xworm | 63563e6bfbb746f8aa33ff07896b76f75638373b7ba9a5af6bc2bea66241274c

General

Target

Request for quotation.pdf.exe
Size

1.1MB
MD5

5fbc756d04b68cd1c66a12a56628744f
SHA1

174afc1c59dd513d93afb9aa414e4a3486e8d7d2
SHA256

069facb5cf9660abced4bcb48a98ab7e5e51bb311517148ec794ff6ae4985652
SHA512

cb351a7675035f3e487a0d1deda13e4eb44ee74759e29d6cb4b43a990bc337afd15a5342ed543a5abb8324939ab707d347c43db7b140472529a57a9ac162b863
SSDEEP

24576:AAHnh+eWsN3skA4RV1Hom2KXFmIal9tlBu0OYACQ5:3h+ZkldoPK1Xal/juPP

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

195.154.49.246:2112

Mutex

iTEfRI9nTI5flg7d

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1820-31-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs	cunila.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	RegSvcs.exe

Executes dropped EXE 1 IoCs

pid	Process
212	cunila.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a000000023c94-14.dat	autoit_exe
behavioral2/memory/212-29-0x0000000000BF0000-0x0000000000D1C000-memory.dmp	autoit_exe
behavioral2/memory/212-32-0x0000000000BF0000-0x0000000000D1C000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 212 set thread context of 1820	212	cunila.exe	90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Request for quotation.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cunila.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1820	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
212	cunila.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1820	RegSvcs.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 212	924	Request for quotation.pdf.exe	89
PID 924 wrote to memory of 212	924	Request for quotation.pdf.exe	89
PID 924 wrote to memory of 212	924	Request for quotation.pdf.exe	89
PID 212 wrote to memory of 1820	212	cunila.exe	90
PID 212 wrote to memory of 1820	212	cunila.exe	90
PID 212 wrote to memory of 1820	212	cunila.exe	90
PID 212 wrote to memory of 1820	212	cunila.exe	90

C:\Users\Admin\AppData\Local\Temp\Request for quotation.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Request for quotation.pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\holloing\cunila.exe
  "C:\Users\Admin\AppData\Local\Temp\Request for quotation.pdf.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\Request for quotation.pdf.exe"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misrun

Filesize
37KB

MD5
eb171700b0391534ce7a4fb617689781

SHA1
2b26c80a67b987a9b23e6eaf354c564735f8392f

SHA256
1c892bc6737d83feb24e4b2b0a10c31b860c0247f93df4b78b2587ef77cf3688

SHA512
4e28e6883331bbc3fc6b4fe7c74a5a05071aedce39965b6d3fb5b18a027097f9378f5d5570f4be316242ea8f7a73c75131a8500f83721f0e1e741c34adc91c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\woolpress

Filesize
140KB

MD5
756ecb638d77e205633b32e37f25dc9f

SHA1
cf51f2770bf3bc5fc0c6d13b63815f4c9f291cd0

SHA256
93367912b5f4a4a2830bf03d3f322b0dc873629965ee3e3affc87efd2cb13a5b

SHA512
6156979dd1a956434554493a156d44981ad4cbe2af252313fdfbfe17f9f04d89e914b7c45c97a84b2ffe2182d64ce50434f99f18052211bac8778a12b97865b5

Download Submit
C:\Users\Admin\AppData\Local\holloing\cunila.exe

Filesize
1.1MB

MD5
5fbc756d04b68cd1c66a12a56628744f

SHA1
174afc1c59dd513d93afb9aa414e4a3486e8d7d2

SHA256
069facb5cf9660abced4bcb48a98ab7e5e51bb311517148ec794ff6ae4985652

SHA512
cb351a7675035f3e487a0d1deda13e4eb44ee74759e29d6cb4b43a990bc337afd15a5342ed543a5abb8324939ab707d347c43db7b140472529a57a9ac162b863

Download Submit
memory/212-32-0x0000000000BF0000-0x0000000000D1C000-memory.dmp

Filesize
1.2MB

Download
memory/212-29-0x0000000000BF0000-0x0000000000D1C000-memory.dmp

Filesize
1.2MB

Download
memory/924-11-0x0000000000CA0000-0x00000000010A0000-memory.dmp

Filesize
4.0MB

Download
memory/1820-34-0x0000000005A30000-0x0000000005ACC000-memory.dmp

Filesize
624KB

Download
memory/1820-33-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/1820-31-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1820-41-0x00000000064E0000-0x0000000006572000-memory.dmp

Filesize
584KB

Download
memory/1820-40-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1820-39-0x0000000006770000-0x0000000006D14000-memory.dmp

Filesize
5.6MB

Download
memory/1820-42-0x00000000064A0000-0x00000000064AA000-memory.dmp

Filesize
40KB

Download
memory/1820-43-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/1820-44-0x0000000006D20000-0x0000000006D86000-memory.dmp

Filesize
408KB

Download
memory/1820-45-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing