xworm | 167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf

General

Target

rt.exe
Size

315KB
MD5

47db83a48f4ce42a918802f20de2728f
SHA1

676554792c422bd78cc6763efc863b52c9c41ac8
SHA256

167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf
SHA512

54a99695dba773bae591fba6ac9c5c5c9e9f0742ff1c40ebbc316b32fc8a4738e43515ab1977abe1f560d170023c73bdfcc710aaedc79fa0c1bea5b342e5b694
SSDEEP

1536:yzJC0dKuaIOz7Q0gLkUAg4YvRjYEBIU3joFpCm26oq7kd4m4sMXLiIRTCbpvYLsf:ytCmW49aSpgFXm1cC5gYoQN

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.85.66:7000

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016c4a-14.dat	family_xworm
behavioral1/memory/2700-15-0x0000000000300000-0x0000000000310000-memory.dmp	family_xworm
behavioral1/memory/2932-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2932-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2932-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2932-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2932-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2932	2700	rt.exe	34

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2984	2700	rt.exe	31
PID 2700 wrote to memory of 2984	2700	rt.exe	31
PID 2700 wrote to memory of 2984	2700	rt.exe	31
PID 2700 wrote to memory of 2984	2700	rt.exe	31
PID 2984 wrote to memory of 2720	2984	csc.exe	33
PID 2984 wrote to memory of 2720	2984	csc.exe	33
PID 2984 wrote to memory of 2720	2984	csc.exe	33
PID 2984 wrote to memory of 2720	2984	csc.exe	33
PID 2700 wrote to memory of 2932	2700	rt.exe	34
PID 2700 wrote to memory of 2932	2700	rt.exe	34
PID 2700 wrote to memory of 2932	2700	rt.exe	34
PID 2700 wrote to memory of 2932	2700	rt.exe	34
PID 2700 wrote to memory of 2932	2700	rt.exe	34
PID 2700 wrote to memory of 2932	2700	rt.exe	34
PID 2700 wrote to memory of 2932	2700	rt.exe	34
PID 2700 wrote to memory of 2932	2700	rt.exe	34
PID 2700 wrote to memory of 2932	2700	rt.exe	34

C:\Users\Admin\AppData\Local\Temp\rt.exe
"C:\Users\Admin\AppData\Local\Temp\rt.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffmpg1qw\ffmpg1qw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF641.tmp" "c:\Users\Admin\AppData\Local\Temp\ffmpg1qw\CSCFCBAA9C875754D4E9A8FED4289F4E44.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF641.tmp

Filesize
1KB

MD5
8a947507e28453dad95113da22e3cd72

SHA1
55d0f850500613ed0f7c2671a72fbdf9c54d986d

SHA256
a8473d96a295dbe34c60e1135f2ed8fd573238d884753ebc7265d4c0013f62dc

SHA512
ab046443e51ff9de396e887fa10c967562e7155f1b2e18841951bc93badde58e1ee8aa386af5d5a4ba64c0be9bf59033c26a860f75bacbaaf7bc09d41c10b239

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffmpg1qw\ffmpg1qw.dll

Filesize
41KB

MD5
42a50a06afb0aae80ab3d87aafd04cd5

SHA1
9587a5df1aa52a4681c88b8042bb0d703ad41ae0

SHA256
c3e10b29a63b0baa67ffa4ee5f9f3277f6d3cd523e91482f63baa8656a9c6a23

SHA512
98f352844f42f01d351cd019dd112dfffdba9eb2cb092060a29ee79e23a455e64662f96040c33edaf0f75679bbb701de720afa9a17302fb30d2410789733ada0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ffmpg1qw\CSCFCBAA9C875754D4E9A8FED4289F4E44.TMP

Filesize
652B

MD5
ec633a68f45063da32222f4586e32635

SHA1
76c33d592b62f9ff084525f6304a503059ec96f8

SHA256
47e8676f84db9dccbc2cbc9746c0fbe87b2045103cfe38969b7b27de41fb99cf

SHA512
ac69c5ed45d0084e56d248c98152a2e769e3d794951cadd7767c278a68bcd6e9a1dae30a8331e4f13e88cb27204a763437ea58bd3d35a14247fb5ccb2bd879eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ffmpg1qw\ffmpg1qw.0.cs

Filesize
101KB

MD5
b7d84d4752fcef0d27c1c6f62d557f7a

SHA1
92c0d7e926329f5e997f3b9753d9d3db42f18c24

SHA256
81f1e49e831871b44b80ef805a6e39d33166acc9f74dfc7e61689d33a2379908

SHA512
250f62f087245ffc81b1cd3d0bd0d27748e4cb20c9452c4f97ccd69bf903d275996be8607a6ba05a50bbf089f18ac1423db9074d9845a010ae440037866ea54d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ffmpg1qw\ffmpg1qw.cmdline

Filesize
204B

MD5
d1c0b27348673240ea17885a6f91518b

SHA1
f34ef72b24b5143586d7398c858669f162a096ea

SHA256
2df44005a1127f66d55fbd477b1b8ca94ae42a037f3905dfd21771fdd2099790

SHA512
b40c0846e57cd1175825d74cae573c6c58dff16bc58651489560ba7c71aca389a4b699a619de3b37413804d140fe8fbd7badb845607adb6f91eddde93cee4c1d

Download Submit
memory/2700-0-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2700-1-0x00000000008F0000-0x0000000000944000-memory.dmp

Filesize
336KB

Download
memory/2700-5-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-15-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2700-28-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2932-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2932-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2932-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2932-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2932-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2932-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2932-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2932-29-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-30-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-31-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-32-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing