xworm | bc8e1e0d26c08f7116113bb591eb5275174652f19293f7d9a4921a580b78b042

General

Target

FREE BYPASS.rar
Size

703KB
MD5

58292ba4352cc7ede74cea6eb6cf4764
SHA1

62d5ffb6fce1c50d793477bf50eaa3b706e1746d
SHA256

bc8e1e0d26c08f7116113bb591eb5275174652f19293f7d9a4921a580b78b042
SHA512

278a23320aa015c2303c808fcc7f6a718c833cc7bb8d17d54de23d132ef50bb7acbad586ad47a96341be1859336d33bca8e58427a6e030e820de437ef041f1c7
SSDEEP

12288:r5QdwWNKMUvO3sryrdKDRxSwj3mfXnj31KYiZqwu4Jpq9FCLcmc4ofpzvSUV:rCpK1O3cyrdCRow7mfTgjEcpmsL+4ofr

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.23:25808

Attributes

Install_directory
%LocalAppData%
install_file
Realtek HD Audio Universal Service.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00290000000451ad-17.dat	family_xworm
behavioral1/memory/2032-37-0x00000000000B0000-0x00000000000CA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	FREE BYPASS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	FREE BYPASS.exe

Executes dropped EXE 6 IoCs

pid	Process
824	FREE BYPASS.exe
2032	Realtek HD Audio Universal Service.exe
2052	SAM CHEAT bypass.exe
648	FREE BYPASS.exe
1436	Realtek HD Audio Universal Service.exe
232	SAM CHEAT bypass.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FREE BYPASS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FREE BYPASS.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00280000000451aa-4.dat	nsis_installer_1
behavioral1/files/0x00280000000451aa-4.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1828	7zFM.exe
1828	7zFM.exe
1828	7zFM.exe
1828	7zFM.exe
1828	7zFM.exe
1828	7zFM.exe
1828	7zFM.exe
1828	7zFM.exe
1828	7zFM.exe
1828	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1828	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	1828	7zFM.exe
Token: 35	1828	7zFM.exe
Token: SeSecurityPrivilege	1828	7zFM.exe
Token: SeDebugPrivilege	2032	Realtek HD Audio Universal Service.exe
Token: SeSecurityPrivilege	1828	7zFM.exe
Token: SeDebugPrivilege	1436	Realtek HD Audio Universal Service.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1828	7zFM.exe
1828	7zFM.exe
1828	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
824	FREE BYPASS.exe
648	FREE BYPASS.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 824	1828	7zFM.exe	88
PID 1828 wrote to memory of 824	1828	7zFM.exe	88
PID 1828 wrote to memory of 824	1828	7zFM.exe	88
PID 824 wrote to memory of 2032	824	FREE BYPASS.exe	91
PID 824 wrote to memory of 2032	824	FREE BYPASS.exe	91
PID 824 wrote to memory of 2052	824	FREE BYPASS.exe	92
PID 824 wrote to memory of 2052	824	FREE BYPASS.exe	92
PID 1828 wrote to memory of 648	1828	7zFM.exe	99
PID 1828 wrote to memory of 648	1828	7zFM.exe	99
PID 1828 wrote to memory of 648	1828	7zFM.exe	99
PID 648 wrote to memory of 1436	648	FREE BYPASS.exe	100
PID 648 wrote to memory of 1436	648	FREE BYPASS.exe	100
PID 648 wrote to memory of 232	648	FREE BYPASS.exe	101
PID 648 wrote to memory of 232	648	FREE BYPASS.exe	101

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Local\Temp\7zO42759DD7\FREE BYPASS.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO42759DD7\FREE BYPASS.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
    "C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe
    "C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe"
    3⤵
    - Executes dropped EXE
    PID:2052
- C:\Users\Admin\AppData\Local\Temp\7zO427881F7\FREE BYPASS.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO427881F7\FREE BYPASS.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
    "C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe
    "C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe"
    3⤵
    - Executes dropped EXE
    PID:232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO42759DD7\FREE BYPASS.exe

Filesize
758KB

MD5
d73c9e865143acd7ee7b526266109048

SHA1
86cd070de3e808bfa057daf04ca7286644e33e35

SHA256
d1179ff1ecadf6756288590c6c08420ec7b9e06aa9e0effc9b2c6b9b8ca5fa4e

SHA512
a3ba88e3418d68cac8bb7d96a29fa218605933696cf1489367062f8d85d5a6c701403b24e701c668dcfeb27abdd1fd907a9815691f47d6802087b409bdc66e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

Filesize
79KB

MD5
066d90fb1d671648842a3b46622eb7ce

SHA1
6d0949bd4f494c9f8d80b705a79cfa9038c80e51

SHA256
8d2cf02c3005fb4bb7058df1f3a2e24b98077a8c5a8aab5c8184f4aa9ed951d8

SHA512
b22c8910e501de5fcb8e6197552396285366c9b43c4c6df4387b95a28830bf13a6ce634aadbf79e71b83879d19132c63414da5c5059edaa33be6bb71cee32745

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe

Filesize
1.3MB

MD5
d46bcf5d90966c10fb75419041fae79f

SHA1
9db2c47dd39acd50983c963d370045fcb956d72a

SHA256
edcef9f0255fa29acdfd80bbfb03abea630eb152b19f20fca12fdd88ccf9b399

SHA512
26a241bb87b5abafbba8209135c49163e9ee97ef4f8eaa4dbaf5723b9ce7038b6bdfa9926da29ad3728a854d424168384605c3f494dc29f55249b96adcbe7fb2

Download Submit
memory/2032-37-0x00000000000B0000-0x00000000000CA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing