xworm | a3b2fdc9903049997ece0fd5ae96922642477a8ad822c9d8a53d574b8459aca5

General

Target

matrixnew mapper.exe
Size

4.5MB
MD5

2661e9a9b063a4d7a96686aa8e4ffa04
SHA1

cf6af9701e80fb8000f0820e649e9683f7e0e659
SHA256

a3b2fdc9903049997ece0fd5ae96922642477a8ad822c9d8a53d574b8459aca5
SHA512

6bda80210f421d64d8a954564689bdb3fc8f8e229e748c0aca846e9ae2f2b7bf24533a85ba22d0d2771f36a88e38d5918b9b387a6224f83301f5eda70bd3bf83
SSDEEP

98304:j8E/0PCfmKGyVXme/TglieUxwXvsmpvMvdDXieB:4NPCRGyvslieUcOvdDXiS

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

paul-nw.gl.at.ply.gg:51413

Mutex

AVvzTAnLyW8qQCcO

Attributes

Install_directory
%AppData%
install_file
kev.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000027ca7-42.dat	family_xworm
behavioral1/memory/3284-52-0x00000000002D0000-0x00000000002E0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	newuimatrix.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Control Panel\International\Geo\Nation	matrixnew mapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Control Panel\International\Geo\Nation	-.exe

Executes dropped EXE 3 IoCs

pid	Process
4256	newuimatrix.exe
1988	-.exe
3284	.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
28	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4256	newuimatrix.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4256	newuimatrix.exe
4256	newuimatrix.exe
4256	newuimatrix.exe
4256	newuimatrix.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	-.exe
Token: SeDebugPrivilege	3284	.exe
Token: SeDebugPrivilege	4256	newuimatrix.exe
Token: SeDebugPrivilege	4256	newuimatrix.exe
Token: SeLoadDriverPrivilege	4256	newuimatrix.exe
Token: SeShutdownPrivilege	3632	Process not Found
Token: SeCreatePagefilePrivilege	3632	Process not Found
Token: SeShutdownPrivilege	3632	Process not Found
Token: SeCreatePagefilePrivilege	3632	Process not Found
Token: SeShutdownPrivilege	3632	Process not Found
Token: SeCreatePagefilePrivilege	3632	Process not Found
Token: SeShutdownPrivilege	3632	Process not Found
Token: SeCreatePagefilePrivilege	3632	Process not Found
Token: SeShutdownPrivilege	3632	Process not Found
Token: SeCreatePagefilePrivilege	3632	Process not Found
Token: SeShutdownPrivilege	3632	Process not Found
Token: SeCreatePagefilePrivilege	3632	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 4256	2348	matrixnew mapper.exe	84
PID 2348 wrote to memory of 4256	2348	matrixnew mapper.exe	84
PID 2348 wrote to memory of 1988	2348	matrixnew mapper.exe	86
PID 2348 wrote to memory of 1988	2348	matrixnew mapper.exe	86
PID 1988 wrote to memory of 3284	1988	-.exe	87
PID 1988 wrote to memory of 3284	1988	-.exe	87

C:\Users\Admin\AppData\Local\Temp\matrixnew mapper.exe
"C:\Users\Admin\AppData\Local\Temp\matrixnew mapper.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\newuimatrix.exe
  "C:\Users\Admin\AppData\Local\Temp\newuimatrix.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4256
- C:\Users\Admin\AppData\Local\Temp\-.exe
  "C:\Users\Admin\AppData\Local\Temp\-.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\.exe
    "C:\Users\Admin\AppData\Local\Temp\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-.exe

Filesize
428KB

MD5
4e4ef72e167c726a5918dd38c9ec901d

SHA1
0d6502c6c0e0e60be7883ea09514b0bd1a1dd1bc

SHA256
17bfc5e52bc85dfafe14e428825ae1b36bd9f016c0a26dc2049057e4a4d71e69

SHA512
c86161039a7c09bb28614a62f40b34b27f0894fc84ed60ef24919048e0aeebaa0ebe00cd4d5cf2a4537f0f09df2ee3eae666c1ce4ae93711e362ca6591e74f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
37KB

MD5
01f86862e5a3fab03f886eb19089da95

SHA1
8749ecbbac9f911deaee8d5530ef644ca0270258

SHA256
ecfb4e772dd3be3c70e2833558b53c9352466ef193694a32a2a6e4926d810d81

SHA512
c03771ab0e115c95c2af29f1ec3e331e90bac38074bd1eeda741a6e9f4f93d7cf55dd2a6354219886e50055730c10a363f264eeadcb2c06a1fd06a3670e41a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\newuimatrix.exe

Filesize
4.1MB

MD5
f749fcc1351aadd81b6775332859fff7

SHA1
d774f21509b2e96ae96c08824387c353d8b5bca2

SHA256
fa1c0114aca150636c782bf0a161aa46059827ba4690090cf5fe076ffc50d82e

SHA512
434a5fa21e0e138945382398726540393308b4eccb7e3b42f557c6683fd39b519e7d8dc507c73e4fac14c961776d6d938406b07bbf7b14f2f4f15a6f41b090fe

Download Submit
memory/1988-34-0x00007FF99AF60000-0x00007FF99B901000-memory.dmp

Filesize
9.6MB

Download
memory/1988-36-0x000000001DC00000-0x000000001E0CE000-memory.dmp

Filesize
4.8MB

Download
memory/1988-29-0x00007FF99B215000-0x00007FF99B216000-memory.dmp

Filesize
4KB

Download
memory/1988-30-0x00007FF99AF60000-0x00007FF99B901000-memory.dmp

Filesize
9.6MB

Download
memory/1988-31-0x00007FF99AF60000-0x00007FF99B901000-memory.dmp

Filesize
9.6MB

Download
memory/1988-32-0x00007FF99AF60000-0x00007FF99B901000-memory.dmp

Filesize
9.6MB

Download
memory/1988-33-0x00007FF99AF60000-0x00007FF99B901000-memory.dmp

Filesize
9.6MB

Download
memory/1988-80-0x00007FF99AF60000-0x00007FF99B901000-memory.dmp

Filesize
9.6MB

Download
memory/1988-35-0x000000001C1C0000-0x000000001C266000-memory.dmp

Filesize
664KB

Download
memory/1988-37-0x000000001C370000-0x000000001C40C000-memory.dmp

Filesize
624KB

Download
memory/2348-1-0x0000000000CA0000-0x0000000001124000-memory.dmp

Filesize
4.5MB

Download
memory/2348-0-0x00007FF99E7C3000-0x00007FF99E7C5000-memory.dmp

Filesize
8KB

Download
memory/3284-52-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/4256-24-0x00007FF6FC670000-0x00007FF6FCA84000-memory.dmp

Filesize
4.1MB

Download
memory/4256-69-0x00000184F0B80000-0x00000184F0B81000-memory.dmp

Filesize
4KB

Download
memory/4256-68-0x00000184EFF50000-0x00000184F0B6C000-memory.dmp

Filesize
12.1MB

Download
memory/4256-70-0x00000184EFF50000-0x00000184F0B6C000-memory.dmp

Filesize
12.1MB

Download
memory/4256-73-0x00000184EFF50000-0x00000184F0B6C000-memory.dmp

Filesize
12.1MB

Download
memory/4256-81-0x00007FF6FC670000-0x00007FF6FCA84000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing