xworm | 713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5

General

Target

yr.exe
Size

394KB
MD5

9daf267f412e5c38116989762a9cf145
SHA1

809fad1c6bf61546ea05188dfedbde4bad0f98a1
SHA256

713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5
SHA512

0115e5c5cfa324615fba5dbc4b9f3c915195f26bfdc1598ebf1bd3291582410f7cee46d2296d34165e9115b4cafcd74e2e88eca55cbdb8a8009901b9d8ffd88b
SSDEEP

12288:TxjwN1WoADQEwTKOZ2+i/qW83wfeuLhDhyO6T1GdcdcgL5i:d

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.57.221:4414

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b42-14.dat	family_xworm
behavioral2/memory/4396-15-0x00000000009F0000-0x0000000000A00000-memory.dmp	family_xworm
behavioral2/memory/2028-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4396 set thread context of 2028	4396	yr.exe	96

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 2996	4396	yr.exe	93
PID 4396 wrote to memory of 2996	4396	yr.exe	93
PID 4396 wrote to memory of 2996	4396	yr.exe	93
PID 2996 wrote to memory of 5052	2996	csc.exe	95
PID 2996 wrote to memory of 5052	2996	csc.exe	95
PID 2996 wrote to memory of 5052	2996	csc.exe	95
PID 4396 wrote to memory of 2028	4396	yr.exe	96
PID 4396 wrote to memory of 2028	4396	yr.exe	96
PID 4396 wrote to memory of 2028	4396	yr.exe	96
PID 4396 wrote to memory of 2028	4396	yr.exe	96
PID 4396 wrote to memory of 2028	4396	yr.exe	96
PID 4396 wrote to memory of 2028	4396	yr.exe	96
PID 4396 wrote to memory of 2028	4396	yr.exe	96
PID 4396 wrote to memory of 2028	4396	yr.exe	96

C:\Users\Admin\AppData\Local\Temp\yr.exe
"C:\Users\Admin\AppData\Local\Temp\yr.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wq4enfxe\wq4enfxe.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3EE.tmp" "c:\Users\Admin\AppData\Local\Temp\wq4enfxe\CSC781F8A5C49B045DEA141C2E79B34E16.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB3EE.tmp

Filesize
1KB

MD5
06170545d5827b3258e5d8178969a4cd

SHA1
73ea8ffbea6b91aa8873ef7d5ffa3be3ead367cd

SHA256
c4a459e6150d5f70b2f6e849ed795038a70b5e2f86cbf8643b66d537f0e8973a

SHA512
c4b9349b257b915eef9d267b4e884d5d2742bf0d9fd6a730980e55aa6345da287a39f2b7cec07b32c8409c5f84adda79d99e79578cc6c78a9d2e673d30bd3daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wq4enfxe\wq4enfxe.dll

Filesize
42KB

MD5
9b872a538e52972e87daf6c5e0a69f82

SHA1
35bc47380e987f199b5bff270f464c28fef8346d

SHA256
be707b5b594bb06768de0c9469ec1ea3646830b46788a722cc3b5764041fa5b5

SHA512
41ec66431f868c9830624f9e358dea9a305215a8908cc666fa4df1c48bc22f27113331cd622f82dedc04264f0bb541016e3e660ecc10c74d5bd74a0953a40713

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wq4enfxe\CSC781F8A5C49B045DEA141C2E79B34E16.TMP

Filesize
652B

MD5
cd98d017ff056138f48287e31d69f015

SHA1
af092f0f1771e4afda9be400f0906ea3e0c3dae5

SHA256
21b3abb777265f54361c1e10755cba214cbb94f90bdf06f15060d05f1bc43e89

SHA512
29e2e94004d44878d5d194155f9e7ba276585c24f4510b824ae2672fe1ad22e563b96cb8abcc1b04d1259c8fe985ba91f400e2dc9dbc75b1f7eae20e5489d860

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wq4enfxe\wq4enfxe.0.cs

Filesize
103KB

MD5
992ab26a03ded91714491d267da55fb2

SHA1
25fe04d5493f7e904bd4e64078aa464226e8f393

SHA256
3b18772dbf088171f78cccd3da6fb05f46918b2bafa17ab43ea03ec0507935c1

SHA512
a1dbfd27e02d10e978475bf9c1279c489e1c9febd8456492e2b0d7df33563c4e81cc28e39f6a90aa82cadc06927bce2f831f2089b5e57da4ea89862a6d82ad0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wq4enfxe\wq4enfxe.cmdline

Filesize
204B

MD5
e3c514e7dc2ba517226bac5579423f84

SHA1
c59cd6840c763664c335cd26034b0a1af7ac4e2a

SHA256
11ad7d4ab48fc32af1a17f927dbc07b77d403df40adda9f6d29ae06f3bf44ee1

SHA512
03f425248ef633147a80d7800b85a9796a31bcd51c42b61bedd04a990f04376e7d773ed1ed8778b3f8fe864ca7ddef58c32d837b152cda1f0209e8a9827d6383

Download Submit
memory/2028-21-0x0000000004FA0000-0x000000000503C000-memory.dmp

Filesize
624KB

Download
memory/2028-24-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/2028-27-0x0000000006660000-0x0000000006C04000-memory.dmp

Filesize
5.6MB

Download
memory/2028-26-0x0000000006010000-0x00000000060A2000-memory.dmp

Filesize
584KB

Download
memory/2028-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2028-20-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/2028-25-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/2028-23-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/2028-22-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/4396-0-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

Filesize
4KB

Download
memory/4396-5-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/4396-19-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/4396-15-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/4396-1-0x00000000000F0000-0x0000000000158000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing