xworm | 01565baa85ddb4b7034c620d9428024b43ae2375b8311e84aa7f06b91cc2c414

General

Target

yr.exe
Size

295KB
MD5

2b6b02943108b009beff18a6001aa8d5
SHA1

3bcaf5f750f36421a234de0423491d9e908ee70e
SHA256

01565baa85ddb4b7034c620d9428024b43ae2375b8311e84aa7f06b91cc2c414
SHA512

9e32a5a6ea07dc8899b66a07f2f78df6cab8c7cbc8fe36e8395bc2df11bedfefbdf6c350bb685730b2c4f75340e92af9c505f0c96120f2b1d5a473329d782563
SSDEEP

6144:ztphTL2ojyoWcUnqaok6vfdUkD4LxG3yat6mfourGr/x+2bMq6YH+zBGh5KihRGf:ztPTL2ojyoWcUnqaok6vfdUkD4LxG3yq

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.57.221:4414

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000500000001e957-14.dat	family_xworm
behavioral2/memory/4932-15-0x0000000000B80000-0x0000000000B90000-memory.dmp	family_xworm
behavioral2/memory/3672-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4932 set thread context of 3672	4932	yr.exe	97

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 3884	4932	yr.exe	94
PID 4932 wrote to memory of 3884	4932	yr.exe	94
PID 4932 wrote to memory of 3884	4932	yr.exe	94
PID 3884 wrote to memory of 2500	3884	csc.exe	96
PID 3884 wrote to memory of 2500	3884	csc.exe	96
PID 3884 wrote to memory of 2500	3884	csc.exe	96
PID 4932 wrote to memory of 3672	4932	yr.exe	97
PID 4932 wrote to memory of 3672	4932	yr.exe	97
PID 4932 wrote to memory of 3672	4932	yr.exe	97
PID 4932 wrote to memory of 3672	4932	yr.exe	97
PID 4932 wrote to memory of 3672	4932	yr.exe	97
PID 4932 wrote to memory of 3672	4932	yr.exe	97
PID 4932 wrote to memory of 3672	4932	yr.exe	97
PID 4932 wrote to memory of 3672	4932	yr.exe	97

C:\Users\Admin\AppData\Local\Temp\yr.exe
"C:\Users\Admin\AppData\Local\Temp\yr.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zzy0wfxk\zzy0wfxk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF26E.tmp" "c:\Users\Admin\AppData\Local\Temp\zzy0wfxk\CSC821CC5163B9B432A98732BA6987CA2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF26E.tmp

Filesize
1KB

MD5
400d13fd2d9121e91947c6ae76f0fb7d

SHA1
012df3c31315cb2b0c9b3534b83115280e95715f

SHA256
b24b9f4774011a890bd893bd2a0a283858d1a3a2421eb677f613f12fa217fbf3

SHA512
7f0c531a23e85204c3adb34f7c7e1ad06860c11cdbbc90a35e346686ef1aff3303ec40dfa51a7352c120fff0abc80ef7dd40bfa374d61ce0cedd303b56ec8056

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzy0wfxk\zzy0wfxk.dll

Filesize
41KB

MD5
338438a029b7ddce3c17aa5b7547ca8c

SHA1
e81b34dcbf0567021ad58952a9afc655bdfa7b7f

SHA256
3dba16b55bdc0f0dcdb06f6eb6bf7e2cbb374c99d930db09e6ef71787edc8fa5

SHA512
ba0c01c54bbc3733c1719e4ae9f47e5bef7d60a607a703e0b8f98b70c31f072a3150f12489e81c58a5c38a049ca4796f168b905a11cfb82c63572a0eb6433344

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zzy0wfxk\CSC821CC5163B9B432A98732BA6987CA2.TMP

Filesize
652B

MD5
002e3cce3824f8d4cb156aebbb68e31f

SHA1
921abfa15a306cf70ba4e5a7c1e8f0ee895db9ac

SHA256
44c063a8debf37e794b26d5dfe9376f0edd1c4b204b43fb6f311b1109a1c321b

SHA512
e9c51e6fc24548f813c6d04721ff97a5371bd1b853fb3215ec96513810fdf62b3e5dbd22fc756112237ae103a8ab29bc0551d3165b827772e38a34dbf3a93be1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zzy0wfxk\zzy0wfxk.0.cs

Filesize
101KB

MD5
9e67e68b66e4f47ea3c120085adf937c

SHA1
f14effd191647b8dc4599aabd87273510e7c4e98

SHA256
61452bfbedb04b6f0f8560ca40c99e3adc1802d20df5a64f7467f83f83af38e9

SHA512
2e8929a5758633ab4293924233ff7e0b5f31e722c2aafe0fc83ed2bc89efab43e719e6b5815a010070cb938da3f26af6937db1cc9de610b64233ab34a9981b7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zzy0wfxk\zzy0wfxk.cmdline

Filesize
204B

MD5
cbb3dc876f57f5895dc7d29e692315ba

SHA1
eaa02e741a16a5168777c8b640c14fbbf2236ad7

SHA256
040f384fdfebbb4206e2b4f4905f28151be573bfc07aa55e92689db05e799946

SHA512
285266bb3eb7efc441908b0bb3c0de999e3ade3e7aa29f282459415189e7d6b9fa7517ac865502e4892153d3ef4909b944339db933b406d74778a76648d1fa4a

Download Submit
memory/3672-21-0x0000000005310000-0x00000000053AC000-memory.dmp

Filesize
624KB

Download
memory/3672-24-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/3672-27-0x00000000069C0000-0x0000000006F64000-memory.dmp

Filesize
5.6MB

Download
memory/3672-26-0x0000000006370000-0x0000000006402000-memory.dmp

Filesize
584KB

Download
memory/3672-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3672-25-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/3672-20-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/3672-23-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/3672-22-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/4932-0-0x000000007516E000-0x000000007516F000-memory.dmp

Filesize
4KB

Download
memory/4932-5-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/4932-19-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/4932-15-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/4932-1-0x0000000000070000-0x00000000000C0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing