StubSoftware.exe
2696	pdf.exe

Loads dropped DLL 1 IoCs

pid	Process
2344	StubSoftware.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\pdf	66d19a418b63a7d1fe5aedb22b4632f65588cd8b4bff4873c0a1938585009e3eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StubSoftware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2812	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	66d19a418b63a7d1fe5aedb22b4632f65588cd8b4bff4873c0a1938585009e3eN.exe
Token: SeDebugPrivilege	2344	StubSoftware.exe
Token: SeDebugPrivilege	2696	pdf.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2812	AcroRd32.exe
2812	AcroRd32.exe
2812	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 2344	876	66d19a418b63a7d1fe5aedb22b4632f65588cd8b4bff4873c0a1938585009e3eN.exe	31
PID 876 wrote to memory of 2344	876	66d19a418b63a7d1fe5aedb22b4632f65588cd8b4bff4873c0a1938585009e3eN.exe	31
PID 876 wrote to memory of 2344	876	66d19a418b63a7d1fe5aedb22b4632f65588cd8b4bff4873c0a1938585009e3eN.exe	31
PID 876 wrote to memory of 2344	876	66d19a418b63a7d1fe5aedb22b4632f65588cd8b4bff4873c0a1938585009e3eN.exe	31
PID 2344 wrote to memory of 2696	2344	StubSoftware.exe	32
PID 2344 wrote to memory of 2696	2344	StubSoftware.exe	32
PID 2344 wrote to memory of 2696	2344	StubSoftware.exe	32
PID 2344 wrote to memory of 2696	2344	StubSoftware.exe	32
PID 2344 wrote to memory of 2812	2344	StubSoftware.exe	33
PID 2344 wrote to memory of 2812	2344	StubSoftware.exe	33
PID 2344 wrote to memory of 2812	2344	StubSoftware.exe	33
PID 2344 wrote to memory of 2812	2344	StubSoftware.exe	33

C:\Users\Admin\AppData\Local\Temp\66d19a418b63a7d1fe5aedb22b4632f65588cd8b4bff4873c0a1938585009e3eN.exe
"C:\Users\Admin\AppData\Local\Temp\66d19a418b63a7d1fe5aedb22b4632f65588cd8b4bff4873c0a1938585009e3eN.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe
  "C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\pdf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2024.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024.pdf

Filesize
19KB

MD5
1bfe03726985e5f00d6493bae4d7733e

SHA1
8aa97a35f4136255e515fee32a9e7494a59cf36b

SHA256
3d14fcb12f470412cc85d15ae4a84210c4ee5cd79455dd18000ce7ef7c3828e1

SHA512
6a65118e9d3da7ab65b1c2e2d8dadce2e15f5b5b35c5db934681a826486e69602532e87cf4a99154100aa63a0fb341b7fbc105a26819d506a35063d621bb0681

Download Submit
C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe

Filesize
225KB

MD5
14d355e2281f4132311311fa31b84607

SHA1
ff44c91fde76f9d5e7482092bf9f8b45ae7bada8

SHA256
4620e089eccef262e3cf156e04104aa7ab5724a71e814e56113568cd0df3985e

SHA512
b8b2b250b03084eba7c407cfe99bfb6e19fe7a9b06472136468c85890391012e01b28126ee23040472127a8df2d5d66ae8620ccc2bbf9dfd3c5f4a9c82ed1249

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
53a9d90d57162d784158c440edb43375

SHA1
817776f84e14348089fb7f9090275f7b8d6f0e2e

SHA256
642584e00e0e724896e9feb4359ca36183ce8f3414a06862d92dfd9aabe93008

SHA512
ff489eaed2444cfacae87d8bf7576456de4e41249754990a8010a7a723d1b5b820c582e9236f2e42e4c08978b7dd4c915941054a953f56ed34cac460964e91bc

Download Submit
\Users\Admin\AppData\Local\Temp\pdf.exe

Filesize
143KB

MD5
250fcb3398d262e5cf16ef67feb71787

SHA1
94acc26f63f9fe050fc37a4c4de91dd5259a077c

SHA256
4ac349e2b8c861c982779353a473f600e64f8a0e9a92a00778c2a330dc852576

SHA512
d05ebc06412fbcb229b05248b899c7f49d480179eaa77a4b80a769577b66b9924f9f05b41dc87a42d859c2d284572dcd923926a1ce8746feb150463471598ad7

Download Submit
memory/876-1-0x0000000000020000-0x0000000000096000-memory.dmp

Filesize
472KB

Download
memory/876-2-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/876-10-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/876-0-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

Filesize
4KB

Download
memory/2344-11-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/2344-21-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2344-12-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2344-9-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/2696-20-0x0000000000EA0000-0x0000000000ECA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing