xworm | 4a6a052cca2e26577c7e07e513a33ae7f147bfdcbbed22e3ad6ee36d4c66850e

General

Target

185.7.214_1.211.ps1
Size

748B
MD5

e82a3ff48366e1f36544a3da3cabc703
SHA1

84796eb3285b20787b8b17765e73b7180b4931d0
SHA256

4a6a052cca2e26577c7e07e513a33ae7f147bfdcbbed22e3ad6ee36d4c66850e
SHA512

87fe6cf2aa4925e39274a7279b2349ff8aeebcd68c73a6561d3d456960b9bca8b5c0722aa0c2712804c4538793f4c1cce9ff3be3904bbd891599979e963d6173

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.211:4444

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e452-25.dat	family_xworm
behavioral2/memory/1740-26-0x0000018DBFBB0000-0x0000018DBFBC0000-memory.dmp	family_xworm
behavioral2/memory/448-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	1740	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
7	1740	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 448	1740	powershell.exe	95

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1740	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1740	powershell.exe
1740	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	448	MSBuild.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 3124	1740	powershell.exe	93
PID 1740 wrote to memory of 3124	1740	powershell.exe	93
PID 3124 wrote to memory of 4868	3124	csc.exe	94
PID 3124 wrote to memory of 4868	3124	csc.exe	94
PID 1740 wrote to memory of 448	1740	powershell.exe	95
PID 1740 wrote to memory of 448	1740	powershell.exe	95
PID 1740 wrote to memory of 448	1740	powershell.exe	95
PID 1740 wrote to memory of 448	1740	powershell.exe	95
PID 1740 wrote to memory of 448	1740	powershell.exe	95
PID 1740 wrote to memory of 448	1740	powershell.exe	95
PID 1740 wrote to memory of 448	1740	powershell.exe	95
PID 1740 wrote to memory of 448	1740	powershell.exe	95

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\185.7.214_1.211.ps1
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y10iophq\y10iophq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82FB.tmp" "c:\Users\Admin\AppData\Local\Temp\y10iophq\CSCF672D0E841FA4DD882B6767DAC3FA92.TMP"
    3⤵
    PID:4868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES82FB.tmp

Filesize
1KB

MD5
ba74dd988dfe70760dfe6bd4da298316

SHA1
ed5f4842e4271741666330f326e584f889571916

SHA256
990917b831c4357cc420c77f732832f1a3ab0764804821d46ea494358f4d47bf

SHA512
84f79aa387e3c2f22178fa31a90ce75034ab2c70ea404049265cb6615a71341845463b1ceeca6d0eebfdef33e07d8d1820a0fb62b4598249a8b709dbf916961c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_et051ngn.0lh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\y10iophq\y10iophq.dll

Filesize
41KB

MD5
35e1eebc23c6668f0ad0d421f4e75c9d

SHA1
80dcf4859c9942cb0557b26648150558e1ab6aa6

SHA256
b93bddadbc8c432af9be2adb8a2765725f9018359a1bf5d95031c67d694c6028

SHA512
59056d8850ca5824fa35206b21db546343bf57c701fbd5c8d96d70a622c3673083a268b973b26ff4a33472d0aebad71a279f7886b2772e8a3ddc10a84e8b9cbf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y10iophq\CSCF672D0E841FA4DD882B6767DAC3FA92.TMP

Filesize
652B

MD5
3a74ccb51a2731dcc16722385d19f900

SHA1
ad15dd7610f5beec5afe9c3b7990883cb88e33f3

SHA256
0360dbdac2ee7ad9181f9a04731d80af4cc3b807bbf1ac90e832a5b580357d92

SHA512
950b0aaee02065796f44647a5bc44852c2474c992d2486ecd2ebedba9fab8f5109aa729dc211460cbea51cbe6aca1924c24968c44a0db23cbd89dae1af67848f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y10iophq\y10iophq.0.cs

Filesize
101KB

MD5
cba2847534e58636a5292dc393b45fdd

SHA1
ffd2fc63507cfee641ba53038d3f017a6ededbee

SHA256
33561d11060d90e7a1d49d19e395fd943c2500af98521412d2390b43b6cec6bd

SHA512
1b9bd2957ffe364788abcca1d90f2deb4634c89eea0a07e6a203573ed606df95b3e28ce41de038badaef674b2a8606fb8370abb3d9697b45f80f82d5e89ec1d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y10iophq\y10iophq.cmdline

Filesize
204B

MD5
91b485dd48d6754daa7751650b5bc05f

SHA1
0b1edb8ac47da4709f417eaed7e0f040ff5f3508

SHA256
b1cc745e69aa30c86c780def21a950b37b0a462ff8a45df5e6f76afac398c231

SHA512
7dff924daccdf1a3e8628ffab7510edbe334e49d66298dc102083436de3132ac86883f8e1e4a2fdf8bf39f5b2cb630f0ae59e76b325b3b0134da058b0d63f554

Download Submit
memory/448-33-0x0000000005660000-0x00000000056FC000-memory.dmp

Filesize
624KB

Download
memory/448-34-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/448-39-0x0000000006DB0000-0x0000000007354000-memory.dmp

Filesize
5.6MB

Download
memory/448-38-0x0000000006760000-0x00000000067F2000-memory.dmp

Filesize
584KB

Download
memory/448-37-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/448-36-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

Filesize
4KB

Download
memory/448-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/448-35-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/448-32-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

Filesize
4KB

Download
memory/1740-1-0x0000018DBFB60000-0x0000018DBFB82000-memory.dmp

Filesize
136KB

Download
memory/1740-0-0x00007FF92EB63000-0x00007FF92EB65000-memory.dmp

Filesize
8KB

Download
memory/1740-31-0x00007FF92EB60000-0x00007FF92F621000-memory.dmp

Filesize
10.8MB

Download
memory/1740-26-0x0000018DBFBB0000-0x0000018DBFBC0000-memory.dmp

Filesize
64KB

Download
memory/1740-13-0x0000018DD8BD0000-0x0000018DD8C24000-memory.dmp

Filesize
336KB

Download
memory/1740-11-0x00007FF92EB60000-0x00007FF92F621000-memory.dmp

Filesize
10.8MB

Download
memory/1740-12-0x00007FF92EB60000-0x00007FF92F621000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing