xworm | c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d

General

Target

fg.exe
Size

321KB
MD5

724cc4de405ed3db8a91c383cfc89f84
SHA1

45ca40cf798b7b2ea7216dba582d09dc83cd1bf5
SHA256

c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d
SHA512

2d3a4b342de5760091e6d6b77d5cdc8abad81ea9dea44bbeb37626f399c11d1405fd6eb8e2156330a684e2a3d28f6dd4ff93660816515896dc82f7a1f7d0d338
SSDEEP

6144:PzU2+BjwsX7+LtOKcvGj94+Y2MlP2yOjxK70NTDx9agjjkRE2aMoiFSV:PzU2+FwsX7+LtOKcvGj94+Y2MlP2yOj7

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b57-14.dat	family_xworm
behavioral2/memory/1480-15-0x0000000002BC0000-0x0000000002BD0000-memory.dmp	family_xworm
behavioral2/memory/5016-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1480 set thread context of 5016	1480	fg.exe	95

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1480	fg.exe
1480	fg.exe
1480	fg.exe
1480	fg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	fg.exe
Token: SeDebugPrivilege	5016	MSBuild.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3332	1480	fg.exe	90
PID 1480 wrote to memory of 3332	1480	fg.exe	90
PID 1480 wrote to memory of 3332	1480	fg.exe	90
PID 3332 wrote to memory of 3060	3332	csc.exe	92
PID 3332 wrote to memory of 3060	3332	csc.exe	92
PID 3332 wrote to memory of 3060	3332	csc.exe	92
PID 1480 wrote to memory of 2008	1480	fg.exe	93
PID 1480 wrote to memory of 2008	1480	fg.exe	93
PID 1480 wrote to memory of 2008	1480	fg.exe	93
PID 1480 wrote to memory of 4676	1480	fg.exe	94
PID 1480 wrote to memory of 4676	1480	fg.exe	94
PID 1480 wrote to memory of 4676	1480	fg.exe	94
PID 1480 wrote to memory of 5016	1480	fg.exe	95
PID 1480 wrote to memory of 5016	1480	fg.exe	95
PID 1480 wrote to memory of 5016	1480	fg.exe	95
PID 1480 wrote to memory of 5016	1480	fg.exe	95
PID 1480 wrote to memory of 5016	1480	fg.exe	95
PID 1480 wrote to memory of 5016	1480	fg.exe	95
PID 1480 wrote to memory of 5016	1480	fg.exe	95
PID 1480 wrote to memory of 5016	1480	fg.exe	95

C:\Users\Admin\AppData\Local\Temp\fg.exe
"C:\Users\Admin\AppData\Local\Temp\fg.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bi3zzuee\bi3zzuee.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90E6.tmp" "c:\Users\Admin\AppData\Local\Temp\bi3zzuee\CSCB7EBA0C4BD40508CABEBBDC37C7DFF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES90E6.tmp

Filesize
1KB

MD5
13c9032f69cd5a8f254e50c152087a7a

SHA1
27fd20980d46a554509cf7db9c0cd2011625325c

SHA256
9ddf746e1bce0bd15b9fab6b27b2361e20422a25fe3c6a113636e260c6528f57

SHA512
da069b5fe4266852377a066b80a871bff48aa6a55e970f43a0a69b49fca04ba6573c0820e23b314017adda872a98864115ac8d2942e568dbbd778b4fe9bcc665

Download Submit
C:\Users\Admin\AppData\Local\Temp\bi3zzuee\bi3zzuee.dll

Filesize
42KB

MD5
d4e9ebe400227fde86aa002ff0cdfcb1

SHA1
6d31e4127bfaae0025a05e4f3cd360fd8e816144

SHA256
749742d1bbe4524600c1f58f40eedc89cf119f531ba5aadaab66d9bf4a939e67

SHA512
71b4b50b5a34677905fe644a49e4aae1004958bf5b470aff8aa74103f59da33787a02cf4575ae7e0adb4a7169190a41079c438420abfe175ee23364f025a3e6a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bi3zzuee\CSCB7EBA0C4BD40508CABEBBDC37C7DFF.TMP

Filesize
652B

MD5
ce737ca7abce10dc30f1ad8795e3b609

SHA1
af9daee8ecfdffdedbeb08d664585db496e0a996

SHA256
ccbf624cd3cce4c735ad439244de4c0203f36ba92c6af012a6be3db75b998452

SHA512
6359ac4a8d339d6386cdafbf5b83d4196236f179ef6bf01576ff13d889c14c3956970079d789b84c428e248f47a5941923a8341edc3a9f16b1c99b6168efeb5a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bi3zzuee\bi3zzuee.0.cs

Filesize
104KB

MD5
4c235e59a96c8c09a6f7e97b95772164

SHA1
7350cfb88fbf6a2e7a9b12ad85f12e174b22b76a

SHA256
3a8459f7033c4dec0a2a8ee37090fa2fe38a2013667c969ac870965deb0b8c8d

SHA512
0857cc0c6c0aa7204772873a02fbeb11a05d0c890241eedaee6bf4fdd3a4ceaf18e6d612c7e3d47ba1c077104cf91809b133dc2420864d16cd15315c2d47cdf9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bi3zzuee\bi3zzuee.cmdline

Filesize
204B

MD5
6d56a7d0b95a87da183dd0d73eca8bf6

SHA1
be23a3365c37f4c927ff9c7042753e827d716513

SHA256
2f4116b17ceb0d6c03d27b40b21cc89e8097b01d6ef4a11ca07b90cf5285f2ab

SHA512
29244218d1fb6a5ab8830d552ef9c76b93ea5e03a8620f85287b265e9550e4d6c98c4fe89389c55e9bf4e686735f771c55d9a998ebd42b0fb4a7d20ab12b3b87

Download Submit
memory/1480-15-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/1480-19-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/1480-1-0x0000000000910000-0x0000000000966000-memory.dmp

Filesize
344KB

Download
memory/1480-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/1480-5-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/5016-21-0x0000000005280000-0x000000000531C000-memory.dmp

Filesize
624KB

Download
memory/5016-20-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/5016-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5016-22-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/5016-23-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/5016-24-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/5016-25-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/5016-26-0x0000000006310000-0x00000000063A2000-memory.dmp

Filesize
584KB

Download
memory/5016-27-0x0000000006960000-0x0000000006F04000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing