xworm | 0ee44adb41c176680bd68bcc3f8c99aed0b404cedbee7cdcfa02394c8a1e6d01

General

Target

CrackLauncher.exe
Size

602KB
MD5

3f130f5434b8e3f910ed4728752d0d90
SHA1

25451b8025d529012b81e38493c42c682337b148
SHA256

c3d4c0d6d8bdb25a0982bb01524aea9383f4c2cfbfebdbca2982594f6d675032
SHA512

63eceae915c2c7a69c2c8238d55fc595e01971ba207d7a853617cd75040bb6542228a73cd0946174bdd380f541a072efb1d01ae674182155f76cb98672330e75
SSDEEP

12288:YkHpR0q8/RBgTmBbbFHOyml6bmqNjIabY1IY6QcBo:Nqp4xqd3o

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

C2

funds-skating.gl.at.ply.gg:28367

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1296-27-0x0000000000400000-0x000000000049E000-memory.dmp	family_xworm
behavioral1/files/0x0007000000023c9c-26.dat	family_xworm
behavioral1/memory/5452-28-0x0000000000590000-0x00000000005AC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe

Executes dropped EXE 2 IoCs

pid	Process
2312	Launcher.exe
5452	Nursultan.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrackLauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
5936	timeout.exe
5984	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5452	Nursultan.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1056	1296	CrackLauncher.exe	85
PID 1296 wrote to memory of 1056	1296	CrackLauncher.exe	85
PID 1296 wrote to memory of 1056	1296	CrackLauncher.exe	85
PID 1296 wrote to memory of 2312	1296	CrackLauncher.exe	88
PID 1296 wrote to memory of 2312	1296	CrackLauncher.exe	88
PID 1296 wrote to memory of 5452	1296	CrackLauncher.exe	89
PID 1296 wrote to memory of 5452	1296	CrackLauncher.exe	89
PID 1056 wrote to memory of 5936	1056	cmd.exe	91
PID 1056 wrote to memory of 5936	1056	cmd.exe	91
PID 1056 wrote to memory of 5936	1056	cmd.exe	91
PID 1056 wrote to memory of 5984	1056	cmd.exe	106
PID 1056 wrote to memory of 5984	1056	cmd.exe	106
PID 1056 wrote to memory of 5984	1056	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CrackLauncher.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 12 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:5936
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:5984
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.bat

Filesize
186B

MD5
bd080aac681b6d277b9abade0e053340

SHA1
356d4c54a54d4343348213dd653ef58bc451f5bf

SHA256
b8b9073d34a3df97614c03937ecbaa34259de78d6c9ef70122ba41c439e1600d

SHA512
9439e149bb46c71423248cc15aaf7cae871f90099a730ada4a4b19b0e5ba3a1cf62354851308684ed3561a83f9f35c9db9c121a314556ab395d9e565b8d07220

Download Submit
C:\Users\Admin\AppData\Local\Temp\Launcher.exe

Filesize
505KB

MD5
b8ecdac56c62fd3e55b68f611a90c534

SHA1
1b852b195958f6014accfbbbbfa7ebe64528b7fe

SHA256
39f5483eb257469ed9a4298450337307657e534b0eebe16f2013ddd036829657

SHA512
1fbc46fcf3319b5dc5edc4151f143356782db28c623b82edca2ee107c1993f5d737edfba27a5d4d0055d903ffd26129509340461fa5e2742a70437b8b552d511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
87KB

MD5
aea5282ca4a36a0dd67fc1c00ec043b7

SHA1
51876aae1bb2361cd9b3087b3324fe71f588d46a

SHA256
44132534c8a05d0f000885b1a5c4561c31d7930bc378b635b902633338a31863

SHA512
7e6bb82bc6d0c1b1ec3d09b59a00c578f7229649cc67e99b0b38bfbf12c58bc0a60a9b62128da779e38e2b9b5894db9bebe88fc9ef606b0842646b3e1ec7ec8f

Download Submit
memory/1296-27-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2312-24-0x00007FFE57953000-0x00007FFE57955000-memory.dmp

Filesize
8KB

Download
memory/2312-22-0x0000000000EF0000-0x0000000000F70000-memory.dmp

Filesize
512KB

Download
memory/5452-28-0x0000000000590000-0x00000000005AC000-memory.dmp

Filesize
112KB

Download
memory/5452-29-0x00007FFE57950000-0x00007FFE58411000-memory.dmp

Filesize
10.8MB

Download
memory/5452-32-0x00007FFE57950000-0x00007FFE58411000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing