xworm | ca499aa6e07866d66b5a5c094b183e81bc56d92a6caaf202da6c520437c93cc8

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca499aa6e07866d66b5a5c094b183e81bc56d92a6caaf202da6c520437c93cc8.exe
Size

58KB
MD5

469b78eefebb0c3f12c842b4f323de93
SHA1

a54fc77abf4dae800de294f2431cf5150d01e877
SHA256

ca499aa6e07866d66b5a5c094b183e81bc56d92a6caaf202da6c520437c93cc8
SHA512

45f98e88285f4f6b5cc1bb696110499c54db6a0ac58b0c33c9c90fe4c66009b8fec71711371e80db532183a6dec416787e84ee0b26f9017d8b41fee2b803cdd6
SSDEEP

768:x7MZ4sXKZQmh8kx7j8WjS51zgLF4fg7tr8K/YoCrjq0KQXdNsOPAufXZjfrC/1UQ:fsdmh8K7jrO5d2gRpKWNtP3/ZjzvD

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

materials-defects.gl.at.ply.gg:39616

Mutex

rIuGGTci5WjqsMOs

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001686c-13.dat	family_xworm
behavioral1/memory/2924-18-0x00000000013E0000-0x00000000013EE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
2984	DoDo.exe
2924	Anti-Cheat.exe

Loads dropped DLL 1 IoCs

pid	Process
2984	DoDo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DoDo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	Anti-Cheat.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2984	2104	ca499aa6e07866d66b5a5c094b183e81bc56d92a6caaf202da6c520437c93cc8.exe	30
PID 2104 wrote to memory of 2984	2104	ca499aa6e07866d66b5a5c094b183e81bc56d92a6caaf202da6c520437c93cc8.exe	30
PID 2104 wrote to memory of 2984	2104	ca499aa6e07866d66b5a5c094b183e81bc56d92a6caaf202da6c520437c93cc8.exe	30
PID 2104 wrote to memory of 2984	2104	ca499aa6e07866d66b5a5c094b183e81bc56d92a6caaf202da6c520437c93cc8.exe	30
PID 2984 wrote to memory of 2924	2984	DoDo.exe	31
PID 2984 wrote to memory of 2924	2984	DoDo.exe	31
PID 2984 wrote to memory of 2924	2984	DoDo.exe	31
PID 2984 wrote to memory of 2924	2984	DoDo.exe	31

C:\Users\Admin\AppData\Local\Temp\ca499aa6e07866d66b5a5c094b183e81bc56d92a6caaf202da6c520437c93cc8.exe
"C:\Users\Admin\AppData\Local\Temp\ca499aa6e07866d66b5a5c094b183e81bc56d92a6caaf202da6c520437c93cc8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\DoDo.exe
  "C:\Users\Admin\AppData\Local\Temp\DoDo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\Anti-Cheat.exe
    "C:\Users\Admin\AppData\Local\Temp\Anti-Cheat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DoDo.exe

Filesize
32KB

MD5
00e8b4319100ee1fdd88d6b75a269e5c

SHA1
ef2e2e5b1cd6111a7872e6228a5731e7a1f2e305

SHA256
0ad5ae166692a36534fbdd33615425f21efa6aeeb6ab8132435c86e3d4527653

SHA512
0750f69a1f73e9ff7767c41196b88ed3a6a70f6fff3e7bb7372580f6998d0f6fe32874e46486ed17a26794cedd1751179194d5197321b83fa9d7ee3f111c8d02

Download Submit
\Users\Admin\AppData\Local\Temp\Anti-Cheat.exe

Filesize
34KB

MD5
aa696f79e5297b2cd9c183df3339356c

SHA1
37c398ecb1fcb43e92afdc938ac6e9ded7bd3f75

SHA256
999af7fc70df1052507ee82bfd0dab9fda53c455d7cd9f0f876b67579393617a

SHA512
82607232e31d69ee70617705fdfa0169d1beccf90064839023b4a9fa8f4d253494f6da15b304ce96aacfd044cf2930851de9548a4066a67c32452bc1c73c2247

Download Submit
memory/2104-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

Filesize
4KB

Download
memory/2104-1-0x000000013F860000-0x000000013F872000-memory.dmp

Filesize
72KB

Download
memory/2104-2-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/2104-9-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-19-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-18-0x00000000013E0000-0x00000000013EE000-memory.dmp

Filesize
56KB

Download
memory/2984-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download