xworm | 713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5

General

Target

713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe
Size

394KB
MD5

9daf267f412e5c38116989762a9cf145
SHA1

809fad1c6bf61546ea05188dfedbde4bad0f98a1
SHA256

713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5
SHA512

0115e5c5cfa324615fba5dbc4b9f3c915195f26bfdc1598ebf1bd3291582410f7cee46d2296d34165e9115b4cafcd74e2e88eca55cbdb8a8009901b9d8ffd88b
SSDEEP

12288:TxjwN1WoADQEwTKOZ2+i/qW83wfeuLhDhyO6T1GdcdcgL5i:d

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.57.221:4414

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022b0b-14.dat	family_xworm
behavioral2/memory/688-15-0x0000000005760000-0x0000000005770000-memory.dmp	family_xworm
behavioral2/memory/428-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 688 set thread context of 428	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	94

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe
688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe
Token: SeDebugPrivilege	428	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 1360	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	89
PID 688 wrote to memory of 1360	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	89
PID 688 wrote to memory of 1360	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	89
PID 1360 wrote to memory of 956	1360	csc.exe	92
PID 1360 wrote to memory of 956	1360	csc.exe	92
PID 1360 wrote to memory of 956	1360	csc.exe	92
PID 688 wrote to memory of 4552	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	93
PID 688 wrote to memory of 4552	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	93
PID 688 wrote to memory of 4552	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	93
PID 688 wrote to memory of 428	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	94
PID 688 wrote to memory of 428	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	94
PID 688 wrote to memory of 428	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	94
PID 688 wrote to memory of 428	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	94
PID 688 wrote to memory of 428	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	94
PID 688 wrote to memory of 428	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	94
PID 688 wrote to memory of 428	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	94
PID 688 wrote to memory of 428	688	713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe	94

C:\Users\Admin\AppData\Local\Temp\713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe
"C:\Users\Admin\AppData\Local\Temp\713a9ec5fe2a81686942a159c168027da5910e72fd52d914cf8e6fc0a2cdb0e5.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u44vs2hm\u44vs2hm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE05.tmp" "c:\Users\Admin\AppData\Local\Temp\u44vs2hm\CSC869F67BA96A459B8C8A1D10527AF6A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE05.tmp

Filesize
1KB

MD5
c53923bb81336c797d0db9f27b4e566c

SHA1
438ff0fcbddf442edbf9acfc486c2ae346b4c18c

SHA256
c6f679a844f6762ce9ed6e537a5f588888c0b66736124b1bc4a65c52335b9220

SHA512
ff2dd3205d3021b5a6b323cceca60f2afb6dbc352ba5d72811f5e1c39aad98032dffc6f748bd3421e2ed6285100ff5aa083a3c7a960750b485fbb257bd3c9582

Download Submit
C:\Users\Admin\AppData\Local\Temp\u44vs2hm\u44vs2hm.dll

Filesize
42KB

MD5
2fc1bba46441fe1d5f904af6d7c3886d

SHA1
3df58db5c9a8a5c51450841907068cbb0a4de689

SHA256
2e5f8e9871f7659d0ccabc99aec92e8c95e5076d7c2f96a6c2881669ab944753

SHA512
253a85bd286ca123172cbe8b2bb4e55e6c2b6cf20d24324bb9772d35f56c9435fd92cba40119ea21bf118d7b3f7b16ac1b5dd25b235787552bf0ba308d98255e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u44vs2hm\CSC869F67BA96A459B8C8A1D10527AF6A.TMP

Filesize
652B

MD5
9627cd0ac06bd5e1edce60828a6db79e

SHA1
9054e85ddd5bebc0936334ce35ea6740ff568f68

SHA256
2c8423e80dfa86770fc12c4f2900edce305882a4c09baa35602d585b8b131362

SHA512
d541ef23202b12ac160b59c3cb9d991ed5419981a8f007c0ae0aa0c6a9a3b3277fb84e857496f2a7c469bea69eaad2dc5b2a7d07615980cf9ac322d25e621530

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u44vs2hm\u44vs2hm.0.cs

Filesize
103KB

MD5
992ab26a03ded91714491d267da55fb2

SHA1
25fe04d5493f7e904bd4e64078aa464226e8f393

SHA256
3b18772dbf088171f78cccd3da6fb05f46918b2bafa17ab43ea03ec0507935c1

SHA512
a1dbfd27e02d10e978475bf9c1279c489e1c9febd8456492e2b0d7df33563c4e81cc28e39f6a90aa82cadc06927bce2f831f2089b5e57da4ea89862a6d82ad0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u44vs2hm\u44vs2hm.cmdline

Filesize
204B

MD5
16312a12dddd45d1e16b926f20c5a30f

SHA1
42a2899c516b2087ea8e3b96f348b703495291b9

SHA256
5815263fda87425e4fef22bfb6a7ff680255b1f6f1ec74719f44b7628d11c62a

SHA512
a800839d9a2cd69f1310d13e5ba870cce0ef450aea685c89bba6fe466515e9c7b93e0a63626bd50d1ab76f23440b0f99f0bcb37659019ea974412f619d2f723b

Download Submit
memory/428-21-0x0000000004CE0000-0x0000000004D7C000-memory.dmp

Filesize
624KB

Download
memory/428-24-0x0000000005380000-0x00000000053E6000-memory.dmp

Filesize
408KB

Download
memory/428-27-0x00000000063E0000-0x0000000006984000-memory.dmp

Filesize
5.6MB

Download
memory/428-26-0x0000000005D90000-0x0000000005E22000-memory.dmp

Filesize
584KB

Download
memory/428-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/428-25-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/428-20-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/428-23-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/428-22-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/688-0-0x000000007529E000-0x000000007529F000-memory.dmp

Filesize
4KB

Download
memory/688-5-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/688-19-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/688-15-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/688-1-0x0000000000E10000-0x0000000000E78000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing