xworm | 999793a77939720fd339a4a06bfb8af07523f433009b1895b8dec743d4026008

General

Target

999793a77939720fd339a4a06bfb8af07523f433009b1895b8dec743d4026008.exe
Size

1.1MB
MD5

a4f882b8dfb6c075effcaf592d5662f8
SHA1

c3b5d0b630a8575304fdcc92023fb5b3c051c1b4
SHA256

999793a77939720fd339a4a06bfb8af07523f433009b1895b8dec743d4026008
SHA512

5780b1cdf63db3826fba5dfc0defa7672dab46782c693e1f7f629e3a3cfb13708d36d9e61872761eadfa554c3e553df28003862dc04dc8f6472fc5494965cad5
SSDEEP

24576:dAHnh+eWsN3skA4RV1Hom2KXFmIan9tlBtuWBd88PBE5:8h+ZkldoPK1Xan/jwWlQ

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

195.154.49.246:2080

Mutex

Wxez4wHXX8E21z87

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4964-31-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs	cunila.exe

Executes dropped EXE 1 IoCs

pid	Process
1688	cunila.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023cb6-14.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 4964	1688	cunila.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	999793a77939720fd339a4a06bfb8af07523f433009b1895b8dec743d4026008.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cunila.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4964	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1688	cunila.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4964	RegSvcs.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1688	1572	999793a77939720fd339a4a06bfb8af07523f433009b1895b8dec743d4026008.exe	87
PID 1572 wrote to memory of 1688	1572	999793a77939720fd339a4a06bfb8af07523f433009b1895b8dec743d4026008.exe	87
PID 1572 wrote to memory of 1688	1572	999793a77939720fd339a4a06bfb8af07523f433009b1895b8dec743d4026008.exe	87
PID 1688 wrote to memory of 4964	1688	cunila.exe	88
PID 1688 wrote to memory of 4964	1688	cunila.exe	88
PID 1688 wrote to memory of 4964	1688	cunila.exe	88
PID 1688 wrote to memory of 4964	1688	cunila.exe	88

C:\Users\Admin\AppData\Local\Temp\999793a77939720fd339a4a06bfb8af07523f433009b1895b8dec743d4026008.exe
"C:\Users\Admin\AppData\Local\Temp\999793a77939720fd339a4a06bfb8af07523f433009b1895b8dec743d4026008.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\holloing\cunila.exe
  "C:\Users\Admin\AppData\Local\Temp\999793a77939720fd339a4a06bfb8af07523f433009b1895b8dec743d4026008.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\999793a77939720fd339a4a06bfb8af07523f433009b1895b8dec743d4026008.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Keily

Filesize
36KB

MD5
5635ad00e748a47bff8330822c030ebf

SHA1
e3504f02b4d6cb5afcc9f051a7cdd17902286ca2

SHA256
549998b23bcd05105a8e8662510fa04a92014bd36e9dc568a6c3e0d11e199ebf

SHA512
944bdfb02d5f308e0ebe30ab98e3dd359c622dd7b786155091db4516cb9f9f64dcbe89b1cdba9d464abce5b6260e9ce4f14b1c5a10b46cba672ec3263d677166

Download Submit
C:\Users\Admin\AppData\Local\Temp\spado

Filesize
140KB

MD5
ac11d25107b0285906b7fe88df5f3c1d

SHA1
b7a27996f2d8ae79d7e16d4ba6d57f3ec3e2f1f4

SHA256
a222226b607a17e13966e4ff388f4904d4c22f528fb0d043d1df84f0d9c88b72

SHA512
a2d16b18579da36ad682a3dc711ea33f5bbd967b8e62f7a872ea5e5470643199c2b9467f4c02cae391b8b0d6d330f21ba56a1575ff49adc62bfef547378ad73b

Download Submit
C:\Users\Admin\AppData\Local\holloing\cunila.exe

Filesize
1.1MB

MD5
a4f882b8dfb6c075effcaf592d5662f8

SHA1
c3b5d0b630a8575304fdcc92023fb5b3c051c1b4

SHA256
999793a77939720fd339a4a06bfb8af07523f433009b1895b8dec743d4026008

SHA512
5780b1cdf63db3826fba5dfc0defa7672dab46782c693e1f7f629e3a3cfb13708d36d9e61872761eadfa554c3e553df28003862dc04dc8f6472fc5494965cad5

Download Submit
memory/1572-11-0x0000000001010000-0x0000000001410000-memory.dmp

Filesize
4.0MB

Download
memory/1688-29-0x00000000013C0000-0x00000000017C0000-memory.dmp

Filesize
4.0MB

Download
memory/4964-32-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/4964-31-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4964-33-0x00000000050A0000-0x000000000513C000-memory.dmp

Filesize
624KB

Download
memory/4964-34-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/4964-35-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-36-0x0000000005FA0000-0x0000000006032000-memory.dmp

Filesize
584KB

Download
memory/4964-37-0x00000000058E0000-0x00000000058EA000-memory.dmp

Filesize
40KB

Download
memory/4964-38-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/4964-39-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/4964-40-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing