xworm | ccc270754c9759f623d9ec2f08ca17d960290e60f6c332f0682c9dc6c02d1141

General

Target

a.ps1
Size

779B
MD5

209a0dcfb7e176365dc8f9a00dec716a
SHA1

aac44bda989e764f25277e7ed2b6680c781d704e
SHA256

ccc270754c9759f623d9ec2f08ca17d960290e60f6c332f0682c9dc6c02d1141
SHA512

354491ae39042832f2b419a85ffbb45e1159a35aa124cfb61c3ec47ba70da176f4bffe1a089f4dfa55ee3f76525cc6f1a204a84b153d44eb143ea6a6780f687b

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.57.221:4414

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4668-26-0x0000015AC2F40000-0x0000015AC2F50000-memory.dmp	family_xworm
behavioral2/files/0x000200000001e72a-25.dat	family_xworm
behavioral2/memory/4368-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	4668	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
6	4668	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4668 set thread context of 4368	4668	powershell.exe	94

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4668	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4668	powershell.exe
4668	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4368	MSBuild.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 4472	4668	powershell.exe	90
PID 4668 wrote to memory of 4472	4668	powershell.exe	90
PID 4472 wrote to memory of 4056	4472	csc.exe	93
PID 4472 wrote to memory of 4056	4472	csc.exe	93
PID 4668 wrote to memory of 4368	4668	powershell.exe	94
PID 4668 wrote to memory of 4368	4668	powershell.exe	94
PID 4668 wrote to memory of 4368	4668	powershell.exe	94
PID 4668 wrote to memory of 4368	4668	powershell.exe	94
PID 4668 wrote to memory of 4368	4668	powershell.exe	94
PID 4668 wrote to memory of 4368	4668	powershell.exe	94
PID 4668 wrote to memory of 4368	4668	powershell.exe	94
PID 4668 wrote to memory of 4368	4668	powershell.exe	94

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\a.ps1
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i4sadzte\i4sadzte.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA604.tmp" "c:\Users\Admin\AppData\Local\Temp\i4sadzte\CSC787DB32BBC694CD19F9970E7C032B08B.TMP"
    3⤵
    PID:4056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA604.tmp

Filesize
1KB

MD5
a71c3a756c467bd879edd58e5b68047f

SHA1
69e66fcd1751ceae6dea4d91f3787c8280637a86

SHA256
7500e829e959dd591ea180707ce41c836f3b579271772fb373daab406c3ef1b4

SHA512
bcb4407fc58ea62175c94733ccfd47410c1c319139f79d6b4434da4130a5ca2d1569c1c846ec908641f624beec48ba901a3d81799b3eb85cac02a5e58e850fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yqcqsilc.buw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4sadzte\i4sadzte.dll

Filesize
42KB

MD5
8f9740cdffa6f16a742ce78a37d5f50a

SHA1
66ea5c325aea18b0fc6e53353402558ea2b9f8ee

SHA256
d72d83107607c55f08a321907f43ae3dda0d6a4c4696d534b4820315272aad5c

SHA512
3cf7e8561ab39b0e1cf1e6cf6d96cb8311aa8edddcb8f3ab56e63d9c6dc526f1413ff2e535ed68cbaa719e8b413e91b6edde5c5d32e839eddf460d23d57f46a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i4sadzte\CSC787DB32BBC694CD19F9970E7C032B08B.TMP

Filesize
652B

MD5
d0bbf07592bbad522b4b0d7aa5f6f2d4

SHA1
e1dbc08964814532867920ce7500c68f44e4ea4e

SHA256
2711ce58f6a46883fece10b72340cd10a3c06b1d0032b268d0833fff461ab9d5

SHA512
a861512742bdd9a2908169ae700c1715be3bc0094487615839021ab8778977cb9dd3a74344bbff752de3d19ad54774bf9860faa3dffb3edd20f7a8edc4e854ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i4sadzte\i4sadzte.0.cs

Filesize
103KB

MD5
992ab26a03ded91714491d267da55fb2

SHA1
25fe04d5493f7e904bd4e64078aa464226e8f393

SHA256
3b18772dbf088171f78cccd3da6fb05f46918b2bafa17ab43ea03ec0507935c1

SHA512
a1dbfd27e02d10e978475bf9c1279c489e1c9febd8456492e2b0d7df33563c4e81cc28e39f6a90aa82cadc06927bce2f831f2089b5e57da4ea89862a6d82ad0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i4sadzte\i4sadzte.cmdline

Filesize
204B

MD5
0f20fc0260915e2602ba4c1459115480

SHA1
83e49a5ce9b4ff7a9b591d65feb71833ee007832

SHA256
908d3e375c372cbc27329f643182bdb9fec011da8ef4613781c928f5c710726d

SHA512
a0f4645aa400e355035a2ba0996453e30df1015beb0c761ae126189b8934c675f08c6713ef7c70cbcf716e177d1e39ef6d2547963a4b05cbe46e9019b3749547

Download Submit
memory/4368-33-0x00000000059D0000-0x0000000005A6C000-memory.dmp

Filesize
624KB

Download
memory/4368-36-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/4368-37-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4368-38-0x0000000006A50000-0x0000000006AE2000-memory.dmp

Filesize
584KB

Download
memory/4368-35-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/4368-39-0x00000000071A0000-0x0000000007744000-memory.dmp

Filesize
5.6MB

Download
memory/4368-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4368-34-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4368-32-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/4668-13-0x0000015AC3A30000-0x0000015AC3A98000-memory.dmp

Filesize
416KB

Download
memory/4668-31-0x00007FFE47F70000-0x00007FFE48A31000-memory.dmp

Filesize
10.8MB

Download
memory/4668-26-0x0000015AC2F40000-0x0000015AC2F50000-memory.dmp

Filesize
64KB

Download
memory/4668-0-0x00007FFE47F73000-0x00007FFE47F75000-memory.dmp

Filesize
8KB

Download
memory/4668-12-0x00007FFE47F70000-0x00007FFE48A31000-memory.dmp

Filesize
10.8MB

Download
memory/4668-2-0x0000015AC2F10000-0x0000015AC2F32000-memory.dmp

Filesize
136KB

Download
memory/4668-11-0x00007FFE47F70000-0x00007FFE48A31000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing