xworm | 12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9

General

Target

12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe
Size

315KB
MD5

e16acddcf30e48f1a412228269ec7ee0
SHA1

c431b49d1a8c7154a90fff36f97ff28497d1e690
SHA256

12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9
SHA512

2894d2e44307386aa7c23ae0093a600247b2bc1d5f0342e48fdce05a52adbe4419c64b6de15105ba942130176078773d4e091a212763151f02f9871b62a42e16
SSDEEP

3072:ktHIcvIdsE+iSmphsQvPb0dwG3birtHcn0UwGqtUH//F+oYoQN:kx131M5GOdtUHMaQ

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d3f-14.dat	family_xworm
behavioral1/memory/1972-15-0x0000000000210000-0x0000000000220000-memory.dmp	family_xworm
behavioral1/memory/2240-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2240-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2240-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2240-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2240-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 2240	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2404	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	30
PID 1972 wrote to memory of 2404	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	30
PID 1972 wrote to memory of 2404	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	30
PID 1972 wrote to memory of 2404	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	30
PID 2404 wrote to memory of 1264	2404	csc.exe	32
PID 2404 wrote to memory of 1264	2404	csc.exe	32
PID 2404 wrote to memory of 1264	2404	csc.exe	32
PID 2404 wrote to memory of 1264	2404	csc.exe	32
PID 1972 wrote to memory of 2240	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	33
PID 1972 wrote to memory of 2240	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	33
PID 1972 wrote to memory of 2240	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	33
PID 1972 wrote to memory of 2240	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	33
PID 1972 wrote to memory of 2240	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	33
PID 1972 wrote to memory of 2240	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	33
PID 1972 wrote to memory of 2240	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	33
PID 1972 wrote to memory of 2240	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	33
PID 1972 wrote to memory of 2240	1972	12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe	33

C:\Users\Admin\AppData\Local\Temp\12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe
"C:\Users\Admin\AppData\Local\Temp\12003cfc75b9d076590abcbe3f960e7b64114f229ace64497d28e260ca01a2b9.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zgaq0ghu\zgaq0ghu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA554.tmp" "c:\Users\Admin\AppData\Local\Temp\zgaq0ghu\CSC5F69EE3BA19244E7BFD43BF25BC4EEF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA554.tmp

Filesize
1KB

MD5
82ecf5623da21dea47c25715039fc1f4

SHA1
4a36b574ebc34b86be9ac10399cbb923f083bf00

SHA256
50412f2a69a8d09b402d2afa0524392b9eadb4eafe08df18b8eecb7e07cdfd0f

SHA512
b87905e7156576998589b95d6ac6a0af43eb0c2fddb382c65b8507db6b95525ba7d243983c31d52f52cd12b37483fd68c7b1f674d315e18f4b25013d4748bb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgaq0ghu\zgaq0ghu.dll

Filesize
41KB

MD5
a7f3744144f7a1f6a1c4c2f5415ba232

SHA1
6a49061e286c793f67531786e919326a99f332d5

SHA256
e2a3b59a1bcb7ab65881bfd3efd473edec6cfc21f9db62660178971936d2e0ec

SHA512
74f890c00c3d4e5f276f784dc098d5725e7c5450f421075093b16791f1a545c3bc57ba1b6ea3aa5d3277064fbb21f312a8957482d71214db973e1b38416a9114

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zgaq0ghu\CSC5F69EE3BA19244E7BFD43BF25BC4EEF.TMP

Filesize
652B

MD5
ad463c8568b18c0079e2f4c0b2fee705

SHA1
ac2d8ea578656c6c3af24fcd04d09717528e1a47

SHA256
f258434bfc72c6fdf33a98fed39032521eb7c6c8f0a82d3583a32f5ef865f19f

SHA512
c4c75e3cec317300c576c94c53c926da8ce513f38a27546123472a643fb5463cef0f35e80b467f06ea53ef895a38f1f4f7ad8a679684def5b8510a0f9509e2eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zgaq0ghu\zgaq0ghu.0.cs

Filesize
101KB

MD5
fcb83d623452e1cafbc3b0ad5b3b5b73

SHA1
abc26af231584f50ca2ae6de25d4c4764eaf7a9f

SHA256
d4e8ff661b3125613fadc869675cf7c01909b4d64d06344ab2b632ab7ba1e4cc

SHA512
41a233e55bca274c0c3d2fe1c6474306cb17f273bc70e7b1224603b91d17314eb3709c2cbddf2e30d5caafb4b94eb18e8b7ea7d11b19612bf1b5fa80fa9dd3d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zgaq0ghu\zgaq0ghu.cmdline

Filesize
204B

MD5
8cb1339121d14eb6e2e5931c8bf3f5af

SHA1
2ac6331e1c23e3ed8644c4bd4778331593750014

SHA256
39b599ae14b3b6181138646d57afb275c40c8a5faab1494e0cbce1781578413c

SHA512
9af734adbd8426af95d6e5c618a6127a5a69c98e3f88394a75f30ed92c7980605c055bb69cbbce07574f3bb7cd269346c8f689dddc0e5a5c1051259f616c8b8b

Download Submit
memory/1972-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/1972-1-0x0000000000D50000-0x0000000000DA4000-memory.dmp

Filesize
336KB

Download
memory/1972-5-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-15-0x0000000000210000-0x0000000000220000-memory.dmp

Filesize
64KB

Download
memory/1972-29-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2240-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2240-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2240-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2240-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2240-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2240-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2240-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2240-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2240-28-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2240-30-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2240-31-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2240-32-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing