xworm | 968a3feb8e25469ff22d85d887972498989c1acb7d6bbcc4f982211e8fc88079

Analysis

max time kernel
30s
max time network
16s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-11-2024 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

X Project SUPER X GODDOM.exe
Size

326KB
MD5

6e6f88cba90c145c96d1461d60d5c152
SHA1

e9982c57a6777b2508070e061a7eb5a8f15b22fb
SHA256

968a3feb8e25469ff22d85d887972498989c1acb7d6bbcc4f982211e8fc88079
SHA512

71fb7b5dc56233f790b0973227a1d127b799c58b062306debbd9a67cdd741c7a123a3a6455300e27f2be9442746f4048e4f4ee4fc2e06cedbfca4e019ab6cd77
SSDEEP

6144:4VqG0SebO1eFh8JZpvUSlz5WeElf6+G386tPZ:4VqRFeXY3sMOh

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

client-toilet.gl.at.ply.gg:29921

Mutex

NvsfH1XO1syyGREn

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045044-14.dat	family_xworm
behavioral1/memory/400-24-0x0000000000750000-0x0000000000766000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	X Project SUPER X GODDOM.exe

Executes dropped EXE 1 IoCs

pid	Process
400	BLACKGODDOM V.2 GOD BY LA.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	BLACKGODDOM V.2 GOD BY LA.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 1604	5112	X Project SUPER X GODDOM.exe	84
PID 5112 wrote to memory of 1604	5112	X Project SUPER X GODDOM.exe	84
PID 5112 wrote to memory of 400	5112	X Project SUPER X GODDOM.exe	86
PID 5112 wrote to memory of 400	5112	X Project SUPER X GODDOM.exe	86
PID 1604 wrote to memory of 4948	1604	cmd.exe	87
PID 1604 wrote to memory of 4948	1604	cmd.exe	87
PID 1604 wrote to memory of 3652	1604	cmd.exe	88
PID 1604 wrote to memory of 3652	1604	cmd.exe	88
PID 1604 wrote to memory of 4124	1604	cmd.exe	89
PID 1604 wrote to memory of 4124	1604	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\X Project SUPER X GODDOM.exe
"C:\Users\Admin\AppData\Local\Temp\X Project SUPER X GODDOM.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X-PROJECT.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:4948
- - C:\Windows\system32\mode.com
    Mode 100,22
    3⤵
    PID:3652
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4124
- C:\Users\Admin\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe
  "C:\Users\Admin\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe

Filesize
67KB

MD5
2b1bcff698482a45a0d01356ad3e0384

SHA1
77d106b1495b869600cdfda6afeaec0f75a78634

SHA256
a9bd5014b5a6744b0a5c180a3e76ff546a514dcbad8bf2d8c500f903a285424b

SHA512
e8b6a729f3b4fc02886aeed232511dc9407a52aae40f01cd2817f8369944b14240bd3edfd573dbdef0d506557f02622148ce4042f6f497c20f1f11af85eeac77

Download Submit
C:\Users\Admin\AppData\Local\Temp\X-PROJECT.bat

Filesize
44KB

MD5
9c159b73622ac364dd0e8168cdcac067

SHA1
f11ef6fdfd881549f2a9496945d8c4570d27c85b

SHA256
3759b72e092e5d4aaf51407d88c231d036e3cca7e80ac79585dc428b32bbb39f

SHA512
dbfc7b204219ee06685834c34e4f1bc9a6c910a8357f7c6555054b36f6a09cf7f6fe3be23bb19903da20dff341f71f51db59ba239d6d03f697cba45b71ee1310

Download Submit
memory/400-24-0x0000000000750000-0x0000000000766000-memory.dmp

Filesize
88KB

Download
memory/400-25-0x00007FFF8C350000-0x00007FFF8CE12000-memory.dmp

Filesize
10.8MB

Download
memory/400-28-0x00007FFF8C350000-0x00007FFF8CE12000-memory.dmp

Filesize
10.8MB

Download
memory/400-29-0x00007FFF8C350000-0x00007FFF8CE12000-memory.dmp

Filesize
10.8MB

Download
memory/5112-0-0x00007FFF8C353000-0x00007FFF8C355000-memory.dmp

Filesize
8KB

Download
memory/5112-1-0x0000000000490000-0x00000000004E8000-memory.dmp

Filesize
352KB

Download
memory/5112-3-0x00007FFF8C350000-0x00007FFF8CE12000-memory.dmp

Filesize
10.8MB

Download
memory/5112-26-0x00007FFF8C350000-0x00007FFF8CE12000-memory.dmp

Filesize
10.8MB

Download