xworm | 8b55f3a58422ac0e9d0808e5f909c7666ff2e35cf42ef486639b271a263d4a05

General

Target

ExcellentPc.exe
Size

3.8MB
MD5

c442314955c838b624c2e192bf5047b8
SHA1

aec181fb91ddbaccce6446e6cb13b1cc7bf3dbc1
SHA256

8b55f3a58422ac0e9d0808e5f909c7666ff2e35cf42ef486639b271a263d4a05
SHA512

f99c3c47fb540ad2cfdfb94fcee42344a33ac5504e2dae2f553fb62192fd5b5ffff9d7a44a806e9969d83788b5297a44228c15ab899a272904042b948bc5bd93
SSDEEP

98304:ZF2Vfe+gLUCd7gRkBokvNc8hYLbnkKy6H960sUUuht:ZFdW6jiHfs1Wt

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

C2

cameras-happen.gl.at.ply.gg:23386

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012262-3.dat	family_xworm
behavioral1/memory/2832-20-0x0000000000D70000-0x0000000000D88000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
2832	Excellent.exe
2880	OperaGXSetup (1).exe
2844	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
2124	ExcellentPc.exe
2124	ExcellentPc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExcellentPc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup (1).exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	Excellent.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2832	2124	ExcellentPc.exe	30
PID 2124 wrote to memory of 2832	2124	ExcellentPc.exe	30
PID 2124 wrote to memory of 2832	2124	ExcellentPc.exe	30
PID 2124 wrote to memory of 2832	2124	ExcellentPc.exe	30
PID 2124 wrote to memory of 2880	2124	ExcellentPc.exe	31
PID 2124 wrote to memory of 2880	2124	ExcellentPc.exe	31
PID 2124 wrote to memory of 2880	2124	ExcellentPc.exe	31
PID 2124 wrote to memory of 2880	2124	ExcellentPc.exe	31
PID 2124 wrote to memory of 2880	2124	ExcellentPc.exe	31
PID 2124 wrote to memory of 2880	2124	ExcellentPc.exe	31
PID 2124 wrote to memory of 2880	2124	ExcellentPc.exe	31

C:\Users\Admin\AppData\Local\Temp\ExcellentPc.exe
"C:\Users\Admin\AppData\Local\Temp\ExcellentPc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\Excellent.exe
  "C:\Users\Admin\AppData\Local\Temp\Excellent.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (1).exe
  "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\7zS04B7D6E7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS04B7D6E7\setup.exe --server-tracking-blob=MzdkM2I5YTZlZTlkZDJjYjljNDk2YjEwMDk1NDQ1NjZhZWJjMzNhYTRhNjRjYzA0YjY0OWRiMDc1YjM3YmQ3NTp7ImNvdW50cnkiOiJSVSIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9SVV9IVlJfOTM5Nl9XRUJfMzk4NSZlZGl0aW9uPXN0ZC0yJnV0bV9pZD1kMGQyZjJmNjkzNGM0Y2ZkOTY2N2Q4ZTEwNjMyM2VmMCZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmdldCUyRm9wZXJhLWd4JTNGdXRtX3NvdXJjZSUzRFBXTmdhbWVzJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEUFdOX1JVX0hWUl85Mzk2X1dFQl8zOTg1JTI2dXRtX2lkJTNEZDBkMmYyZjY5MzRjNGNmZDk2NjdkOGUxMDYzMjNlZjAlMjZlZGl0aW9uJTNEc3RkLTImdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZnZXQlMkZvcGVyYS1neCZ1dG1faWQ9ZDBkMmYyZjY5MzRjNGNmZDk2NjdkOGUxMDYzMjNlZjAmZGxfdG9rZW49NDA4MjU4NjMiLCJ0aW1lc3RhbXAiOiIxNzQwNjY0ODM5LjY1MDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTMyLjAuMC4wIFlhQnJvd3Nlci8yNS4yLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX1JVX0hWUl85Mzk2X1dFQl8zOTg1IiwiaWQiOiJkMGQyZjJmNjkzNGM0Y2ZkOTY2N2Q4ZTEwNjMyM2VmMCIsImxhc3RwYWdlIjoib3BlcmEuY29tL2dldC9vcGVyYS1neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiJiZWFiZjE2NC05MzQ3LTRjOGYtYTA4Yy03M2M0Yzc0ZGExZTEifQ==
    3⤵
    - Executes dropped EXE
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS04B7D6E7\setup.exe

Filesize
7.3MB

MD5
ccba9deda7c10dd73610e4e941876488

SHA1
f297c723ea2e3a66036277bf947aa0fe2eb88107

SHA256
0541d2511b1983b854b1ea51466c48b9022e68bf244de91317b9df0ccf32e6d3

SHA512
79451a43e2e9ad323c99291e91ddf0fd2ef0392934e4204a1ef1e765c20a02ddb9396c179a9a3bd1cf6a42b00b7b2ba18747a0683603f3bab4ee356dc1d31145

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (1).exe

Filesize
3.8MB

MD5
2935b63c6a377520c4ef0217a3d1a3ed

SHA1
e04efa1d2d6186e9a881895e4c2238c9844eea96

SHA256
7b966799aa2b2aa182016de05942391f1ce5877d151dc3a657424ccab9e7457e

SHA512
a9858a5d684167b8ce37469ba1f4d383b9d3a1cff6d2839e9c6a3fe0a793e48392b6fbb64854e97575ba430800accecd0f25a4528a665ad38fe31a632611b390

Download Submit
\Users\Admin\AppData\Local\Temp\Excellent.exe

Filesize
74KB

MD5
adea56183989cfa7f4024f91b50529e3

SHA1
1c8fbb32af7914d6c80b753e452313c07d9f5d94

SHA256
64817bd012bc473d52eb38eb9e32f1169f16d784bddcd7070be0ba2c64bb0137

SHA512
d0be77d5822d664a6cc2a73c2425cbb34c1c901d517d47734016be46403bf360f08c84d679d14f3fe92d96a37e293a714277e9aec440e3006dfba28fc66648e3

Download Submit
memory/2832-15-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/2832-20-0x0000000000D70000-0x0000000000D88000-memory.dmp

Filesize
96KB

Download
memory/2832-22-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing