xworm | d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a

General

Target

d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe
Size

34KB
MD5

c9c23e8ec35c88ce322287cc2e7e3a6d
SHA1

3644da59369aba3d19644bc658e8fd7f8baed1d3
SHA256

d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a
SHA512

90ecb074ab146f79cabe1821dd55082d333523ec104c3584acee2411bbe4fe59f81b8396e08cb0c79acb2c84a930f655ad1a0f9b9a3903e70923a624ead3e373
SSDEEP

768:6b7h81Q27R5Wo2/bHoDd+ntAxV85eeJ8Ym9Py:eh8GcJ2/bHi+mxLeWw

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

C2

92.255.85.66:7000

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2908-30-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2908-28-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2908-26-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2908-23-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2908-21-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe
Token: SeDebugPrivilege	2908	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1744	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	31
PID 2664 wrote to memory of 1744	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	31
PID 2664 wrote to memory of 1744	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	31
PID 2664 wrote to memory of 1744	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	31
PID 1744 wrote to memory of 2788	1744	csc.exe	33
PID 1744 wrote to memory of 2788	1744	csc.exe	33
PID 1744 wrote to memory of 2788	1744	csc.exe	33
PID 1744 wrote to memory of 2788	1744	csc.exe	33
PID 2664 wrote to memory of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34
PID 2664 wrote to memory of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34
PID 2664 wrote to memory of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34
PID 2664 wrote to memory of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34
PID 2664 wrote to memory of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34
PID 2664 wrote to memory of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34
PID 2664 wrote to memory of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34
PID 2664 wrote to memory of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34
PID 2664 wrote to memory of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34
PID 2664 wrote to memory of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34
PID 2664 wrote to memory of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34
PID 2664 wrote to memory of 2908	2664	d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe	34

C:\Users\Admin\AppData\Local\Temp\d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe
"C:\Users\Admin\AppData\Local\Temp\d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rlvjojkg\rlvjojkg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE495.tmp" "c:\Users\Admin\AppData\Local\Temp\rlvjojkg\CSCBEC95CC2AB2B47B7984E126736CE473B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE495.tmp

Filesize
1KB

MD5
a48a589875006879281ec7cb1be0372e

SHA1
6442c1bd1fde0b9eee585bc0eda333a83d5e4a8e

SHA256
3e5737ee6643054a18c1edcf39b45c0e66f100586bcbb6fb004a7d1b2374fc20

SHA512
1bbe352cef760ab3d10ba0420da13ec548eec68d1c7bf5a96023177a1697d1a92fbd7b4f1caa45bb2422ab20ca876104ecfa1073dab24d7c9ecadfb13e4dc786

Download Submit
C:\Users\Admin\AppData\Local\Temp\rlvjojkg\rlvjojkg.dll

Filesize
9KB

MD5
69f5a20aa6e5f912a144edec950d43cb

SHA1
e2c3b26b65e59acfdc3f0d5813368f02b4b15005

SHA256
b98d224978f0b0b318fa4253428475c3c40f8405da0bb2569205d878aaa10838

SHA512
fb67009880d312f140d2fe57f029261694dc33600078688bf3d24f3fb284ddfba0d66cc8bb2fd5379787b8d12c84109598e97d83d9eab5d47c6d6cdf42d428ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlvjojkg\CSCBEC95CC2AB2B47B7984E126736CE473B.TMP

Filesize
652B

MD5
a86115463fe4a6a79b2afd18d0bf21ca

SHA1
e315b1636d7625388a4f7b82d9748007ab0b9bc2

SHA256
5a37a459ed77a0c445b2fb0e033335d6f0cd6274aad1791dc13269ddf8e1cec4

SHA512
d84d51d3812e1a91be9ce4906b1a837d30b54d3bda207c63484b0e8813275ce266da0ffb417dbf3e2a9daefa5b9695652e2f824fd7806da6ad235acc9c33f7db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlvjojkg\rlvjojkg.0.cs

Filesize
10KB

MD5
9395e2aa1dddc1ae6ca1779aac4570f9

SHA1
7c8bc4d5b24a33ecbffd4ba0bada18d21c2d7988

SHA256
2b637d09604a7108ee0d12061f64d05299c3061c11f09a401853124664a3d5f0

SHA512
20aa8de49b5136d0699164893b969ceab8ddbbb3afd894104afa50b75d26847748d0bcaa1c57d7053d0a1a550956903fb8001353105bbd0d9098f90db5483b6c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlvjojkg\rlvjojkg.cmdline

Filesize
204B

MD5
f4b78e217b4693f2f7c50c3e014921ad

SHA1
293451021d7fa77abcb469133a919d777b2f5201

SHA256
0afde8efaf95a37b7cff92033b0df9326dc64f8c3f987c3fd7a2b7bfaf3ebeae

SHA512
48031d5d5e70f547a0b1c0e69d632a2d4408069cdbbedef0dcef16bd4d09a7907e6653fd4bf316721b396096cf92260d2abcfadf66e08b4591f14598179dba76

Download Submit
memory/2664-15-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/2664-5-0x0000000074CB0000-0x000000007539E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-1-0x0000000000210000-0x000000000021E000-memory.dmp

Filesize
56KB

Download
memory/2664-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/2664-31-0x0000000074CB0000-0x000000007539E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2908-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2908-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2908-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2908-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2908-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2908-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2908-21-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing