xworm | 8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088

General

Target

8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe
Size

315KB
MD5

918f83cd6d935bd729990142f8e276e0
SHA1

bd15b5a29a83b86d1ab177f16f6d0f3a54dc6741
SHA256

8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088
SHA512

c8e529a268fa1ca589d362538b9b9368a518cdead33cbe383dbb7ffdcced101950911e0cea4ebf0b5343583e48e3b8b490c3167874505a09d53da57cf25f05f1
SSDEEP

1536:LTJkxPIwcXpo/s/wyQC7CEJ0nMbYcj/RPc4YjDI4ox0V+s4jDu3Eyufeso1+qUQB:LNqP3UW/s4LQYGhcC1yufwqXYoQN

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.211:4444

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x00070000000173ee-14.dat	family_xworm
behavioral1/memory/2664-15-0x0000000000520000-0x0000000000530000-memory.dmp	family_xworm
behavioral1/memory/3060-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/3060-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/3060-21-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/3060-29-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/3060-31-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 3060	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	35

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe
2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe
Token: SeDebugPrivilege	3060	MSBuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2712	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	31
PID 2664 wrote to memory of 2712	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	31
PID 2664 wrote to memory of 2712	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	31
PID 2664 wrote to memory of 2712	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	31
PID 2712 wrote to memory of 2320	2712	csc.exe	33
PID 2712 wrote to memory of 2320	2712	csc.exe	33
PID 2712 wrote to memory of 2320	2712	csc.exe	33
PID 2712 wrote to memory of 2320	2712	csc.exe	33
PID 2664 wrote to memory of 2820	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	34
PID 2664 wrote to memory of 2820	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	34
PID 2664 wrote to memory of 2820	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	34
PID 2664 wrote to memory of 2820	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	34
PID 2664 wrote to memory of 3060	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	35
PID 2664 wrote to memory of 3060	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	35
PID 2664 wrote to memory of 3060	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	35
PID 2664 wrote to memory of 3060	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	35
PID 2664 wrote to memory of 3060	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	35
PID 2664 wrote to memory of 3060	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	35
PID 2664 wrote to memory of 3060	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	35
PID 2664 wrote to memory of 3060	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	35
PID 2664 wrote to memory of 3060	2664	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	35

C:\Users\Admin\AppData\Local\Temp\8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe
"C:\Users\Admin\AppData\Local\Temp\8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nryriywf\nryriywf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF132.tmp" "c:\Users\Admin\AppData\Local\Temp\nryriywf\CSC824F7562C4474D0C9EAEDA65684D611F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF132.tmp

Filesize
1KB

MD5
c360d86f6bd5bd64d81136a054369ed9

SHA1
7af9554549a1be853d8cca4597125da7ad959ed8

SHA256
a4d5beaab71d45dc3de041ada105b32fef8b3f1ca89aa5cadf7da6bb4df2dadb

SHA512
b851b502ee82489621a463af208792cb276165278fe85e3a861c9e7f4b3dbfa470663bc4f8a7e1feb48fd8352f44ec3df414ad79805d6c051e026f6da0f4c668

Download Submit
C:\Users\Admin\AppData\Local\Temp\nryriywf\nryriywf.dll

Filesize
41KB

MD5
9eeb64c64a5ebda4553a42be7b9b18d1

SHA1
f21c1f57fd0a4e74c38a6b1e1ee6b82a77ccab3a

SHA256
2cfe2c4f8abed01fafde3b0fe6f5287f77ecf3ed5b28271678f4412657dfa0d1

SHA512
193d6e5e5377885f5cc4e75c3f06fa44a9efafe8faab8065308a0fa3b079019e62d064adfd4980359d2d55e4f65218b42f979864b549d7936884f2cfddb2f68b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nryriywf\CSC824F7562C4474D0C9EAEDA65684D611F.TMP

Filesize
652B

MD5
ffb1d4060b74840531f2c40b2daf53d7

SHA1
e8cfd7dae0bf6ed310190bb68992d47c50281084

SHA256
e5aea1748d0e045d5eb4d3a9f5f31aebb7f638a7f5c72549e6d4d74c746e0726

SHA512
4fb834a70e1e9a801005b3941ecee83d0f48a689e75e7337754753bba8487c8fda08751eb556cbaf586462bbd2267b373a79ee51c7254c1082a64778b943b672

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nryriywf\nryriywf.0.cs

Filesize
101KB

MD5
321752ec5d5fef01d4f146035796f9df

SHA1
a46dbf6fb95d498fd733d4fde9a3d1b5917ba1f3

SHA256
9e9c63652e73aeaf0904794cfe6428f5f72faa493a6d9815dadceb3ef911a393

SHA512
5a52ac4a13f4bb6b5813fc3ca446e3366e4902acb7675356a2d675ee612d2bd3affdebc1c446e59a1cc2ab64640b59a09b2e00c25729ccb4c93b1985249b9d73

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nryriywf\nryriywf.cmdline

Filesize
204B

MD5
506700e28b2e0d6c6080c1864c8d53a2

SHA1
c71acb01b0bffc77ca54b535e2d84316a751e3d3

SHA256
bc50ab2f3be4e153b4122ad50f2a2d41d9ade9d8b00a18dee3c24e57550b0f89

SHA512
f76c55b129849d8d2258b2667bd23ac1a341605e96bb44393d220d04d6576f6d85c6253f5085071001ff56d93eb93e68ab5b28c833a4186340c4219daf98fa8d

Download Submit
memory/2664-0-0x000000007435E000-0x000000007435F000-memory.dmp

Filesize
4KB

Download
memory/2664-1-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/2664-5-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-15-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/2664-32-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/3060-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3060-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3060-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3060-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3060-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3060-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3060-31-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3060-33-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/3060-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3060-34-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing