xworm | cb5b070c7f9106506e53a4d84c1f7842afa9177d98cf1bf073d06f3a92af22e8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb5b070c7f9106506e53a4d84c1f7842afa9177d98cf1bf073d06f3a92af22e8.exe
Size

7.6MB
MD5

3df9a55a59cb8b6f13315a47947d9b57
SHA1

1bd5c2e8d5ff94cbda38292508ef0b667397ad5f
SHA256

cb5b070c7f9106506e53a4d84c1f7842afa9177d98cf1bf073d06f3a92af22e8
SHA512

77cfc783008912a2357abed2ce05c0e91fa3957a149856699147bdfcd2ce9c8950e69d08475c0fb1ce406c62e763ae2d6b0d2a92ef5749547708c13eb19a15e8
SSDEEP

196608:dlO/QfaXhb+WVWhU5Dp/A/QUgg2Oy20rxaDN:QIcDp/Ev2OrN

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

87.120.116.179:1300

Mutex

C33DN8qMtx58OdAb

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/860-6-0x0000000001080000-0x0000000001090000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4600 set thread context of 860	4600	cb5b070c7f9106506e53a4d84c1f7842afa9177d98cf1bf073d06f3a92af22e8.exe	96

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb5b070c7f9106506e53a4d84c1f7842afa9177d98cf1bf073d06f3a92af22e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
860	csc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	csc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
860	csc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 860	4600	cb5b070c7f9106506e53a4d84c1f7842afa9177d98cf1bf073d06f3a92af22e8.exe	96
PID 4600 wrote to memory of 860	4600	cb5b070c7f9106506e53a4d84c1f7842afa9177d98cf1bf073d06f3a92af22e8.exe	96
PID 4600 wrote to memory of 860	4600	cb5b070c7f9106506e53a4d84c1f7842afa9177d98cf1bf073d06f3a92af22e8.exe	96
PID 4600 wrote to memory of 860	4600	cb5b070c7f9106506e53a4d84c1f7842afa9177d98cf1bf073d06f3a92af22e8.exe	96
PID 4600 wrote to memory of 860	4600	cb5b070c7f9106506e53a4d84c1f7842afa9177d98cf1bf073d06f3a92af22e8.exe	96

C:\Users\Admin\AppData\Local\Temp\cb5b070c7f9106506e53a4d84c1f7842afa9177d98cf1bf073d06f3a92af22e8.exe
"C:\Users\Admin\AppData\Local\Temp\cb5b070c7f9106506e53a4d84c1f7842afa9177d98cf1bf073d06f3a92af22e8.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-16-0x0000000006B00000-0x0000000006B92000-memory.dmp

Filesize
584KB

Download
memory/860-18-0x0000000006CA0000-0x0000000006D06000-memory.dmp

Filesize
408KB

Download
memory/860-19-0x00000000742EE000-0x00000000742EF000-memory.dmp

Filesize
4KB

Download
memory/860-11-0x00000000742EE000-0x00000000742EF000-memory.dmp

Filesize
4KB

Download
memory/860-17-0x00000000063B0000-0x00000000063BA000-memory.dmp

Filesize
40KB

Download
memory/860-6-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/860-15-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/860-14-0x0000000006450000-0x00000000069F4000-memory.dmp

Filesize
5.6MB

Download
memory/860-20-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/860-13-0x0000000005830000-0x00000000058CC000-memory.dmp

Filesize
624KB

Download
memory/4600-8-0x0000000000497000-0x00000000004B0000-memory.dmp

Filesize
100KB

Download
memory/4600-12-0x0000000000BA6000-0x0000000000BD3000-memory.dmp

Filesize
180KB

Download
memory/4600-0-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/4600-10-0x0000000000B8B000-0x0000000000B93000-memory.dmp

Filesize
32KB

Download
memory/4600-2-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/4600-1-0x0000000000497000-0x00000000004B0000-memory.dmp

Filesize
100KB

Download
memory/4600-7-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/4600-5-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/4600-4-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/4600-9-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download