xworm | 9e109f42594b27b9cd46bc2c921467e571ded77081b8827717dee1a63d454703

General

Target

Chef.exe
Size

2.4MB
MD5

913746cb80b7853cc2430a0c067a2d4c
SHA1

7cfaf2942ac5aef5d73dc93e53d93eaaea673e87
SHA256

9e109f42594b27b9cd46bc2c921467e571ded77081b8827717dee1a63d454703
SHA512

943ef904a4fe28ef265a1556890002049fbf57f8992f5e8b60c09668ecab2310ab252b140331615c2be910cd5f3edd65544ee63c12651c8db398b6e91ac2c644
SSDEEP

49152:TL4Lbjy9eBZGXfdEl6ISzae0PF81yQYZ0yKAA6M8AAk1+ycDyJ8siSDt8:TESeD0Vs6ISx0dPQNy2ady/J8siSR8

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

C2

93.123.109.89:7000

Attributes

Install_directory
%Temp%
install_file
BackgroundTaskHost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3412-3-0x0000000000400000-0x0000000000416000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
720	Ocean.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 3412	2980	Chef.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2352	3412	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
720	Ocean.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
720	Ocean.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3412	2980	Chef.exe	80
PID 2980 wrote to memory of 3412	2980	Chef.exe	80
PID 2980 wrote to memory of 3412	2980	Chef.exe	80
PID 2980 wrote to memory of 3412	2980	Chef.exe	80
PID 2980 wrote to memory of 3412	2980	Chef.exe	80
PID 2980 wrote to memory of 3412	2980	Chef.exe	80
PID 2980 wrote to memory of 3412	2980	Chef.exe	80
PID 2980 wrote to memory of 3412	2980	Chef.exe	80
PID 2980 wrote to memory of 720	2980	Chef.exe	81
PID 2980 wrote to memory of 720	2980	Chef.exe	81

C:\Users\Admin\AppData\Local\Temp\Chef.exe
"C:\Users\Admin\AppData\Local\Temp\Chef.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 1652
    3⤵
    - Program crash
    PID:2352
- C:\Users\Admin\AppData\Local\Temp\Ocean.exe
  "C:\Users\Admin\AppData\Local\Temp\Ocean.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3412 -ip 3412
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ocean.exe

Filesize
2.3MB

MD5
286efca498147dedaf4169e9bb297b52

SHA1
a88b65dc85d209a26da56c1d31fc63edb99d0819

SHA256
de824109d13ae96a87c2cfabbc650e05765e1ae36ebe69c4bf16d253f3e7f53d

SHA512
3b4149969308e53bf4f37af4f71d47199f6ba0198fd6e9b0a937daf11c728bdf2f695aa2400c1ee0db7708ed5e48b1cce5596b7a5cce9cafa21e6de8eb5c9ad6

Download Submit
memory/2980-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x0000000000750000-0x00000000009C6000-memory.dmp

Filesize
2.5MB

Download
memory/2980-2-0x0000000005400000-0x0000000005466000-memory.dmp

Filesize
408KB

Download
memory/2980-5-0x0000000074950000-0x0000000075101000-memory.dmp

Filesize
7.7MB

Download
memory/2980-16-0x0000000074950000-0x0000000075101000-memory.dmp

Filesize
7.7MB

Download
memory/3412-3-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3412-6-0x0000000074950000-0x0000000075101000-memory.dmp

Filesize
7.7MB

Download
memory/3412-7-0x0000000005190000-0x000000000522C000-memory.dmp

Filesize
624KB

Download
memory/3412-17-0x0000000074950000-0x0000000075101000-memory.dmp

Filesize
7.7MB

Download
memory/3412-18-0x0000000074950000-0x0000000075101000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing