xworm | 8344b15b9177b70916a48f8b8852747d6b7cb179e6d3edf5eac1692751b132fe

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

187KB
MD5

087c075bc4fe5fe242b5c66c29869864
SHA1

c45efc31b2277d02383946a90394ca4db1f703af
SHA256

8344b15b9177b70916a48f8b8852747d6b7cb179e6d3edf5eac1692751b132fe
SHA512

ad424e56406d98047db617b7ef6df2da9cef765cb5bf4eb7e592045386c49a982d951778c04e33e9d978cf3740a4829bc1c695ca73c3abd64f3bc3e0f27b4119
SSDEEP

3072:TqWg0oaxBGieuvQTtv6c/mTRPyZqqiIdhI+czv/gJQE7zK+l+2aVbUucM5W65S:TgP8GiHvQTV+d/qi25eKfU2cbNcM5U

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

45.149.241.37:7000

Mutex

4zFlCBA2xyUliXRM

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3044-1-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5056 set thread context of 3044	5056	file.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2628	5056	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3044	5056	file.exe	85
PID 5056 wrote to memory of 3044	5056	file.exe	85
PID 5056 wrote to memory of 3044	5056	file.exe	85
PID 5056 wrote to memory of 3044	5056	file.exe	85
PID 5056 wrote to memory of 3044	5056	file.exe	85
PID 5056 wrote to memory of 3044	5056	file.exe	85
PID 5056 wrote to memory of 3044	5056	file.exe	85
PID 5056 wrote to memory of 3044	5056	file.exe	85

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 264
  2⤵
  - Program crash
  PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5056 -ip 5056
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3044-1-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3044-2-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/3044-3-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/3044-4-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3044-5-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/3044-6-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/3044-7-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3044-8-0x0000000006570000-0x0000000006602000-memory.dmp

Filesize
584KB

Download
memory/3044-9-0x0000000006BC0000-0x0000000007164000-memory.dmp

Filesize
5.6MB

Download
memory/5056-0-0x0000000000D15000-0x0000000000D16000-memory.dmp

Filesize
4KB

Download