xworm | 01565baa85ddb4b7034c620d9428024b43ae2375b8311e84aa7f06b91cc2c414

General

Target

yr.exe
Size

295KB
MD5

2b6b02943108b009beff18a6001aa8d5
SHA1

3bcaf5f750f36421a234de0423491d9e908ee70e
SHA256

01565baa85ddb4b7034c620d9428024b43ae2375b8311e84aa7f06b91cc2c414
SHA512

9e32a5a6ea07dc8899b66a07f2f78df6cab8c7cbc8fe36e8395bc2df11bedfefbdf6c350bb685730b2c4f75340e92af9c505f0c96120f2b1d5a473329d782563
SSDEEP

6144:ztphTL2ojyoWcUnqaok6vfdUkD4LxG3yat6mfourGr/x+2bMq6YH+zBGh5KihRGf:ztPTL2ojyoWcUnqaok6vfdUkD4LxG3yq

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.57.221:4414

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d7f-14.dat	family_xworm
behavioral1/memory/2720-15-0x0000000000250000-0x0000000000260000-memory.dmp	family_xworm
behavioral1/memory/2620-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2620-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2620-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2620-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2620-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 2620	2720	yr.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2828	2720	yr.exe	30
PID 2720 wrote to memory of 2828	2720	yr.exe	30
PID 2720 wrote to memory of 2828	2720	yr.exe	30
PID 2720 wrote to memory of 2828	2720	yr.exe	30
PID 2828 wrote to memory of 2892	2828	csc.exe	32
PID 2828 wrote to memory of 2892	2828	csc.exe	32
PID 2828 wrote to memory of 2892	2828	csc.exe	32
PID 2828 wrote to memory of 2892	2828	csc.exe	32
PID 2720 wrote to memory of 2620	2720	yr.exe	33
PID 2720 wrote to memory of 2620	2720	yr.exe	33
PID 2720 wrote to memory of 2620	2720	yr.exe	33
PID 2720 wrote to memory of 2620	2720	yr.exe	33
PID 2720 wrote to memory of 2620	2720	yr.exe	33
PID 2720 wrote to memory of 2620	2720	yr.exe	33
PID 2720 wrote to memory of 2620	2720	yr.exe	33
PID 2720 wrote to memory of 2620	2720	yr.exe	33
PID 2720 wrote to memory of 2620	2720	yr.exe	33

C:\Users\Admin\AppData\Local\Temp\yr.exe
"C:\Users\Admin\AppData\Local\Temp\yr.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\41wjitfd\41wjitfd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DD0.tmp" "c:\Users\Admin\AppData\Local\Temp\41wjitfd\CSC656955D6665A4C789AE5B73DE3E8C87.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41wjitfd\41wjitfd.dll

Filesize
41KB

MD5
defc37bdbd400c4f34d62569ca91eedc

SHA1
1a3e82f8c004ef47de94842e7046e083674d9fc3

SHA256
0f295d8fd1baf1b487790e3cef3104a18e2527ffa9bea8973e914bb25c78b3c5

SHA512
a664a74e504061475d6a8871a798a1bf59b614b929c663fce54577482ef909af26394a40c3b3166efccec5d69c7cc609f96689147f5904588383bc6e2ac9ed0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6DD0.tmp

Filesize
1KB

MD5
423e7f0494d767c9a3334cf6419db86d

SHA1
e5118617b3b10aab8b1f711078d63a7baa9fe1a6

SHA256
71122e7ca5af088b0f6c8d82816da4457e588216ec7f5cff10365b13ef62d116

SHA512
f3c1a7f874721a98809eeed644b4df4f6833ccfa376e44ba6fc0616853a626501b96ffc650b08d98ac827592b99616c4d27b21df8b76e19ef6bfbb2b2a786a2a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\41wjitfd\41wjitfd.0.cs

Filesize
101KB

MD5
9e67e68b66e4f47ea3c120085adf937c

SHA1
f14effd191647b8dc4599aabd87273510e7c4e98

SHA256
61452bfbedb04b6f0f8560ca40c99e3adc1802d20df5a64f7467f83f83af38e9

SHA512
2e8929a5758633ab4293924233ff7e0b5f31e722c2aafe0fc83ed2bc89efab43e719e6b5815a010070cb938da3f26af6937db1cc9de610b64233ab34a9981b7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\41wjitfd\41wjitfd.cmdline

Filesize
204B

MD5
c3c773e8f0c352639d958464c7a2eca7

SHA1
c70374082822bfa1ce45b9c6061fbd9685d75386

SHA256
708adc3a72e9c2f84eb53d216e3a8c7ff5430c9f7c278b9806420f746b9c676e

SHA512
655f9dc6e7b393ce0d2971f0423df1c3d75b25a3083b0c1c8675e94e2c6b4ff974dcd0f5df278a2a976ebd5b6bae5006a18114eaeb9bf711d349ed085766405f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\41wjitfd\CSC656955D6665A4C789AE5B73DE3E8C87.TMP

Filesize
652B

MD5
fcca583a57bf23635720554078fb85cd

SHA1
7f5a442a8c4d8f45c5a7cf58356b976052427f04

SHA256
2c2e4a4980ec65971ed8698ae404b479193e7c5ca46fcf6d1a1cce3a64def2e9

SHA512
afe549ddb282a3a7a2db831cad0d56c449a41f677701c720c2ab511aba3ee485e9f4d4e38a01c2894fbc24da2b8e52cd657ec8296b6b7c6d9f7d56062c63cc30

Download Submit
memory/2620-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2620-29-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-32-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-31-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2620-30-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2620-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2620-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2620-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2620-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2620-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2720-28-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-4-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

Filesize
4KB

Download
memory/2720-15-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2720-1-0x0000000001230000-0x0000000001280000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing