xworm | 24359daec4a8fd5901889f2a45e5b8d783e07c3b63bb272caf94cbe08abefedd

General

Target

Quotation.scr
Size

945KB
MD5

91808cc12b1db334c458e38174207aba
SHA1

6a7be345db82c710c129b7bf17a9633b92398482
SHA256

2b68138198f01ca60ce18eb72fc8c1268691bae2409dd56ab871d465a958c1dc
SHA512

771784a96c5bff6fd6ebca728aa634363bf5a13a8e0f907bb76524bfa8f4131e5aef1ed680604ff9131d4c6588386a9b2758f1b0501c9bd9484d645a3982a1ed
SSDEEP

12288:Jtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga5TiSRlHEKqEFJMr+6A:Jtb20pkaCqT5TBWgNQ7a9iS3EVE++6A

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

69.174.99.6:7000

Mutex

ZMMi52bfIGvYY0Ok

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral4/memory/116-20-0x0000000000150000-0x000000000015E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fascinatress.vbs	fascinatress.exe

Executes dropped EXE 1 IoCs

pid	Process
4460	fascinatress.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral4/files/0x000c000000023bb0-9.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4460 set thread context of 116	4460	fascinatress.exe	86

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fascinatress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.scr

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4460	fascinatress.exe
4460	fascinatress.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4692	Quotation.scr
4692	Quotation.scr
4460	fascinatress.exe
4460	fascinatress.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4692	Quotation.scr
4692	Quotation.scr
4460	fascinatress.exe
4460	fascinatress.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 4460	4692	Quotation.scr	83
PID 4692 wrote to memory of 4460	4692	Quotation.scr	83
PID 4692 wrote to memory of 4460	4692	Quotation.scr	83
PID 4460 wrote to memory of 116	4460	fascinatress.exe	86
PID 4460 wrote to memory of 116	4460	fascinatress.exe	86
PID 4460 wrote to memory of 116	4460	fascinatress.exe	86
PID 4460 wrote to memory of 116	4460	fascinatress.exe	86

C:\Users\Admin\AppData\Local\Temp\Quotation.scr
"C:\Users\Admin\AppData\Local\Temp\Quotation.scr" /S
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\bleacher\fascinatress.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation.scr" /S
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.scr" /S
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\done

Filesize
30KB

MD5
e30efbd4c9a3278363e5200c2c53a871

SHA1
f6e6b4311080c1b59e3a54fec78f0d60f6146c98

SHA256
d7a2b39f05edf818c2265cb112023280d56a09e8a11c05475e8217423267417c

SHA512
9f64059a9dc8f252db4448cbe426cc532f1b069f3bf2fcc213c5029bc1ee03264b175f385ced0928af1187b1160df43e5bbe9c15cd7d8ad84d29278124e7d0a2

Download Submit
C:\Users\Admin\AppData\Local\bleacher\fascinatress.exe

Filesize
945KB

MD5
91808cc12b1db334c458e38174207aba

SHA1
6a7be345db82c710c129b7bf17a9633b92398482

SHA256
2b68138198f01ca60ce18eb72fc8c1268691bae2409dd56ab871d465a958c1dc

SHA512
771784a96c5bff6fd6ebca728aa634363bf5a13a8e0f907bb76524bfa8f4131e5aef1ed680604ff9131d4c6588386a9b2758f1b0501c9bd9484d645a3982a1ed

Download Submit
memory/116-25-0x0000000005150000-0x00000000051B6000-memory.dmp

Filesize
408KB

Download
memory/116-20-0x0000000000150000-0x000000000015E000-memory.dmp

Filesize
56KB

Download
memory/116-21-0x0000000074E5E000-0x0000000074E5F000-memory.dmp

Filesize
4KB

Download
memory/116-22-0x0000000004B40000-0x0000000004BDC000-memory.dmp

Filesize
624KB

Download
memory/116-23-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/116-24-0x0000000074E5E000-0x0000000074E5F000-memory.dmp

Filesize
4KB

Download
memory/116-26-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/116-27-0x0000000005A90000-0x0000000005B22000-memory.dmp

Filesize
584KB

Download
memory/116-28-0x00000000060E0000-0x0000000006684000-memory.dmp

Filesize
5.6MB

Download
memory/4460-18-0x0000000000CA0000-0x00000000010A0000-memory.dmp

Filesize
4.0MB

Download
memory/4692-6-0x0000000000FE0000-0x00000000013E0000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing