xworm | 24359daec4a8fd5901889f2a45e5b8d783e07c3b63bb272caf94cbe08abefedd

General

Target

Quotation.scr
Size

945KB
MD5

91808cc12b1db334c458e38174207aba
SHA1

6a7be345db82c710c129b7bf17a9633b92398482
SHA256

2b68138198f01ca60ce18eb72fc8c1268691bae2409dd56ab871d465a958c1dc
SHA512

771784a96c5bff6fd6ebca728aa634363bf5a13a8e0f907bb76524bfa8f4131e5aef1ed680604ff9131d4c6588386a9b2758f1b0501c9bd9484d645a3982a1ed
SSDEEP

12288:Jtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga5TiSRlHEKqEFJMr+6A:Jtb20pkaCqT5TBWgNQ7a9iS3EVE++6A

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

69.174.99.6:7000

Mutex

ZMMi52bfIGvYY0Ok

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral3/memory/1604-22-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral3/memory/1604-26-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral3/memory/1604-24-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fascinatress.vbs	fascinatress.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	fascinatress.exe

Loads dropped DLL 1 IoCs

pid	Process
2136	Quotation.scr

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral3/files/0x000700000001921f-8.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2844 set thread context of 1604	2844	fascinatress.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fascinatress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2844	fascinatress.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2136	Quotation.scr
2136	Quotation.scr
2844	fascinatress.exe
2844	fascinatress.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2136	Quotation.scr
2136	Quotation.scr
2844	fascinatress.exe
2844	fascinatress.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2844	2136	Quotation.scr	31
PID 2136 wrote to memory of 2844	2136	Quotation.scr	31
PID 2136 wrote to memory of 2844	2136	Quotation.scr	31
PID 2136 wrote to memory of 2844	2136	Quotation.scr	31
PID 2844 wrote to memory of 1604	2844	fascinatress.exe	32
PID 2844 wrote to memory of 1604	2844	fascinatress.exe	32
PID 2844 wrote to memory of 1604	2844	fascinatress.exe	32
PID 2844 wrote to memory of 1604	2844	fascinatress.exe	32
PID 2844 wrote to memory of 1604	2844	fascinatress.exe	32
PID 2844 wrote to memory of 1604	2844	fascinatress.exe	32
PID 2844 wrote to memory of 1604	2844	fascinatress.exe	32
PID 2844 wrote to memory of 1604	2844	fascinatress.exe	32

C:\Users\Admin\AppData\Local\Temp\Quotation.scr
"C:\Users\Admin\AppData\Local\Temp\Quotation.scr" /S
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\bleacher\fascinatress.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation.scr" /S
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.scr" /S
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\bleacher\fascinatress.exe

Filesize
945KB

MD5
91808cc12b1db334c458e38174207aba

SHA1
6a7be345db82c710c129b7bf17a9633b92398482

SHA256
2b68138198f01ca60ce18eb72fc8c1268691bae2409dd56ab871d465a958c1dc

SHA512
771784a96c5bff6fd6ebca728aa634363bf5a13a8e0f907bb76524bfa8f4131e5aef1ed680604ff9131d4c6588386a9b2758f1b0501c9bd9484d645a3982a1ed

Download Submit
memory/1604-22-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1604-26-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1604-24-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1604-27-0x000000007430E000-0x000000007430F000-memory.dmp

Filesize
4KB

Download
memory/1604-28-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1604-29-0x000000007430E000-0x000000007430F000-memory.dmp

Filesize
4KB

Download
memory/1604-30-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2136-6-0x0000000000A10000-0x0000000000E10000-memory.dmp

Filesize
4.0MB

Download
memory/2844-20-0x0000000000860000-0x0000000000C60000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing