xworm | 17c7d4a3d7d090646721f5a1326955c0c4471450bfb76fdeca9b256680da2e71

General

Target

js.exe
Size

394KB
MD5

fc44a673893daac90d53e63d0f3cba69
SHA1

38476f091d4d53e32abf92cb961f8df5782734cb
SHA256

17c7d4a3d7d090646721f5a1326955c0c4471450bfb76fdeca9b256680da2e71
SHA512

a247d42527e4933e874710fa905a4e248fa3cdc799b863635ebcb6afabcad63b4c61c643a6bd3bc80c242d80b01459517de3bcf4548a77832d19b3a5ba054378
SSDEEP

12288:hQoqIEtLGnkEz0VgXVNX77gBjkgvSoitcOgvFwE0+fubk7IVcHMqXxTU9LiqVDRH:G

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023d73-14.dat	family_xworm
behavioral2/memory/2752-15-0x00000000054A0000-0x00000000054B0000-memory.dmp	family_xworm
behavioral2/memory/924-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2752 set thread context of 924	2752	js.exe	93

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	js.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 5024	2752	js.exe	88
PID 2752 wrote to memory of 5024	2752	js.exe	88
PID 2752 wrote to memory of 5024	2752	js.exe	88
PID 5024 wrote to memory of 2584	5024	csc.exe	92
PID 5024 wrote to memory of 2584	5024	csc.exe	92
PID 5024 wrote to memory of 2584	5024	csc.exe	92
PID 2752 wrote to memory of 924	2752	js.exe	93
PID 2752 wrote to memory of 924	2752	js.exe	93
PID 2752 wrote to memory of 924	2752	js.exe	93
PID 2752 wrote to memory of 924	2752	js.exe	93
PID 2752 wrote to memory of 924	2752	js.exe	93
PID 2752 wrote to memory of 924	2752	js.exe	93
PID 2752 wrote to memory of 924	2752	js.exe	93
PID 2752 wrote to memory of 924	2752	js.exe	93

C:\Users\Admin\AppData\Local\Temp\js.exe
"C:\Users\Admin\AppData\Local\Temp\js.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mxcr2x4t\mxcr2x4t.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC49.tmp" "c:\Users\Admin\AppData\Local\Temp\mxcr2x4t\CSC85D5598140AF4A5C9B821281E3251945.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCC49.tmp

Filesize
1KB

MD5
0d408edab24b3a2fcc18ab0a7599d951

SHA1
743b0adfb8a608b882d9645006ff515a2406493a

SHA256
30f6740324c686537341a47fd18f7b39b34afc9a6ab0a58bea37b88a854f5e90

SHA512
b6a4c8ea178adba277948ad4b719f693068a25676e9c4fe7d710f674056dfef94f794f07a8d12dc068347113a6379a154432b236a3ba2579af23b14a85bc9e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxcr2x4t\mxcr2x4t.dll

Filesize
42KB

MD5
3c9d98bba5856463fe703dc2fbfa471b

SHA1
7ce272ef51f8898676be191ca8c3f85c7a8334fb

SHA256
d40f311ae81931cf6c3fac663d5c696d32025c60d5e85b7abcebf416a04734f9

SHA512
0b04256bb2d159ecdcb4682de3cbac810e3c92de1cb3fc5f6af7dcea965c273e3107d7dcf56f4e56c869c993cb4703052d043b6e79b9ce7e42d7845658c04dfb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mxcr2x4t\CSC85D5598140AF4A5C9B821281E3251945.TMP

Filesize
652B

MD5
327853b77b00ed063343288ad747fbb6

SHA1
772ef1694aaf73e90503b08365afe0ef29e5805f

SHA256
6b8935d6dcdb3d9f2f652ce493fbaf2aa0afd6bbd1a9b836e152b28c23467b7f

SHA512
ac1fe04d68ae273aa121db470f47b6fbf7858cbe3cf52efa7e247acd04169261594a28cba34b8dfd29857d7b1165a64b5cb513bdea3054a815011748579884da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mxcr2x4t\mxcr2x4t.0.cs

Filesize
103KB

MD5
a85c09b310c91fac493ca2fe00dd2014

SHA1
f00ece43ccdd820892c2c3b0b130baa06113ab61

SHA256
e1ae1da5e7e56c5b43354c7ed2484f5272eb73eedcc02185cc00329ee749bae1

SHA512
6547a8fe570bf00185c44ccb8009dfcdb154e63118c8a2ccb448ae3ce9dd19802a906f34aee0bb4a0e23e5869e67ea001f6d535d928ca42ead582dec0d6667ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mxcr2x4t\mxcr2x4t.cmdline

Filesize
204B

MD5
4a71ee74565e4a04c9fc4f435fc1751a

SHA1
a520eb5f23b4b2f0cbc0e35f9caa9170d6166a34

SHA256
908cbdf062630461f55bf852a78e46974329571e7d2befce473a387881b1ca2c

SHA512
45bf3f0e420c6bb7502e04c708aabc308089d8efd6eb3313d40256e60426296e00b453de595f9bb999696198d5cd7fa43b0df663957bc19a05450c4a0e2f48dc

Download Submit
memory/924-21-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/924-24-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/924-27-0x0000000006860000-0x0000000006E04000-memory.dmp

Filesize
5.6MB

Download
memory/924-26-0x0000000006210000-0x00000000062A2000-memory.dmp

Filesize
584KB

Download
memory/924-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/924-25-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/924-20-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/924-23-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/924-22-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/2752-0-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

Filesize
4KB

Download
memory/2752-5-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/2752-19-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/2752-15-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/2752-1-0x0000000000B50000-0x0000000000BB8000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing