xworm | c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d

General

Target

c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe
Size

321KB
MD5

724cc4de405ed3db8a91c383cfc89f84
SHA1

45ca40cf798b7b2ea7216dba582d09dc83cd1bf5
SHA256

c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d
SHA512

2d3a4b342de5760091e6d6b77d5cdc8abad81ea9dea44bbeb37626f399c11d1405fd6eb8e2156330a684e2a3d28f6dd4ff93660816515896dc82f7a1f7d0d338
SSDEEP

6144:PzU2+BjwsX7+LtOKcvGj94+Y2MlP2yOjxK70NTDx9agjjkRE2aMoiFSV:PzU2+FwsX7+LtOKcvGj94+Y2MlP2yOj7

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e983-14.dat	family_xworm
behavioral2/memory/3292-15-0x00000000052E0000-0x00000000052F0000-memory.dmp	family_xworm
behavioral2/memory/4044-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3292 set thread context of 4044	3292	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	98

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 1692	3292	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	95
PID 3292 wrote to memory of 1692	3292	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	95
PID 3292 wrote to memory of 1692	3292	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	95
PID 1692 wrote to memory of 2088	1692	csc.exe	97
PID 1692 wrote to memory of 2088	1692	csc.exe	97
PID 1692 wrote to memory of 2088	1692	csc.exe	97
PID 3292 wrote to memory of 4044	3292	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	98
PID 3292 wrote to memory of 4044	3292	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	98
PID 3292 wrote to memory of 4044	3292	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	98
PID 3292 wrote to memory of 4044	3292	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	98
PID 3292 wrote to memory of 4044	3292	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	98
PID 3292 wrote to memory of 4044	3292	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	98
PID 3292 wrote to memory of 4044	3292	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	98
PID 3292 wrote to memory of 4044	3292	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	98

C:\Users\Admin\AppData\Local\Temp\c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe
"C:\Users\Admin\AppData\Local\Temp\c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vxkt0azr\vxkt0azr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD978.tmp" "c:\Users\Admin\AppData\Local\Temp\vxkt0azr\CSCC323BAEA75BF4C1480EA7A335D4783B4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD978.tmp

Filesize
1KB

MD5
eca7107cd21dbd805cb7f489b851528e

SHA1
c0d6100fa8fdf6b976a6309e400154cbd78142d0

SHA256
edaa7f596ce6bb41ff43d0df8743cda9cfd738a6909201e3ad442b5c833b7acb

SHA512
131b7c19a36349de957b5f83a73b1865061cf0a2b68e54e94feac62b9b8bc15486147daf108c1dcda446e45e6d2f8d21037567e642043df9b84097a38623a24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxkt0azr\vxkt0azr.dll

Filesize
42KB

MD5
34f1abad4083e4e24f3b8c49b5606109

SHA1
ae6726cd73dd09d10d443e466771eff89ff99980

SHA256
737e9d0c450f38b2b92fb7f8018c5a1414f43e064645d4d04ccf03ac8e25a44e

SHA512
86366620218fb06923336d644f0dccfcf1529301142c947207e964c747b06d632ae8bd2ad3279b6ae45dbe64e52eb995eb7626d3b729e3a418a0473f9483c51b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vxkt0azr\CSCC323BAEA75BF4C1480EA7A335D4783B4.TMP

Filesize
652B

MD5
7ca0d9c0226f6a668962605a6c02218a

SHA1
6793e791e6de1eb6c4830938b62945933c8db244

SHA256
a8947277717fdd8dd4be93903f912f6eee96e23df9f8b46465285cdf088b445d

SHA512
8b0e2d604e10b009ad1ed9bb2a23027302e1f60a7f194e54ae2a44d9f831c846b6e6892c58da1bf0a896560493c7249b403b79ed1733de142bb62b3477dc7e29

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vxkt0azr\vxkt0azr.0.cs

Filesize
104KB

MD5
4c235e59a96c8c09a6f7e97b95772164

SHA1
7350cfb88fbf6a2e7a9b12ad85f12e174b22b76a

SHA256
3a8459f7033c4dec0a2a8ee37090fa2fe38a2013667c969ac870965deb0b8c8d

SHA512
0857cc0c6c0aa7204772873a02fbeb11a05d0c890241eedaee6bf4fdd3a4ceaf18e6d612c7e3d47ba1c077104cf91809b133dc2420864d16cd15315c2d47cdf9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vxkt0azr\vxkt0azr.cmdline

Filesize
204B

MD5
20a26f3a479ce4b2f732ebfe8aa324b1

SHA1
762802908c20ce8474791af892d937780f65a5f2

SHA256
58704e0592f5b3a1fa54f60c420972560997bf3fbd53a6264e9e5fac57643106

SHA512
a13f6f7cd68571c16d04bd6cdde2c2a0f90915e9301f0723e37084133b470788067ec43a972135c2b34f30b6c40952490717e7a48f9875cd3c3b1e67dd9e43c5

Download Submit
memory/3292-15-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/3292-19-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3292-1-0x0000000000AE0000-0x0000000000B36000-memory.dmp

Filesize
344KB

Download
memory/3292-0-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/3292-5-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4044-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4044-20-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/4044-21-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4044-22-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4044-23-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4044-24-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/4044-25-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4044-26-0x0000000006540000-0x00000000065D2000-memory.dmp

Filesize
584KB

Download
memory/4044-27-0x0000000006B90000-0x0000000007134000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing