xworm | 17c7d4a3d7d090646721f5a1326955c0c4471450bfb76fdeca9b256680da2e71

General

Target

js.exe
Size

394KB
MD5

fc44a673893daac90d53e63d0f3cba69
SHA1

38476f091d4d53e32abf92cb961f8df5782734cb
SHA256

17c7d4a3d7d090646721f5a1326955c0c4471450bfb76fdeca9b256680da2e71
SHA512

a247d42527e4933e874710fa905a4e248fa3cdc799b863635ebcb6afabcad63b4c61c643a6bd3bc80c242d80b01459517de3bcf4548a77832d19b3a5ba054378
SSDEEP

12288:hQoqIEtLGnkEz0VgXVNX77gBjkgvSoitcOgvFwE0+fubk7IVcHMqXxTU9LiqVDRH:G

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d1f-14.dat	family_xworm
behavioral1/memory/2652-15-0x0000000000240000-0x0000000000250000-memory.dmp	family_xworm
behavioral1/memory/2772-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2772-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2772-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2772-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2772-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2652 set thread context of 2772	2652	js.exe	34

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	js.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2652	js.exe
2652	js.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	js.exe
Token: SeDebugPrivilege	2772	MSBuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2756	2652	js.exe	30
PID 2652 wrote to memory of 2756	2652	js.exe	30
PID 2652 wrote to memory of 2756	2652	js.exe	30
PID 2652 wrote to memory of 2756	2652	js.exe	30
PID 2756 wrote to memory of 2052	2756	csc.exe	32
PID 2756 wrote to memory of 2052	2756	csc.exe	32
PID 2756 wrote to memory of 2052	2756	csc.exe	32
PID 2756 wrote to memory of 2052	2756	csc.exe	32
PID 2652 wrote to memory of 2840	2652	js.exe	33
PID 2652 wrote to memory of 2840	2652	js.exe	33
PID 2652 wrote to memory of 2840	2652	js.exe	33
PID 2652 wrote to memory of 2840	2652	js.exe	33
PID 2652 wrote to memory of 2772	2652	js.exe	34
PID 2652 wrote to memory of 2772	2652	js.exe	34
PID 2652 wrote to memory of 2772	2652	js.exe	34
PID 2652 wrote to memory of 2772	2652	js.exe	34
PID 2652 wrote to memory of 2772	2652	js.exe	34
PID 2652 wrote to memory of 2772	2652	js.exe	34
PID 2652 wrote to memory of 2772	2652	js.exe	34
PID 2652 wrote to memory of 2772	2652	js.exe	34
PID 2652 wrote to memory of 2772	2652	js.exe	34

C:\Users\Admin\AppData\Local\Temp\js.exe
"C:\Users\Admin\AppData\Local\Temp\js.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oua5vsmi\oua5vsmi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB08.tmp" "c:\Users\Admin\AppData\Local\Temp\oua5vsmi\CSC8C3F8CBA8D45473380AEC8D36676F31E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB08.tmp

Filesize
1KB

MD5
61a383184bdad1198b4b7d2287505013

SHA1
0e0bc6d1b7b2682061519c9e2175b6360d7b9049

SHA256
35d1873d83dd75470e99e3e55c48dff13d2600721afec3b06d492fa1d04c9049

SHA512
5144b1a987ca1e348ba287292e8d8e0d46f0fd306cd5e80609ce07a2caa8f24d2086b36adb624549abd77a800cbe5c889a939409ec92dbeb2bffbb5259f98449

Download Submit
C:\Users\Admin\AppData\Local\Temp\oua5vsmi\oua5vsmi.dll

Filesize
42KB

MD5
99f4f729b41e323bff4caa97a7440d28

SHA1
caccb2579539dfde613ab2f871a365000b7f41d6

SHA256
44d491c5dc31f7ba80d2b490f76c0c8d25609d50ac9819c9a783642cc660e066

SHA512
fc984194cad1638bd3248d406f705704322ef3a98535f1ae8004c9cfe81581d4537bc6e23d5d91b70e367230d2ec4ee7ee0476af5f8ce739d0365f23ee6e9860

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oua5vsmi\CSC8C3F8CBA8D45473380AEC8D36676F31E.TMP

Filesize
652B

MD5
93825318cad42312644a0f963689e6c5

SHA1
23a70237b69fd235f7055a3ac006a990d6b51c07

SHA256
8ef178af29949c86adc3e905808acb0073e75b346a81e0ee05d847b41c3dafe8

SHA512
031a7e48bf559da3640f7fba7880df681b2c5d1e847731816af298805d09a421419bacd0ab618cb0bd3bdc15f7a5582718b8fb80f4dd526291b2d1d2a3eae839

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oua5vsmi\oua5vsmi.0.cs

Filesize
103KB

MD5
a85c09b310c91fac493ca2fe00dd2014

SHA1
f00ece43ccdd820892c2c3b0b130baa06113ab61

SHA256
e1ae1da5e7e56c5b43354c7ed2484f5272eb73eedcc02185cc00329ee749bae1

SHA512
6547a8fe570bf00185c44ccb8009dfcdb154e63118c8a2ccb448ae3ce9dd19802a906f34aee0bb4a0e23e5869e67ea001f6d535d928ca42ead582dec0d6667ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oua5vsmi\oua5vsmi.cmdline

Filesize
204B

MD5
fd87e27e09c75625bb61769ae0821333

SHA1
d7c0645e8c6fa964387701ec08d3d7177fe732bb

SHA256
bea688a5a8c0b830832de1c62ca949b6f9d566bfd89925b39b1b6641d47edf72

SHA512
dd9f7694196fcee044d6d6a29885f280baeb8d6d4f6fd768687d20569005c14fe023a8d406d8aa39d242dc7e49d2b4475961953513d2be44bd400e0aa2f2806c

Download Submit
memory/2652-0-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/2652-1-0x00000000012C0000-0x0000000001328000-memory.dmp

Filesize
416KB

Download
memory/2652-5-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-15-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2652-28-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2772-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2772-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2772-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2772-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2772-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2772-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2772-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2772-29-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-30-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing