xworm | 35d1c3d34870f5c5ac2985bfb359e9cd0d6743a367f55e5cc21992a96deaf85b

General

Target

EagleSpy V5 Cracked By @R3D_Dev.zip
Size

322.9MB
MD5

fc2524a3c18eddd353bd5cb80cf7dc0d
SHA1

7bfbfd7edbe6eb1a92d3741b5a4afaaa222bd60c
SHA256

35d1c3d34870f5c5ac2985bfb359e9cd0d6743a367f55e5cc21992a96deaf85b
SHA512

369c3046450c88dc31190ffa4c1f2f339c5f1fb6fda3abba9565fdafba3bf5245a953333127d18e71269e043d4118a242d192a6c7a04c0423572c5c6c338da1e
SSDEEP

6291456:mUvgkmWuiGyfvKNMZYmrkz4AOPHg8JuGrPriREp4UQ3PVUD1W4Jxka2T1Y:nvg9uvSMfnHgSuG6C6PSpJxkJY

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

else-workflow.gl.at.ply.gg:58116

Mutex

hhrcQoynZCKLCvBI

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001d00000002aa9b-1033.dat	family_xworm
behavioral1/memory/3856-1040-0x0000000000E20000-0x0000000000E30000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
2420	Eagle Spy V5.exe
3856	XClient.exe
4892	Eagle Spy V5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eagle Spy V5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eagle Spy V5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3856	XClient.exe
3856	XClient.exe
3856	XClient.exe
3856	XClient.exe
3856	XClient.exe
3856	XClient.exe
3856	XClient.exe
3856	XClient.exe
3856	XClient.exe
3856	XClient.exe
3856	XClient.exe
3856	XClient.exe
3856	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3380	7zFM.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	3380	7zFM.exe
Token: 35	3380	7zFM.exe
Token: SeSecurityPrivilege	3380	7zFM.exe
Token: SeRestorePrivilege	1940	dw20.exe
Token: SeBackupPrivilege	1940	dw20.exe
Token: SeBackupPrivilege	1940	dw20.exe
Token: SeBackupPrivilege	1940	dw20.exe
Token: SeDebugPrivilege	3856	XClient.exe
Token: SeDebugPrivilege	3856	XClient.exe
Token: SeBackupPrivilege	3824	dw20.exe
Token: SeBackupPrivilege	3824	dw20.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3380	7zFM.exe
3380	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3856	XClient.exe
3980	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3856	2420	Eagle Spy V5.exe	83
PID 2420 wrote to memory of 3856	2420	Eagle Spy V5.exe	83
PID 2420 wrote to memory of 1940	2420	Eagle Spy V5.exe	84
PID 2420 wrote to memory of 1940	2420	Eagle Spy V5.exe	84
PID 2420 wrote to memory of 1940	2420	Eagle Spy V5.exe	84
PID 4892 wrote to memory of 3824	4892	Eagle Spy V5.exe	87
PID 4892 wrote to memory of 3824	4892	Eagle Spy V5.exe	87
PID 4892 wrote to memory of 3824	4892	Eagle Spy V5.exe	87

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\EagleSpy V5 Cracked By @R3D_Dev.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1080

C:\Users\Admin\Desktop\EagleSpy V5 Cracked By @R3D_Dev\Eagle Spy V5.exe
"C:\Users\Admin\Desktop\EagleSpy V5 Cracked By @R3D_Dev\Eagle Spy V5.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3856
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1576
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1940

C:\Users\Admin\Desktop\EagleSpy V5 Cracked By @R3D_Dev\Eagle Spy V5.exe
"C:\Users\Admin\Desktop\EagleSpy V5 Cracked By @R3D_Dev\Eagle Spy V5.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 824
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3824

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\503391a4-84a1-4ef6-a6c9-78bf33546095.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
76fbe77cbc68f3bd5f0decad25775716

SHA1
2ebc2dea0b2224ea73fb5413d94ad38218122bf3

SHA256
8d59129db45c9f234318144380c9d167d89a9faa8e2a6aede9b5a3bcfdf650b6

SHA512
1a5d850914bd033defe42de3a333c2a7497927a07289258acd5ec08e973b4ed45030b0f299d6da5bac16ad607ed471b3db52a5c9676a532ecaa0836682618230

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
37KB

MD5
6c52c26e703fb342a4eea0506f55c084

SHA1
cc6559b3ca8411c35cad2a59ff79677214ebea7d

SHA256
2f60b5b38b11bcabfb6a1e322cdf9085ad59dd497da364f9e68dc32d83e2554a

SHA512
60a9c0a92060d3ac87c5f44388bb688ddab158276d2cea75a7619969af53f0480b25714069fb72e44e782c5965143064e82359b541ed913af44ed9c950c1b84d

Download Submit
memory/2420-1026-0x0000000074601000-0x0000000074602000-memory.dmp

Filesize
4KB

Download
memory/2420-1027-0x0000000074600000-0x0000000074BB1000-memory.dmp

Filesize
5.7MB

Download
memory/2420-1028-0x0000000074600000-0x0000000074BB1000-memory.dmp

Filesize
5.7MB

Download
memory/2420-1047-0x0000000074600000-0x0000000074BB1000-memory.dmp

Filesize
5.7MB

Download
memory/3856-1040-0x0000000000E20000-0x0000000000E30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads