xworm | 757af13b416594d65a4c99362a537f13dde2a93b61ec8ba0b939c548b8973186

General

Target

fg.exe
Size

394KB
MD5

ff7bdcc4260a35315c5a59f44fc78126
SHA1

8ca1960bdc5cb8f72fa2735bebc49f47676773c8
SHA256

757af13b416594d65a4c99362a537f13dde2a93b61ec8ba0b939c548b8973186
SHA512

27270cb2803fe88acb58976b8ae8daab249a1110cc8bf574c014d1f49fb1d16b9798fd48341662e2fde88a86e1230a1a8ca6da6b04c5ad51add765739d827db7
SSDEEP

3072:c9apijplAUVMpC5ZgEQLmefWXMRVVmLgP:FijplhMiZgEQaefeyV

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d2c-14.dat	family_xworm
behavioral1/memory/3044-15-0x00000000002E0000-0x00000000002F0000-memory.dmp	family_xworm
behavioral1/memory/2852-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2852-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2852-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2852-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2852-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2852	3044	fg.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2072	3044	fg.exe	30
PID 3044 wrote to memory of 2072	3044	fg.exe	30
PID 3044 wrote to memory of 2072	3044	fg.exe	30
PID 3044 wrote to memory of 2072	3044	fg.exe	30
PID 2072 wrote to memory of 2752	2072	csc.exe	32
PID 2072 wrote to memory of 2752	2072	csc.exe	32
PID 2072 wrote to memory of 2752	2072	csc.exe	32
PID 2072 wrote to memory of 2752	2072	csc.exe	32
PID 3044 wrote to memory of 2852	3044	fg.exe	33
PID 3044 wrote to memory of 2852	3044	fg.exe	33
PID 3044 wrote to memory of 2852	3044	fg.exe	33
PID 3044 wrote to memory of 2852	3044	fg.exe	33
PID 3044 wrote to memory of 2852	3044	fg.exe	33
PID 3044 wrote to memory of 2852	3044	fg.exe	33
PID 3044 wrote to memory of 2852	3044	fg.exe	33
PID 3044 wrote to memory of 2852	3044	fg.exe	33
PID 3044 wrote to memory of 2852	3044	fg.exe	33

C:\Users\Admin\AppData\Local\Temp\fg.exe
"C:\Users\Admin\AppData\Local\Temp\fg.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wvqlvv0c\wvqlvv0c.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30F0.tmp" "c:\Users\Admin\AppData\Local\Temp\wvqlvv0c\CSC567F0D99B5534099955BB1A946B35A12.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES30F0.tmp

Filesize
1KB

MD5
8f24c8724c08f932d156f98de4f52c47

SHA1
83653593f402d4b83326e4e9b4a185c74a446088

SHA256
6d0333780e30bdb2623f1b0ed6239126299a6e3109a6ad3f5e27770ce67a26a8

SHA512
566365ffd566e465c0e034e87f5db9b4809dd55f0e6edaf16e7ba608798269896023dedf049a7515f7e5bed04df1dbc883b3a06f55cf7b774f3acedb44a8bb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvqlvv0c\wvqlvv0c.dll

Filesize
42KB

MD5
c48c46de9b41821d9f0853d731f39699

SHA1
071f0795a5dec225ff159da687e7bffe7af24a5d

SHA256
c4b18d535ef901e16cd8cedf7573a8183356c688627caf67ac25e88cd37e103b

SHA512
7f1c67351543055a51842d9ab847afc245311c8b0ddf4a11862247bd09fbd3d51adc8f50a46fa5d5b19ac28e49c000cb6f8477b74a52a3ea9a0e4bc79a10d472

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wvqlvv0c\CSC567F0D99B5534099955BB1A946B35A12.TMP

Filesize
652B

MD5
8a791c05a2a9320c756c3d4df2138ccf

SHA1
9e78a275f454c38b33cbfeb7fe590b6be65cc72f

SHA256
823c1db0a8d97861f4d5184d60e5a9418ff33ced8524d51a60dcdc5dcc8a7041

SHA512
0f62430a02e87295f8c51e16d566a96d8ac2a71e20ac1b4c230f7ce260e53c06ccc351e06e50efc8ab69e071e2f8bee7d16df50d2b1c9c7796ef91bf248a5f09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wvqlvv0c\wvqlvv0c.0.cs

Filesize
103KB

MD5
410888111f8a84cb88bea4b9876f8150

SHA1
2be368fa85db49d40df8a9346aacfec9c2188cd8

SHA256
edfdbfd4002ea7d3bf87660ad84259b343f2927e9ae31dd36a48dae2547c0adf

SHA512
c33cc37ca495245f0dcc37b0d4e7852d3c9b28fdc240a9bdd634e5b3dce05835d9c306987eae0a65712d29550ca8aeeb1d8708731b73b8551c02d97f4ae6fa06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wvqlvv0c\wvqlvv0c.cmdline

Filesize
204B

MD5
b0c1f5b1a4195ade7eed1a92af85a8ac

SHA1
211f8839fdf2cdebeb0ddee8fc578da25acaac43

SHA256
0f7dcecf455dafc94144d8805d71019c448e87278b182e06add2720d76a4675b

SHA512
6cd8f1d8a10f47930a83170d0b4f14e3789afee0e75d39fb19f3fd63136471b9d94e58d131dd5535b2cab31c3d337b466f343eb8ec2687886843160600e83d62

Download Submit
memory/2852-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-28-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2852-32-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2852-31-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2852-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-30-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2852-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2852-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3044-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/3044-29-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/3044-4-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/3044-15-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/3044-1-0x00000000013A0000-0x0000000001408000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing