xworm | 167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf

General

Target

167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe
Size

315KB
MD5

47db83a48f4ce42a918802f20de2728f
SHA1

676554792c422bd78cc6763efc863b52c9c41ac8
SHA256

167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf
SHA512

54a99695dba773bae591fba6ac9c5c5c9e9f0742ff1c40ebbc316b32fc8a4738e43515ab1977abe1f560d170023c73bdfcc710aaedc79fa0c1bea5b342e5b694
SSDEEP

1536:yzJC0dKuaIOz7Q0gLkUAg4YvRjYEBIU3joFpCm26oq7kd4m4sMXLiIRTCbpvYLsf:ytCmW49aSpgFXm1cC5gYoQN

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.85.66:7000

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e72b-14.dat	family_xworm
behavioral2/memory/3040-15-0x0000000002FD0000-0x0000000002FE0000-memory.dmp	family_xworm
behavioral2/memory/2412-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2412	3040	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	95

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 3544	3040	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	92
PID 3040 wrote to memory of 3544	3040	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	92
PID 3040 wrote to memory of 3544	3040	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	92
PID 3544 wrote to memory of 3608	3544	csc.exe	94
PID 3544 wrote to memory of 3608	3544	csc.exe	94
PID 3544 wrote to memory of 3608	3544	csc.exe	94
PID 3040 wrote to memory of 2412	3040	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	95
PID 3040 wrote to memory of 2412	3040	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	95
PID 3040 wrote to memory of 2412	3040	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	95
PID 3040 wrote to memory of 2412	3040	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	95
PID 3040 wrote to memory of 2412	3040	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	95
PID 3040 wrote to memory of 2412	3040	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	95
PID 3040 wrote to memory of 2412	3040	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	95
PID 3040 wrote to memory of 2412	3040	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	95

C:\Users\Admin\AppData\Local\Temp\167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe
"C:\Users\Admin\AppData\Local\Temp\167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ousffhrf\ousffhrf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93E3.tmp" "c:\Users\Admin\AppData\Local\Temp\ousffhrf\CSCFB405FEB901D4B88841B0E28A2E547.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES93E3.tmp

Filesize
1KB

MD5
721792e9e17604bd2097074b2fde0900

SHA1
874e63b0aebcd3946017324e744402bd15e20837

SHA256
b0b9d0d9bafd29efbc0952b6e959e9db83a3abad11c13b2e15ff1e2206e01b7c

SHA512
3aa38a77408d6e7de577f82cd9df18754405df45115f5abc9b470ff7ed21b8a15814b63c7ac19a71774e0f5b36545e1e4810e9fc2d8ff2cec0f9c03735eb591a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ousffhrf\ousffhrf.dll

Filesize
41KB

MD5
52e3c5d83ae37feee29a5fae7671cc14

SHA1
2828a6612746a437dfde64bdfb18c6a8bc0f4f0e

SHA256
50ee1099daabde29d38449eac38d5a684352d8db4d3cf30c8eb3ee3cdfd43f01

SHA512
9a9014874305d25a41fffe8cb282f66405bb2e455debe037fcdba685f52cbbb54bb563e678e1cee380023f7eca5c674ca9fbcc77882d7f69b7551b40eff7788b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ousffhrf\CSCFB405FEB901D4B88841B0E28A2E547.TMP

Filesize
652B

MD5
ddf8dbcef4f6236311f9254b3a6ebc55

SHA1
4e8caafe299e1b1588ab1ee992be2a48f6543ecd

SHA256
fc1c9a416716068b76f59535027d9c8cd9803336004854435769038c1b83e96a

SHA512
537b734c3416399203670e5b2da827a77a96898dedfbe82d4e0e23de07a5d0feb247ff3f9cdead3eae5b5aab7ddda342fbfe531388959e36a7aa9894c8cadc0a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ousffhrf\ousffhrf.0.cs

Filesize
101KB

MD5
b7d84d4752fcef0d27c1c6f62d557f7a

SHA1
92c0d7e926329f5e997f3b9753d9d3db42f18c24

SHA256
81f1e49e831871b44b80ef805a6e39d33166acc9f74dfc7e61689d33a2379908

SHA512
250f62f087245ffc81b1cd3d0bd0d27748e4cb20c9452c4f97ccd69bf903d275996be8607a6ba05a50bbf089f18ac1423db9074d9845a010ae440037866ea54d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ousffhrf\ousffhrf.cmdline

Filesize
204B

MD5
dfdd611f854606d9eda2e3cf53f2d2b2

SHA1
8a031ab5ecbe93d3de76815c7523d0480abff711

SHA256
267d5c51cc691340aa690fcb20db38b49fdf01de80f9991b027362784e6fade3

SHA512
79f5b10fcd16e123b8929574ae8cb166e9e1e2219724bcc1d78c4632952395d8b02be1dfa0326b061c5a6ebf8ce1304d4dfbea2842945db642baa80d992db0fa

Download Submit
memory/2412-21-0x0000000005670000-0x000000000570C000-memory.dmp

Filesize
624KB

Download
memory/2412-24-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/2412-27-0x0000000006EC0000-0x0000000007464000-memory.dmp

Filesize
5.6MB

Download
memory/2412-26-0x0000000006870000-0x0000000006902000-memory.dmp

Filesize
584KB

Download
memory/2412-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2412-20-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/2412-25-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/2412-23-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/2412-22-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3040-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/3040-5-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3040-19-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3040-15-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3040-1-0x0000000000B90000-0x0000000000BE4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing