xworm | 44fc51bf740eeed8fee536ab1fc2c01e6b8ab2bada3af62f44ad0a6481d61417

General

Target

ten's loader.exe
Size

2.9MB
MD5

94bc2b3a186f5f3a41304a4e1b57505e
SHA1

29ec490e1a1c7e24193e80b4177d6d368869f3ce
SHA256

44fc51bf740eeed8fee536ab1fc2c01e6b8ab2bada3af62f44ad0a6481d61417
SHA512

314699346a7b9e76fc359235aec2cbd99beef403acf8d3840dfe3c45f3cb56e000de205bb46917f9032a3f85cc893970e454dbbae91e35e0f2f74156aabd9d97
SSDEEP

49152:a55WF1dYq+K99bTC11nTgzRy43M3B1yAowDZc270nBmvLka7/2kUk+/rU2yfuuyc:avAdY4b2DkL3syAo+gBmLv7/Gn/6fY1e

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

round-nonprofit.gl.at.ply.gg:40484

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b93-33.dat	family_xworm
behavioral2/memory/2308-41-0x0000000000350000-0x0000000000364000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ten's loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Jizz's loader.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	jizz.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	jizz.exe

Executes dropped EXE 3 IoCs

pid	Process
3600	BootstrapperNew.exe
772	Jizz's loader.exe
2308	jizz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	jizz.exe
Token: SeDebugPrivilege	2308	jizz.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 3600	3352	ten's loader.exe	83
PID 3352 wrote to memory of 3600	3352	ten's loader.exe	83
PID 3352 wrote to memory of 772	3352	ten's loader.exe	84
PID 3352 wrote to memory of 772	3352	ten's loader.exe	84
PID 772 wrote to memory of 2308	772	Jizz's loader.exe	85
PID 772 wrote to memory of 2308	772	Jizz's loader.exe	85

C:\Users\Admin\AppData\Local\Temp\ten's loader.exe
"C:\Users\Admin\AppData\Local\Temp\ten's loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Roaming\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Roaming\BootstrapperNew.exe"
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Users\Admin\AppData\Roaming\Jizz's loader.exe
  "C:\Users\Admin\AppData\Roaming\Jizz's loader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Roaming\jizz.exe
    "C:\Users\Admin\AppData\Roaming\jizz.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BootstrapperNew.exe

Filesize
2.9MB

MD5
4d207914ab7b161d4a8e6bf45cd27de4

SHA1
accd340b49754a770fd8debc10a379fe587336f6

SHA256
3c4dcf944e748c91df983422349e3a10f8271d3ef77ceee73d071b3d5e764f1b

SHA512
7df470c7c3b1f695289202363826d86af5e878138aa7c50a5d678df1ee95c0e9e2e87dc913be007e212519b05ab56146766768fbe00c583f5b57b905fbbf3f19

Download Submit
C:\Users\Admin\AppData\Roaming\Jizz's loader.exe

Filesize
72KB

MD5
e1a370dda927b29186165040d9c1fab8

SHA1
dfbd3714ea74670aa8ba3cffa18374eae565b35a

SHA256
40bbbae461aca6a2d90da6c39f772873484de0435f641d10bffa3eebbfe781c2

SHA512
09eb17a7dbb9a6ad459d74f0c145e01ed51a8c9bc46bbc309cb9621240c102c6d4cdc72fdc7c2c89b5249ce98d9a4f694ae4dbc4c32f8821c9dcc373becf649e

Download Submit
C:\Users\Admin\AppData\Roaming\jizz.exe

Filesize
57KB

MD5
3e1e065fc0731757e156d175b50fe7cd

SHA1
a590b6e85e7e72ac1be5f85bcf5b45703e207bd9

SHA256
9efae534c26a61633eb6945e1cd18e09b8768f1fa82bfa75f16474e2a36ec4e5

SHA512
dcc9b176abfd68fde6c24b9baf50ec609ebaecf5ad7735cd84a10cb2a23246abb831bff87d9f8dfd81105bfcf6b924994737ad38b98e6efa9f87da6a935af7fd

Download Submit
memory/772-43-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download
memory/772-26-0x0000000000790000-0x00000000007A8000-memory.dmp

Filesize
96KB

Download
memory/772-29-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download
memory/2308-41-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/3352-1-0x0000000000980000-0x0000000000C7A000-memory.dmp

Filesize
3.0MB

Download
memory/3352-0-0x00007FFCD9873000-0x00007FFCD9875000-memory.dmp

Filesize
8KB

Download
memory/3600-28-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download
memory/3600-50-0x000001DF74F90000-0x000001DF74FB6000-memory.dmp

Filesize
152KB

Download
memory/3600-44-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download
memory/3600-25-0x000001DF55580000-0x000001DF55862000-memory.dmp

Filesize
2.9MB

Download
memory/3600-45-0x000001DF6FF90000-0x000001DF6FF98000-memory.dmp

Filesize
32KB

Download
memory/3600-48-0x000001DF76210000-0x000001DF76310000-memory.dmp

Filesize
1024KB

Download
memory/3600-47-0x000001DF71B50000-0x000001DF71B5E000-memory.dmp

Filesize
56KB

Download
memory/3600-46-0x000001DF74F50000-0x000001DF74F88000-memory.dmp

Filesize
224KB

Download
memory/3600-49-0x000001DF74F10000-0x000001DF74F1A000-memory.dmp

Filesize
40KB

Download
memory/3600-42-0x000001DF55C40000-0x000001DF55C50000-memory.dmp

Filesize
64KB

Download
memory/3600-53-0x000001DF74F30000-0x000001DF74F3A000-memory.dmp

Filesize
40KB

Download
memory/3600-52-0x000001DF74FC0000-0x000001DF74FD6000-memory.dmp

Filesize
88KB

Download
memory/3600-51-0x000001DF74F40000-0x000001DF74F48000-memory.dmp

Filesize
32KB

Download
memory/3600-54-0x000001DF74F20000-0x000001DF74F2A000-memory.dmp

Filesize
40KB

Download
memory/3600-55-0x000001DF74FF0000-0x000001DF74FF8000-memory.dmp

Filesize
32KB

Download
memory/3600-61-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download
memory/3600-62-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing