xworm | 14e1b5a22e7e68cfd1908bc0b7c6c7db1889c9109967bdd8fc06cd01ad3da042 | Triage

Sharing

General

Target

XvcClient.exe
Size

39KB
Sample

250123-yw5v3stjdr
MD5

8a1f910de42bbdfc2967424952092c93
SHA1

c9eb6e94e8f11e023e524eea898c14e1084568ac
SHA256

14e1b5a22e7e68cfd1908bc0b7c6c7db1889c9109967bdd8fc06cd01ad3da042
SHA512

6c8b01d99e3a8fb4c1e4d671616abe4e523202aba8873ae2eecd92d4a5020330cdb1635344c846b8e8189fd3ecb15f98a2da907a89ab2d1ead5d14dc3af1689f
SSDEEP

768:vMi7NoXNEbgnMpOMb9anqNiAvHzFN9pPOphISv4:H7NQObjAnqNiAvTFN9pPOpjv4

Score

10^/10

xworm discovery persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

cities-annex.gl.at.ply.gg:28648

Mutex

ZcxxP7wB83cGDNRX

Attributes

Install_directory
%Userprofile%
install_file
msconfig.exe

aes.plain

Targets

- Target
  
  XvcClient.exe
- Size
  
  39KB
- MD5
  
  8a1f910de42bbdfc2967424952092c93
- SHA1
  
  c9eb6e94e8f11e023e524eea898c14e1084568ac
- SHA256
  
  14e1b5a22e7e68cfd1908bc0b7c6c7db1889c9109967bdd8fc06cd01ad3da042
- SHA512
  
  6c8b01d99e3a8fb4c1e4d671616abe4e523202aba8873ae2eecd92d4a5020330cdb1635344c846b8e8189fd3ecb15f98a2da907a89ab2d1ead5d14dc3af1689f
- SSDEEP
  
  768:vMi7NoXNEbgnMpOMb9anqNiAvHzFN9pPOphISv4:H7NQObjAnqNiAvTFN9pPOpjv4
Score

10^/10

xworm discovery persistence ransomware rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

xwormdiscoverypersistenceransomwarerattrojan