xworm | 167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf

General

Target

SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe
Size

315KB
MD5

47db83a48f4ce42a918802f20de2728f
SHA1

676554792c422bd78cc6763efc863b52c9c41ac8
SHA256

167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf
SHA512

54a99695dba773bae591fba6ac9c5c5c9e9f0742ff1c40ebbc316b32fc8a4738e43515ab1977abe1f560d170023c73bdfcc710aaedc79fa0c1bea5b342e5b694
SSDEEP

1536:yzJC0dKuaIOz7Q0gLkUAg4YvRjYEBIU3joFpCm26oq7kd4m4sMXLiIRTCbpvYLsf:ytCmW49aSpgFXm1cC5gYoQN

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.85.66:7000

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e99a-14.dat	family_xworm
behavioral2/memory/3188-15-0x0000000002A20000-0x0000000002A30000-memory.dmp	family_xworm
behavioral2/memory/4964-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3188 set thread context of 4964	3188	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	101

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 3920	3188	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	96
PID 3188 wrote to memory of 3920	3188	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	96
PID 3188 wrote to memory of 3920	3188	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	96
PID 3920 wrote to memory of 4140	3920	csc.exe	100
PID 3920 wrote to memory of 4140	3920	csc.exe	100
PID 3920 wrote to memory of 4140	3920	csc.exe	100
PID 3188 wrote to memory of 4964	3188	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	101
PID 3188 wrote to memory of 4964	3188	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	101
PID 3188 wrote to memory of 4964	3188	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	101
PID 3188 wrote to memory of 4964	3188	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	101
PID 3188 wrote to memory of 4964	3188	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	101
PID 3188 wrote to memory of 4964	3188	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	101
PID 3188 wrote to memory of 4964	3188	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	101
PID 3188 wrote to memory of 4964	3188	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	101

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nqsybgnn\nqsybgnn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC275.tmp" "c:\Users\Admin\AppData\Local\Temp\nqsybgnn\CSC202759AB92FA4163B5A36314D2FE4FE8.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC275.tmp

Filesize
1KB

MD5
e12d8efe4e7ac6a6416ab27cf7113743

SHA1
adcad3244a68e15872dff0e4a1a5f971232c8dda

SHA256
f72f6757d9f94b3fc90196022360d1002728bc2c4c4aad2621fc1080b39e29b5

SHA512
03c0a501c8af4d96a63125b21594cb3196b70779c0f5254cffc2a432232a8f6d27e66d461acfe9c497e7cc8666333db30414ed81bf3cc4701c8769ece4e869b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqsybgnn\nqsybgnn.dll

Filesize
41KB

MD5
26d9dd4272f46289614e3cb51feb615b

SHA1
49f84538b260b02b6a4a329e6425e4671e0bf59f

SHA256
e8a9c7906546b1e4a045a776f01e5d0048f09bf0da052bec99e2789c4f70d6d4

SHA512
689fbfd0836e05890880c2720c22b536f0af0fd8c241e51613c76a2b8de2673090eb45c1a745f8ad88d6f6814b1ba676035eb4994ccc74cfab3cd47d75e31ccf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nqsybgnn\CSC202759AB92FA4163B5A36314D2FE4FE8.TMP

Filesize
652B

MD5
e79244e643b480a09f670080bf589868

SHA1
4664ce7be0943988d1ce40f0895119d0fb497347

SHA256
5eba2ace6d7a2cf4dceec7a557c70d5b8b095bcab3fefbd4e35a3bea58612672

SHA512
c55d976da7d8ca5577e4bf0ef561e818fb74a6d085203babf844f4e7e5912b347702aec7dcb18f90a806570ab53952e2f036844d8347a8fd68ecf96e1de5c7b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nqsybgnn\nqsybgnn.0.cs

Filesize
101KB

MD5
b7d84d4752fcef0d27c1c6f62d557f7a

SHA1
92c0d7e926329f5e997f3b9753d9d3db42f18c24

SHA256
81f1e49e831871b44b80ef805a6e39d33166acc9f74dfc7e61689d33a2379908

SHA512
250f62f087245ffc81b1cd3d0bd0d27748e4cb20c9452c4f97ccd69bf903d275996be8607a6ba05a50bbf089f18ac1423db9074d9845a010ae440037866ea54d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nqsybgnn\nqsybgnn.cmdline

Filesize
204B

MD5
09428b15ab5bd46dc6407449f4197d0f

SHA1
f49daf27a7aa1e746748bb6859f3dfb0b3ced87f

SHA256
c1577d4531cdc5520ff0a050cb3b1b9504105b1adf550f1055dc7b5fe626d0da

SHA512
12dd27aff43bf7c4f320b4f2c0f6a8f6dff5fb7fc187f31a0a8e04710a350f819745fa54e42197a0584dcd795f9b9dd11811e8f259ee76d1ee69bbb0af6a8421

Download Submit
memory/3188-15-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/3188-20-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/3188-1-0x0000000000670000-0x00000000006C4000-memory.dmp

Filesize
336KB

Download
memory/3188-0-0x000000007502E000-0x000000007502F000-memory.dmp

Filesize
4KB

Download
memory/3188-5-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-21-0x00000000050C0000-0x000000000515C000-memory.dmp

Filesize
624KB

Download
memory/4964-19-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4964-22-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-23-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-24-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/4964-25-0x0000000006130000-0x00000000061C2000-memory.dmp

Filesize
584KB

Download
memory/4964-26-0x0000000006780000-0x0000000006D24000-memory.dmp

Filesize
5.6MB

Download
memory/4964-27-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing