xworm | ceb91d9b072597d9adad98e6b7ffc3a6593d362ded0fbe8d1bab4cb8460d3cdf

General

Target

BootstrapperNe.exe
Size

3.0MB
MD5

2db7ca48c2862fe3c8ffefb50b7f975b
SHA1

09e61b2d5d3876fc0c8030e075745f89289fb876
SHA256

ceb91d9b072597d9adad98e6b7ffc3a6593d362ded0fbe8d1bab4cb8460d3cdf
SHA512

d9e937061fc8eabb75068d78863f7045e626ba26261a526bb59b0e2fb0010d38b520c19fad9e8bfc67ee943c4669866970728ae006afd73986fd4af0a3e866fa
SSDEEP

49152:ZirspxuZcd9LG5IUNKbFHEwJSRmM/ZUqz2xZM4REPG5B/V1LUuOfW7eVbEJqMEuU:ZigpxuqdFG5dNKJdJSRmM/uqSxZM4RE+

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:5467

google-rocks.gl.at.ply.gg:5467

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023c66-17.dat	family_xworm
behavioral1/memory/2036-27-0x0000000000250000-0x000000000026A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	BootstrapperNe.exe

Executes dropped EXE 2 IoCs

pid	Process
4084	BootstrapperNew.exe
2036	XSolara.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	XSolara.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 4084	3736	BootstrapperNe.exe	86
PID 3736 wrote to memory of 4084	3736	BootstrapperNe.exe	86
PID 3736 wrote to memory of 2036	3736	BootstrapperNe.exe	87
PID 3736 wrote to memory of 2036	3736	BootstrapperNe.exe	87

C:\Users\Admin\AppData\Local\Temp\BootstrapperNe.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperNe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Users\Admin\AppData\Local\Temp\XSolara.exe
  "C:\Users\Admin\AppData\Local\Temp\XSolara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe

Filesize
2.9MB

MD5
f227cdfd423b3cc03bb69c49babf4da3

SHA1
3db5a97d9b0f2545e7ba97026af6c28512200441

SHA256
cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

SHA512
b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XSolara.exe

Filesize
87KB

MD5
bd130ce57bdd005741ea1de2c87dcb6a

SHA1
bcfcebf6357ba5714d5373b09d84b4b354efb10e

SHA256
ccb4e8281d4e04b75ffb4c7e7bbc5c8073d7f6f027814ebbf2e63e702ae57b4a

SHA512
1ed20f9192901250646f2bb1fab493d6bb01eff344b86ea5f0f5955de7233180ff4386ad3939f50dc3d47ce2facb1422f29d80f6d0672d8a106084fc474e56a3

Download Submit
memory/2036-27-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/2036-45-0x00007FFBF68F0000-0x00007FFBF6AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2036-29-0x00007FFBF68F0000-0x00007FFBF6AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2036-44-0x00007FFBF68F0000-0x00007FFBF6AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3736-1-0x0000000000460000-0x000000000075E000-memory.dmp

Filesize
3.0MB

Download
memory/3736-28-0x00007FFBF68F0000-0x00007FFBF6AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3736-0-0x00007FFBF68F0000-0x00007FFBF6AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4084-34-0x00000208A5CF0000-0x00000208A5CFE000-memory.dmp

Filesize
56KB

Download
memory/4084-40-0x00000208A5E90000-0x00000208A5E9A000-memory.dmp

Filesize
40KB

Download
memory/4084-32-0x00000208A9630000-0x00000208A9638000-memory.dmp

Filesize
32KB

Download
memory/4084-30-0x00007FFBF68F0000-0x00007FFBF6AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4084-33-0x00000208A5D20000-0x00000208A5D58000-memory.dmp

Filesize
224KB

Download
memory/4084-35-0x00000208A5D60000-0x00000208A5E60000-memory.dmp

Filesize
1024KB

Download
memory/4084-36-0x00000208A5D00000-0x00000208A5D0A000-memory.dmp

Filesize
40KB

Download
memory/4084-37-0x00000208A5E60000-0x00000208A5E86000-memory.dmp

Filesize
152KB

Download
memory/4084-38-0x00000208A5EA0000-0x00000208A5EA8000-memory.dmp

Filesize
32KB

Download
memory/4084-31-0x000002088A1D0000-0x000002088A1E0000-memory.dmp

Filesize
64KB

Download
memory/4084-39-0x00000208A5EB0000-0x00000208A5EC6000-memory.dmp

Filesize
88KB

Download
memory/4084-41-0x00000208A5D10000-0x00000208A5D1A000-memory.dmp

Filesize
40KB

Download
memory/4084-42-0x00000208A5EE0000-0x00000208A5EE8000-memory.dmp

Filesize
32KB

Download
memory/4084-22-0x00007FFBF68F0000-0x00007FFBF6AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4084-26-0x0000020889AD0000-0x0000020889DB2000-memory.dmp

Filesize
2.9MB

Download
memory/4084-46-0x00007FFBF68F0000-0x00007FFBF6AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4084-47-0x00007FFBF68F0000-0x00007FFBF6AE5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing