xworm | 17c7d4a3d7d090646721f5a1326955c0c4471450bfb76fdeca9b256680da2e71

General

Target

js.exe
Size

394KB
MD5

fc44a673893daac90d53e63d0f3cba69
SHA1

38476f091d4d53e32abf92cb961f8df5782734cb
SHA256

17c7d4a3d7d090646721f5a1326955c0c4471450bfb76fdeca9b256680da2e71
SHA512

a247d42527e4933e874710fa905a4e248fa3cdc799b863635ebcb6afabcad63b4c61c643a6bd3bc80c242d80b01459517de3bcf4548a77832d19b3a5ba054378
SSDEEP

12288:hQoqIEtLGnkEz0VgXVNX77gBjkgvSoitcOgvFwE0+fubk7IVcHMqXxTU9LiqVDRH:G

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e99b-14.dat	family_xworm
behavioral2/memory/1512-15-0x0000000001680000-0x0000000001690000-memory.dmp	family_xworm
behavioral2/memory/264-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1512 set thread context of 264	1512	js.exe	97

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	js.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	264	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2932	1512	js.exe	94
PID 1512 wrote to memory of 2932	1512	js.exe	94
PID 1512 wrote to memory of 2932	1512	js.exe	94
PID 2932 wrote to memory of 5096	2932	csc.exe	96
PID 2932 wrote to memory of 5096	2932	csc.exe	96
PID 2932 wrote to memory of 5096	2932	csc.exe	96
PID 1512 wrote to memory of 264	1512	js.exe	97
PID 1512 wrote to memory of 264	1512	js.exe	97
PID 1512 wrote to memory of 264	1512	js.exe	97
PID 1512 wrote to memory of 264	1512	js.exe	97
PID 1512 wrote to memory of 264	1512	js.exe	97
PID 1512 wrote to memory of 264	1512	js.exe	97
PID 1512 wrote to memory of 264	1512	js.exe	97
PID 1512 wrote to memory of 264	1512	js.exe	97

C:\Users\Admin\AppData\Local\Temp\js.exe
"C:\Users\Admin\AppData\Local\Temp\js.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\10rksa11\10rksa11.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC94B.tmp" "c:\Users\Admin\AppData\Local\Temp\10rksa11\CSC7E1B8E23125D4563B335C0B531469AA2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10rksa11\10rksa11.dll

Filesize
42KB

MD5
fc2b070bd4d35a7e2555448e751a93c0

SHA1
cf23f5644bcbe888cb958f8667c09aca90ad7f5d

SHA256
785ff6532cea60881dae5953884c0e7407faa223fbcb3b7fd4425766b6121f04

SHA512
8f0546169f822188df9aa0c149b994856b2b9bfc7413114422daa496dcee135fbb5b5e22516ddd1569f0e668c5e4e1c4ae54c9ff3271bf4dc52b164cb7e1fd1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC94B.tmp

Filesize
1KB

MD5
8b8a2718517bf7062c9388c81512736b

SHA1
8370aae431ad0760f2f61bdeeab679d471feb2fa

SHA256
ca2d99058dc96b45e38eaca22667f1e5a18aa8bbad70f6f0bb456277d11ddcd1

SHA512
7fdf6448b68f5536994f9cf2285830a3465fc0b7a9e643fc1603edd4d2797be29d899a8398f0f740c8879c121e01be072c73c3213c83d67ed210d512af10967a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\10rksa11\10rksa11.0.cs

Filesize
103KB

MD5
a85c09b310c91fac493ca2fe00dd2014

SHA1
f00ece43ccdd820892c2c3b0b130baa06113ab61

SHA256
e1ae1da5e7e56c5b43354c7ed2484f5272eb73eedcc02185cc00329ee749bae1

SHA512
6547a8fe570bf00185c44ccb8009dfcdb154e63118c8a2ccb448ae3ce9dd19802a906f34aee0bb4a0e23e5869e67ea001f6d535d928ca42ead582dec0d6667ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\10rksa11\10rksa11.cmdline

Filesize
204B

MD5
2123e562ecc116a418f53221e011ec05

SHA1
9a11afd78e970a5b91213b7c87230448dfe2e5fa

SHA256
1bfe6022c03fc668099b4f1e674a01ebaf409dbdf8200fa4f2778407950e8f8f

SHA512
fde8c0e495de48ee44f799db7ba9a0db44866e73eb68d665750bcfbbb0039f64a86038f3fddaca202c014ab540e63cd10c15cb82f981bd87a5bb277d754520f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\10rksa11\CSC7E1B8E23125D4563B335C0B531469AA2.TMP

Filesize
652B

MD5
7e0ffe04c0abfeaab394bf8586d56290

SHA1
5e8b150299ddc891f055766694cc740da1749340

SHA256
1d41e57a276d6a7423fd792358459fcbdf0ee6bd45710d210ffe251c61ab9df9

SHA512
cc454e15791114168b715deac307692df5f8a4649cd81ac66a14f023f4ccbb5e5e971ecf3abc47f8050068e23123a37259e2b20147808333cdff0e08befdca91

Download Submit
memory/264-20-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/264-24-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/264-27-0x00000000065B0000-0x0000000006B54000-memory.dmp

Filesize
5.6MB

Download
memory/264-26-0x0000000005F60000-0x0000000005FF2000-memory.dmp

Filesize
584KB

Download
memory/264-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/264-25-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/264-21-0x0000000004D10000-0x0000000004DAC000-memory.dmp

Filesize
624KB

Download
memory/264-23-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/264-22-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/1512-0-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/1512-5-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/1512-19-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/1512-15-0x0000000001680000-0x0000000001690000-memory.dmp

Filesize
64KB

Download
memory/1512-1-0x0000000000C80000-0x0000000000CE8000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing