xworm | dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762

General

Target

dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe
Size

313KB
MD5

a28240f6a63d655f50bd4febc028455c
SHA1

f093d774c744c994b2b0e756783093ba7e342575
SHA256

dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762
SHA512

dec2809f3c15afc0e1acb5cb278e3fdad44c770878c0fea81d9efa76bf7e6855977eb63811f4896d555832e51bba3bfbcb0291ea286b7c394203cee535b8519f
SSDEEP

6144:um8fza8GpKgzK+OUmXAEw0Kd3kauJkZfu+C+3+W4nCjAQJGDu8r6SE:umazpG0gXOUWAEw0Kd3kadf13+xCB1eE

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x00080000000174bf-14.dat	family_xworm
behavioral1/memory/2100-15-0x00000000001E0000-0x00000000001F0000-memory.dmp	family_xworm
behavioral1/memory/2184-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2184-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2184-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2184-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2184-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 2184	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2492	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	30
PID 2100 wrote to memory of 2492	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	30
PID 2100 wrote to memory of 2492	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	30
PID 2100 wrote to memory of 2492	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	30
PID 2492 wrote to memory of 2916	2492	csc.exe	32
PID 2492 wrote to memory of 2916	2492	csc.exe	32
PID 2492 wrote to memory of 2916	2492	csc.exe	32
PID 2492 wrote to memory of 2916	2492	csc.exe	32
PID 2100 wrote to memory of 2184	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	33
PID 2100 wrote to memory of 2184	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	33
PID 2100 wrote to memory of 2184	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	33
PID 2100 wrote to memory of 2184	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	33
PID 2100 wrote to memory of 2184	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	33
PID 2100 wrote to memory of 2184	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	33
PID 2100 wrote to memory of 2184	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	33
PID 2100 wrote to memory of 2184	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	33
PID 2100 wrote to memory of 2184	2100	dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe	33

C:\Users\Admin\AppData\Local\Temp\dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe
"C:\Users\Admin\AppData\Local\Temp\dcd7f802f5ddf4ce2ffe5bda303c916ae37865c9b10ca97f8fe2bcc7c24f1762.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jzbfoxrw\jzbfoxrw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB5C.tmp" "c:\Users\Admin\AppData\Local\Temp\jzbfoxrw\CSCA220509D6C7C4C3897FEF259F2B96BB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAB5C.tmp

Filesize
1KB

MD5
9b39f06b860867e51773c7946345d5ff

SHA1
0336096c97cd19acff47f2e4e08ba7e040e7e59a

SHA256
af52f0ff264ec6e4cb0ad7ec52e1fed54fb83521d265ab25609b76b2b543d2d2

SHA512
bb08278bc890dccce861e6f4565614669989b398a54ac358567d88128f242ab020789d2c7ddb3fbf449250e8656c8de6e8d2e5e4b1134dc5f483305743f7d66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzbfoxrw\jzbfoxrw.dll

Filesize
41KB

MD5
2185a5d8fc97369a7bfc5dfdac2044ec

SHA1
71bbf4aecc011e049933925bcca907a821b8eef8

SHA256
8d64767eac6dd05c97f835615062ae634d4e4202118577e8add692c35ec8d414

SHA512
b20dc2cfcc46ae6c4905bc6c55ebd27876828b6bb0ce86ebd54b8241d0756de2dd49eaa008452d6988cfe9cc14adbd665d3e21ade8c5d363ae857d5013953eea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jzbfoxrw\CSCA220509D6C7C4C3897FEF259F2B96BB.TMP

Filesize
652B

MD5
0b5c670f530e1119bcc6a3026f4abe3c

SHA1
30c2d778f5fa3ce442c0567d7daf34698a12b7be

SHA256
aad610a62884966085bb4ede4caec5a9021bce9502bca0a744196f24b3891445

SHA512
4bb440f24abbc08a0a5445b49d0c4a04b43d66d2440b080d0102d3b6389a3d19d09fd14b93ed79a3dca9b392c3178444de513ce33ad55a04fdf70d4cdf4b0497

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jzbfoxrw\jzbfoxrw.0.cs

Filesize
101KB

MD5
d3d7b5b0fbcc9de20ec2e4fa32236a10

SHA1
164877cfef6f88ee94f26cc6e7ebd5007dc0ba1f

SHA256
c3ae166b77e7843c2f31b5c80beb993b580d1e5877d9c8cabfa17dd2ba57de50

SHA512
c08c29f671055a8849e388101860abdc329ba25c8feb53784e34db8f8c546e2d1023dcb4b146103f7539026d2b5ca070204f2223189ff76a06ae1c3138cba6ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jzbfoxrw\jzbfoxrw.cmdline

Filesize
204B

MD5
5995d7547ee77bffe3cebf439abc6ca8

SHA1
52f481c7ff02080b0646f9b251fec519ee554cbe

SHA256
97470bb6466d8b8776ed6cb1d7b666e5deeb5e6b7272d5f46e0756339e973ace

SHA512
b683e2a868fc78d16566e3d432539dd359c0f5ba8b99b187b01537d9d338d9927a5df24e221a3cf522a9498f8f5b9cc908be2b11c2a0ac803a3cef40c277e1b5

Download Submit
memory/2100-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x00000000011F0000-0x0000000001244000-memory.dmp

Filesize
336KB

Download
memory/2100-5-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-15-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2100-28-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2184-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2184-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2184-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2184-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2184-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2184-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2184-29-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2184-30-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-31-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-32-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing