xworm | ccc270754c9759f623d9ec2f08ca17d960290e60f6c332f0682c9dc6c02d1141

General

Target

a.ps1
Size

779B
MD5

209a0dcfb7e176365dc8f9a00dec716a
SHA1

aac44bda989e764f25277e7ed2b6680c781d704e
SHA256

ccc270754c9759f623d9ec2f08ca17d960290e60f6c332f0682c9dc6c02d1141
SHA512

354491ae39042832f2b419a85ffbb45e1159a35aa124cfb61c3ec47ba70da176f4bffe1a089f4dfa55ee3f76525cc6f1a204a84b153d44eb143ea6a6780f687b

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.57.221:4414

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022b4f-25.dat	family_xworm
behavioral2/memory/2080-26-0x000002C2C2730000-0x000002C2C2740000-memory.dmp	family_xworm
behavioral2/memory/4352-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2080	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
5	2080	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2080 set thread context of 4352	2080	powershell.exe	96

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2080	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2080	powershell.exe
2080	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	4352	MSBuild.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2548	2080	powershell.exe	93
PID 2080 wrote to memory of 2548	2080	powershell.exe	93
PID 2548 wrote to memory of 1184	2548	csc.exe	95
PID 2548 wrote to memory of 1184	2548	csc.exe	95
PID 2080 wrote to memory of 4352	2080	powershell.exe	96
PID 2080 wrote to memory of 4352	2080	powershell.exe	96
PID 2080 wrote to memory of 4352	2080	powershell.exe	96
PID 2080 wrote to memory of 4352	2080	powershell.exe	96
PID 2080 wrote to memory of 4352	2080	powershell.exe	96
PID 2080 wrote to memory of 4352	2080	powershell.exe	96
PID 2080 wrote to memory of 4352	2080	powershell.exe	96
PID 2080 wrote to memory of 4352	2080	powershell.exe	96

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\a.ps1
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oqa2o05u\oqa2o05u.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC39E.tmp" "c:\Users\Admin\AppData\Local\Temp\oqa2o05u\CSC676EEF80AD7F412BABFD94306BCA72A.TMP"
    3⤵
    PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC39E.tmp

Filesize
1KB

MD5
76cccd40588eba983be739d383256c2d

SHA1
c8f2b4ec469f23106272cce32809f3d91f92d30d

SHA256
675dcb61e98cf62f410b94165e615f80a52e56f6d1290b5b24f95c4626f4b203

SHA512
07a6ebd81d40bd412c05cf758fcd161f5bd8be3e83e6c063f6f06c84dec85b20ff19661e51e3f216d7fd774c5b92115ed3ca3299bb96fac17e3766000857a070

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5ccyg11.qxj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqa2o05u\oqa2o05u.dll

Filesize
42KB

MD5
2e9ca220ac6542facee84931253b6df8

SHA1
95a755b8846bbdb412687d4fbc7421abda0b35ec

SHA256
03079cfb009ff4021ccdaa43dfafad3015086a1f1453617c0f83fe60c5e7e362

SHA512
8458ab489387cf904955140d6710f4d32875ffb2efd53156300c70e669dbca848b82d937f24a7509b237e25f320ec90d228654725c15e8cff6a98c9defb0c648

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oqa2o05u\CSC676EEF80AD7F412BABFD94306BCA72A.TMP

Filesize
652B

MD5
773d2383b6d676c69e2e66cb83938630

SHA1
b874c82bba7442233593f9b2ca4722575e894c98

SHA256
7280fe70143b6df0c5a17d7b657b169df9d08dc8864351a850a2633ab1d4b95c

SHA512
f2e2629a353045f34010ac77b3b3a7b42de0560b4b93e289e15dad6b5ea3ea0a901041c4369401a79310d3c7ed8596c866adfd048125afa47263e9268d4b3941

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oqa2o05u\oqa2o05u.0.cs

Filesize
103KB

MD5
992ab26a03ded91714491d267da55fb2

SHA1
25fe04d5493f7e904bd4e64078aa464226e8f393

SHA256
3b18772dbf088171f78cccd3da6fb05f46918b2bafa17ab43ea03ec0507935c1

SHA512
a1dbfd27e02d10e978475bf9c1279c489e1c9febd8456492e2b0d7df33563c4e81cc28e39f6a90aa82cadc06927bce2f831f2089b5e57da4ea89862a6d82ad0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oqa2o05u\oqa2o05u.cmdline

Filesize
204B

MD5
b3b06352e69755172f009e4cf8216fa5

SHA1
47f11ea04adab2c8c27445a00f1a44b1ea70fd53

SHA256
1cbbd10bf13e3163abb46732189024c44b2495f8783be24f96d9b643c671c7e1

SHA512
88e9dca4710adfab0bcfdecf206688d9f5715a248af896990b2a6aa14496d633baed4980a626321f8393851dd4923625dd72a1cfbf5351d82249c539d1eec5a3

Download Submit
memory/2080-13-0x000002C2C33A0000-0x000002C2C3408000-memory.dmp

Filesize
416KB

Download
memory/2080-31-0x00007FFC08480000-0x00007FFC08F41000-memory.dmp

Filesize
10.8MB

Download
memory/2080-12-0x00007FFC08480000-0x00007FFC08F41000-memory.dmp

Filesize
10.8MB

Download
memory/2080-11-0x00007FFC08480000-0x00007FFC08F41000-memory.dmp

Filesize
10.8MB

Download
memory/2080-10-0x000002C2C2740000-0x000002C2C2762000-memory.dmp

Filesize
136KB

Download
memory/2080-26-0x000002C2C2730000-0x000002C2C2740000-memory.dmp

Filesize
64KB

Download
memory/2080-0-0x00007FFC08483000-0x00007FFC08485000-memory.dmp

Filesize
8KB

Download
memory/4352-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4352-32-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/4352-33-0x0000000005940000-0x00000000059DC000-memory.dmp

Filesize
624KB

Download
memory/4352-34-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4352-35-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/4352-36-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/4352-37-0x0000000006960000-0x00000000069F2000-memory.dmp

Filesize
584KB

Download
memory/4352-38-0x0000000006FB0000-0x0000000007554000-memory.dmp

Filesize
5.6MB

Download
memory/4352-39-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing