xworm | 8b55f3a58422ac0e9d0808e5f909c7666ff2e35cf42ef486639b271a263d4a05

General

Target

ExcellentPc.exe
Size

3.8MB
MD5

c442314955c838b624c2e192bf5047b8
SHA1

aec181fb91ddbaccce6446e6cb13b1cc7bf3dbc1
SHA256

8b55f3a58422ac0e9d0808e5f909c7666ff2e35cf42ef486639b271a263d4a05
SHA512

f99c3c47fb540ad2cfdfb94fcee42344a33ac5504e2dae2f553fb62192fd5b5ffff9d7a44a806e9969d83788b5297a44228c15ab899a272904042b948bc5bd93
SSDEEP

98304:ZF2Vfe+gLUCd7gRkBokvNc8hYLbnkKy6H960sUUuht:ZFdW6jiHfs1Wt

Score

10^/10

xworm discovery rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

C2

cameras-happen.gl.at.ply.gg:23386

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023c00-4.dat	family_xworm
behavioral2/memory/1672-17-0x0000000000FA0000-0x0000000000FB8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
42	2964	setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	ExcellentPc.exe

Executes dropped EXE 5 IoCs

pid	Process
1672	Excellent.exe
3528	OperaGXSetup (1).exe
2964	setup.exe
4988	setup.exe
4056	setup.exe

Loads dropped DLL 3 IoCs

pid	Process
2964	setup.exe
4988	setup.exe
4056	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExcellentPc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4988	setup.exe
4988	setup.exe
4988	setup.exe
4988	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	Excellent.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2964	setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 1672	4016	ExcellentPc.exe	85
PID 4016 wrote to memory of 1672	4016	ExcellentPc.exe	85
PID 4016 wrote to memory of 3528	4016	ExcellentPc.exe	86
PID 4016 wrote to memory of 3528	4016	ExcellentPc.exe	86
PID 4016 wrote to memory of 3528	4016	ExcellentPc.exe	86
PID 3528 wrote to memory of 2964	3528	OperaGXSetup (1).exe	89
PID 3528 wrote to memory of 2964	3528	OperaGXSetup (1).exe	89
PID 3528 wrote to memory of 2964	3528	OperaGXSetup (1).exe	89
PID 2964 wrote to memory of 4988	2964	setup.exe	91
PID 2964 wrote to memory of 4988	2964	setup.exe	91
PID 2964 wrote to memory of 4988	2964	setup.exe	91
PID 2964 wrote to memory of 4056	2964	setup.exe	92
PID 2964 wrote to memory of 4056	2964	setup.exe	92
PID 2964 wrote to memory of 4056	2964	setup.exe	92

C:\Users\Admin\AppData\Local\Temp\ExcellentPc.exe
"C:\Users\Admin\AppData\Local\Temp\ExcellentPc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Users\Admin\AppData\Local\Temp\Excellent.exe
  "C:\Users\Admin\AppData\Local\Temp\Excellent.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (1).exe
  "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\7zS8CD78ED7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS8CD78ED7\setup.exe --server-tracking-blob=MzdkM2I5YTZlZTlkZDJjYjljNDk2YjEwMDk1NDQ1NjZhZWJjMzNhYTRhNjRjYzA0YjY0OWRiMDc1YjM3YmQ3NTp7ImNvdW50cnkiOiJSVSIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9SVV9IVlJfOTM5Nl9XRUJfMzk4NSZlZGl0aW9uPXN0ZC0yJnV0bV9pZD1kMGQyZjJmNjkzNGM0Y2ZkOTY2N2Q4ZTEwNjMyM2VmMCZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmdldCUyRm9wZXJhLWd4JTNGdXRtX3NvdXJjZSUzRFBXTmdhbWVzJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEUFdOX1JVX0hWUl85Mzk2X1dFQl8zOTg1JTI2dXRtX2lkJTNEZDBkMmYyZjY5MzRjNGNmZDk2NjdkOGUxMDYzMjNlZjAlMjZlZGl0aW9uJTNEc3RkLTImdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZnZXQlMkZvcGVyYS1neCZ1dG1faWQ9ZDBkMmYyZjY5MzRjNGNmZDk2NjdkOGUxMDYzMjNlZjAmZGxfdG9rZW49NDA4MjU4NjMiLCJ0aW1lc3RhbXAiOiIxNzQwNjY0ODM5LjY1MDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTMyLjAuMC4wIFlhQnJvd3Nlci8yNS4yLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX1JVX0hWUl85Mzk2X1dFQl8zOTg1IiwiaWQiOiJkMGQyZjJmNjkzNGM0Y2ZkOTY2N2Q4ZTEwNjMyM2VmMCIsImxhc3RwYWdlIjoib3BlcmEuY29tL2dldC9vcGVyYS1neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiJiZWFiZjE2NC05MzQ3LTRjOGYtYTA4Yy03M2M0Yzc0ZGExZTEifQ==
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\7zS8CD78ED7\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS8CD78ED7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=116.0.5366.148 --initial-client-data=0x324,0x328,0x32c,0x320,0x330,0x74ea30ac,0x74ea30b8,0x74ea30c4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8CD78ED7\setup.exe

Filesize
7.3MB

MD5
ccba9deda7c10dd73610e4e941876488

SHA1
f297c723ea2e3a66036277bf947aa0fe2eb88107

SHA256
0541d2511b1983b854b1ea51466c48b9022e68bf244de91317b9df0ccf32e6d3

SHA512
79451a43e2e9ad323c99291e91ddf0fd2ef0392934e4204a1ef1e765c20a02ddb9396c179a9a3bd1cf6a42b00b7b2ba18747a0683603f3bab4ee356dc1d31145

Download Submit
C:\Users\Admin\AppData\Local\Temp\Excellent.exe

Filesize
74KB

MD5
adea56183989cfa7f4024f91b50529e3

SHA1
1c8fbb32af7914d6c80b753e452313c07d9f5d94

SHA256
64817bd012bc473d52eb38eb9e32f1169f16d784bddcd7070be0ba2c64bb0137

SHA512
d0be77d5822d664a6cc2a73c2425cbb34c1c901d517d47734016be46403bf360f08c84d679d14f3fe92d96a37e293a714277e9aec440e3006dfba28fc66648e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (1).exe

Filesize
3.8MB

MD5
2935b63c6a377520c4ef0217a3d1a3ed

SHA1
e04efa1d2d6186e9a881895e4c2238c9844eea96

SHA256
7b966799aa2b2aa182016de05942391f1ce5877d151dc3a657424ccab9e7457e

SHA512
a9858a5d684167b8ce37469ba1f4d383b9d3a1cff6d2839e9c6a3fe0a793e48392b6fbb64854e97575ba430800accecd0f25a4528a665ad38fe31a632611b390

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2502281549097602964.dll

Filesize
6.8MB

MD5
d9e515822bdbf7ecfe5dacb7b8b125a1

SHA1
fcfe8bb7087c258098d4fce427e17d6457b7523c

SHA256
3d0d66d26aaca32ec51a8785b4bfefd6eabe0c3d1f2f8def56607cb488d74811

SHA512
2b6b08aeef44543ffb277ae27626f4329d38cb581a9af2a084a3b137de098d10cb07090f843b0a1a8201d5a26915aa6db1a30cd71da4cf4cac73aee124f314bc

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\reports\4e25f2c9-0371-4a66-a7ab-5403f6ebe0a8.dmp

Filesize
1.3MB

MD5
3a1e14a76786f81a7b684835ced0a4f4

SHA1
d235c51e70dd369ef3360708fa4230d9d50fb0d8

SHA256
ae389f399c7e965d984d3df4508d8bd9f0fbc9528731df8074b25b641e7e3983

SHA512
e906b6da0c48a5e915f576dba39dde31b46fbf45d4383be8719f0afa55e0fa8d438a37a86c0acc01f676d1bcd1d42a2608f8bea8e9ccaa58b5a4e51f9f88cfad

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
c40c7d213d36a57aded35293c720a50a

SHA1
47304e97176435877faecff02bdfc0fa46900db0

SHA256
9c0d764bb7ba87099d72d344d4305583a34f42a00d2b4f465e028feea68a8c23

SHA512
8e4658e3d7c9385a60195f373f55aaac66fc2f47c82dc71fa1e09344484ad628f456c69c7f246bc144612c330f78120abe851c9e48a87c769748fcae7b261fb7

Download Submit
memory/1672-12-0x00007FF9352E3000-0x00007FF9352E5000-memory.dmp

Filesize
8KB

Download
memory/1672-17-0x0000000000FA0000-0x0000000000FB8000-memory.dmp

Filesize
96KB

Download
memory/1672-90-0x00007FF9352E0000-0x00007FF935DA1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-91-0x00007FF9352E0000-0x00007FF935DA1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads