xworm | 01565baa85ddb4b7034c620d9428024b43ae2375b8311e84aa7f06b91cc2c414

General

Target

yr.exe
Size

295KB
MD5

2b6b02943108b009beff18a6001aa8d5
SHA1

3bcaf5f750f36421a234de0423491d9e908ee70e
SHA256

01565baa85ddb4b7034c620d9428024b43ae2375b8311e84aa7f06b91cc2c414
SHA512

9e32a5a6ea07dc8899b66a07f2f78df6cab8c7cbc8fe36e8395bc2df11bedfefbdf6c350bb685730b2c4f75340e92af9c505f0c96120f2b1d5a473329d782563
SSDEEP

6144:ztphTL2ojyoWcUnqaok6vfdUkD4LxG3yat6mfourGr/x+2bMq6YH+zBGh5KihRGf:ztPTL2ojyoWcUnqaok6vfdUkD4LxG3yq

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.57.221:4414

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022b38-14.dat	family_xworm
behavioral2/memory/1940-15-0x0000000005140000-0x0000000005150000-memory.dmp	family_xworm
behavioral2/memory/4944-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 4944	1940	yr.exe	94

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4944	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 3968	1940	yr.exe	91
PID 1940 wrote to memory of 3968	1940	yr.exe	91
PID 1940 wrote to memory of 3968	1940	yr.exe	91
PID 3968 wrote to memory of 5748	3968	csc.exe	93
PID 3968 wrote to memory of 5748	3968	csc.exe	93
PID 3968 wrote to memory of 5748	3968	csc.exe	93
PID 1940 wrote to memory of 4944	1940	yr.exe	94
PID 1940 wrote to memory of 4944	1940	yr.exe	94
PID 1940 wrote to memory of 4944	1940	yr.exe	94
PID 1940 wrote to memory of 4944	1940	yr.exe	94
PID 1940 wrote to memory of 4944	1940	yr.exe	94
PID 1940 wrote to memory of 4944	1940	yr.exe	94
PID 1940 wrote to memory of 4944	1940	yr.exe	94
PID 1940 wrote to memory of 4944	1940	yr.exe	94

C:\Users\Admin\AppData\Local\Temp\yr.exe
"C:\Users\Admin\AppData\Local\Temp\yr.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5i5zezks\5i5zezks.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES433E.tmp" "c:\Users\Admin\AppData\Local\Temp\5i5zezks\CSC5FDCA8C9BD04BB384C768B6D1234B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5i5zezks\5i5zezks.dll

Filesize
41KB

MD5
c814827d12f0c7918603ad914fd5d5cc

SHA1
fb14d8f39d9a0e8f8b3cebc221abe1ff51955d53

SHA256
5e728056d4b71ad436b111e93e530575dcd447d62fa9b142fc8d4fc59a8572de

SHA512
59d8d9645b7898d976049952c4e139f0616d770411af4c2caf39fd8351993504683361978a5ce2ff19ed6f0ca9a818ccbacd7f3a6fa772c34d47549859ddb575

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES433E.tmp

Filesize
1KB

MD5
1fac58db81538ec496ec13b9536fdd51

SHA1
9e734829022498cc4c73efc9a76c0a3ef6dcf227

SHA256
cd0307441ee716dc1a6b90f7a91e5e9934856ed0de408e24b7e917d3b841893f

SHA512
df7a18ad4c99221e612ca8053b14d1979db8e60a1057513cb2fa50135fe5a23651f43b4c84a92274d2ed9a0481146b035089cae69ab4127bc1327e9dbf537e40

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5i5zezks\5i5zezks.0.cs

Filesize
101KB

MD5
9e67e68b66e4f47ea3c120085adf937c

SHA1
f14effd191647b8dc4599aabd87273510e7c4e98

SHA256
61452bfbedb04b6f0f8560ca40c99e3adc1802d20df5a64f7467f83f83af38e9

SHA512
2e8929a5758633ab4293924233ff7e0b5f31e722c2aafe0fc83ed2bc89efab43e719e6b5815a010070cb938da3f26af6937db1cc9de610b64233ab34a9981b7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5i5zezks\5i5zezks.cmdline

Filesize
204B

MD5
388838d7ca7f9894bf7b5674e1de9120

SHA1
6053cb19110f5904f4220f0e5a8a05c6f2d9e1eb

SHA256
825c6f70b5eee1b19d0667df70d6cc590011b2687be0b6a5022e82ba4f73b57b

SHA512
c16e0ca2969e558537f6cceb8e4bda8a206fe5a6576c43f62f74b9fe993702364909797d9ee688fbd7a683fcde68fb1b0909d34d8f598fa6d4be47e38ffc8082

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5i5zezks\CSC5FDCA8C9BD04BB384C768B6D1234B.TMP

Filesize
652B

MD5
7b8b131eda1b1d8622b45d1bd0385270

SHA1
774ec9c21633683a9d464a4650ea25270687dae0

SHA256
f7a4f773b622cf3996de52129d6804f32e93791c66c14c318e711dc21c8f807d

SHA512
4576350112b3750eacc79f2a74a335d04063c2377405a464972b775c82beaef935a5be133391bf385c254b76a20d145ab63f913ed23f7715d5f6c1e4943cd208

Download Submit
memory/1940-15-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/1940-5-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-1-0x0000000000830000-0x0000000000880000-memory.dmp

Filesize
320KB

Download
memory/1940-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/1940-22-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4944-21-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4944-19-0x0000000004DC0000-0x0000000004E5C000-memory.dmp

Filesize
624KB

Download
memory/4944-20-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4944-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4944-23-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4944-24-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/4944-25-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4944-26-0x0000000005E90000-0x0000000005F22000-memory.dmp

Filesize
584KB

Download
memory/4944-27-0x00000000064E0000-0x0000000006A84000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing