xworm | 62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e | Triage

Sharing

General

Target

62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e.doc
Size

797KB
Sample

241107-c1j9aatfnp
MD5

917e800806d60717238c5b767070af1a
SHA1

2fd273a4f5a39691e4f256eebf4c0ec705a0d298
SHA256

62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e
SHA512

ebc6c8f811383faad6f159b65e3db598173e5fba6fb6e0167dbdf85e148ddbcd25400e8c1395e7388ea897ae7cb646832c88400a7eb461bb65efd7d098d4afc4
SSDEEP

24576:/KOGjn4lUrN4vaxrB1qep1wuJ7NYtQV7dJXWlLPx:3q4m4Sxrzp1TJ7j7vXW

Score

10^/10

xworm discovery execution macro persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

185.244.29.113:5563

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e.doc
- Size
  
  797KB
- MD5
  
  917e800806d60717238c5b767070af1a
- SHA1
  
  2fd273a4f5a39691e4f256eebf4c0ec705a0d298
- SHA256
  
  62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e
- SHA512
  
  ebc6c8f811383faad6f159b65e3db598173e5fba6fb6e0167dbdf85e148ddbcd25400e8c1395e7388ea897ae7cb646832c88400a7eb461bb65efd7d098d4afc4
- SSDEEP
  
  24576:/KOGjn4lUrN4vaxrB1qep1wuJ7NYtQV7dJXWlLPx:3q4m4Sxrzp1TJ7j7vXW
Score

10^/10

discovery execution xworm persistence rat trojan
- Detect Xworm Payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

xwormdiscoveryexecutionpersistencerattrojan