xworm | 4ba863fc0a1da38b5e9e987e7e36cf0b7a8dfb6eebab1fd4eb09c8c1b7e4815d

General

Target

we.exe
Size

313KB
MD5

d1cc6b6a0bf9c9a89341eea7633f00bc
SHA1

ff6f84b71ffdc05af654ecf28006206eeff0afcf
SHA256

4ba863fc0a1da38b5e9e987e7e36cf0b7a8dfb6eebab1fd4eb09c8c1b7e4815d
SHA512

dd73988ad22265d200da041d7b73af917f6e65642dda175759c6649a49cc7bfabc01493aa6938a3b987b88f4f8f5e81969ec60879141931e2d01e7a74a4a29fc
SSDEEP

6144:viC0I27yJtJ71HfdgwBBArJW2ZTTdPDu8r6SE:vR0HIJR/dgwArJW2ZTTd6eE

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.211:4444

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023c45-14.dat	family_xworm
behavioral2/memory/4988-15-0x0000000002970000-0x0000000002980000-memory.dmp	family_xworm
behavioral2/memory/2292-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4988 set thread context of 2292	4988	we.exe	92

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	we.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4992	4988	we.exe	89
PID 4988 wrote to memory of 4992	4988	we.exe	89
PID 4988 wrote to memory of 4992	4988	we.exe	89
PID 4992 wrote to memory of 2852	4992	csc.exe	91
PID 4992 wrote to memory of 2852	4992	csc.exe	91
PID 4992 wrote to memory of 2852	4992	csc.exe	91
PID 4988 wrote to memory of 2292	4988	we.exe	92
PID 4988 wrote to memory of 2292	4988	we.exe	92
PID 4988 wrote to memory of 2292	4988	we.exe	92
PID 4988 wrote to memory of 2292	4988	we.exe	92
PID 4988 wrote to memory of 2292	4988	we.exe	92
PID 4988 wrote to memory of 2292	4988	we.exe	92
PID 4988 wrote to memory of 2292	4988	we.exe	92
PID 4988 wrote to memory of 2292	4988	we.exe	92

C:\Users\Admin\AppData\Local\Temp\we.exe
"C:\Users\Admin\AppData\Local\Temp\we.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v0d3ejbi\v0d3ejbi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC0F.tmp" "c:\Users\Admin\AppData\Local\Temp\v0d3ejbi\CSC3EF18CFDBE544570846D9297F31E8F9C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAC0F.tmp

Filesize
1KB

MD5
7d9263cc98f3146db36350a479e535ff

SHA1
7023ba2ee68bfc864a0ed35e08731d8d5129e8d4

SHA256
00570b10ebbbf0d8c708f513541231f619b144e9ef9100193b07f5a708f66267

SHA512
5a8cef4cdc73378e0913c52cfaeed1ba4b859d655162d6e8239a13a0b94dcf7bed8a5d8e542e61a7f22ffcf95cda467743746142268422eec9b06fd352588957

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0d3ejbi\v0d3ejbi.dll

Filesize
41KB

MD5
64e2fa338817232085ac61144cad4a20

SHA1
fe439c0fbf551f9deb7242c97fbc0ff6591bb12c

SHA256
b16614c96d8c09a9e65210cf0185af56c7f923ccfa0f14b74f97c4bdb3546e91

SHA512
b6a8364100fb9874167e262ee895467aa6477a3b758705db88bf81864dcf4afe2405cc51071b14512c0152fd81d4af49b4db9f98b4a7f2210da6c5bedf9b14b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v0d3ejbi\CSC3EF18CFDBE544570846D9297F31E8F9C.TMP

Filesize
652B

MD5
bcec11d41f2bc3e6b563c9a5461f836f

SHA1
7a8949b250550f5dd38165cea54436ada1987e8a

SHA256
09769460bfc26e16c82e3a5b9d3d78961ea2b13dc8cb2123a1c4dd55e5e403f3

SHA512
0cd0ee0c90f7551fd395202e90add1430b8eb8835e2ac13a5330f7ab7fd902d9a1b0c331fdc37f5a6d3137e9de6e76c3cd9b9045bc93ca2ff984ce23d6fe1165

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v0d3ejbi\v0d3ejbi.0.cs

Filesize
101KB

MD5
cba2847534e58636a5292dc393b45fdd

SHA1
ffd2fc63507cfee641ba53038d3f017a6ededbee

SHA256
33561d11060d90e7a1d49d19e395fd943c2500af98521412d2390b43b6cec6bd

SHA512
1b9bd2957ffe364788abcca1d90f2deb4634c89eea0a07e6a203573ed606df95b3e28ce41de038badaef674b2a8606fb8370abb3d9697b45f80f82d5e89ec1d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v0d3ejbi\v0d3ejbi.cmdline

Filesize
204B

MD5
cdc0871c86ff78d6f7cabb27089d8e41

SHA1
49df88019f6055b9f71e7c60083e4bf1e54c5dab

SHA256
f7119712d0fd3d4ef128d600489f669e4db7dfbcb0d5d9564ee3ecd0d8678718

SHA512
a915fef82fd52c3a1141f03520fe0aed879ffd50cb396f61d93592f6b67fe8ee69d830fc807dba5e05c41b596807efd4076f6031f273f09ee6474c935d9ae963

Download Submit
memory/2292-21-0x0000000005120000-0x00000000051BC000-memory.dmp

Filesize
624KB

Download
memory/2292-24-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/2292-27-0x0000000006980000-0x0000000006F24000-memory.dmp

Filesize
5.6MB

Download
memory/2292-26-0x0000000006330000-0x00000000063C2000-memory.dmp

Filesize
584KB

Download
memory/2292-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2292-25-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2292-20-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2292-23-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2292-22-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4988-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/4988-5-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4988-19-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4988-15-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/4988-1-0x00000000004E0000-0x0000000000534000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing