Malware Analysis Report

2025-08-05 19:41

Sample ID 240402-qg2acaba4w
Target 9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b.zip
SHA256 b0a260a25e79fbd13b521cf03faa79a1ad2c85144be23b8aeb19ef7ff7113963
Tags xworm rat trojan
Score 10/10


Analysis Overview

Score 10/10
SHA256 b0a260a25e79fbd13b521cf03faa79a1ad2c85144be23b8aeb19ef7ff7113963

Threat Level: Known bad

The file 9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b.zip was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Xworm

Detect Xworm Payload

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported 2024-04-02 13:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-02 13:14
Reported 2024-04-02 13:17
Platform win10v2004-20240226-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Macro_Easy.exe | N/A
N/A | N/A | C:\ProgramData\s.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Macro_Easy.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\ProgramData\s.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b.exe

"C:\Users\Admin\AppData\Local\Temp\9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b.exe"

C:\ProgramData\Macro_Easy.exe

"C:\ProgramData\Macro_Easy.exe"

C:\ProgramData\s.exe

"C:\ProgramData\s.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.34.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.110.86.104.in-addr.arpa | udp
US | 8.8.8.8:53 |  | udp

Files

memory/4988-0-0x0000000000B90000-0x0000000000C00000-memory.dmp

C:\ProgramData\Macro_Easy.exe

MD5 d18b6490413f70ca609f3166bc99a91e
SHA1 252bb5b5082ca99ddbff5d3c44df3b37f314ce6b
SHA256 0a81479feb0ab55cde79ea66787f9db686b774c3a374fca280a74331b02a9649
SHA512 8188edbc14eb8bf05a0e9222527c4c5378c6b6eaeae21240cc50aeba8fc1f7a8310c852a27410b8faade5e821161e8663ee46d5c4b833a32beab0f145e820781

memory/4988-9-0x00007FF888440000-0x00007FF888F01000-memory.dmp

C:\ProgramData\s.exe

MD5 8df47fa5b39878fb3d17c6fff264e1a4
SHA1 425862283b0fb65ad75138203aa2d4fe331febd0
SHA256 829371e9f7b8108a3597cd80e432557069b217a1c3dd01b6d715597a82b611ee
SHA512 83435d70582e4493d0f4ef2bbf38931b2dc3a743fba82199c7e65dd295ad2d0f726df27beca041217c2d0b6a1e1c5c7902a74655efefaec089c0535974bce0a1

memory/4988-25-0x00007FF888440000-0x00007FF888F01000-memory.dmp

memory/3088-27-0x00007FF888440000-0x00007FF888F01000-memory.dmp

memory/3088-26-0x00000000003E0000-0x000000000043A000-memory.dmp

memory/1288-28-0x0000000075540000-0x0000000075AF1000-memory.dmp

memory/1288-29-0x0000000075540000-0x0000000075AF1000-memory.dmp

memory/1288-30-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

memory/1288-31-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

memory/3088-32-0x000000001B030000-0x000000001B040000-memory.dmp

memory/3088-33-0x00007FF888440000-0x00007FF888F01000-memory.dmp

memory/1288-34-0x0000000075540000-0x0000000075AF1000-memory.dmp

memory/1288-35-0x0000000075540000-0x0000000075AF1000-memory.dmp

memory/1288-36-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

memory/1288-37-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-02 13:14
Reported 2024-04-02 13:17
Platform win7-20240221-en
Max time kernel 118s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Macro_Easy.exe | N/A
N/A | N/A | C:\ProgramData\s.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Macro_Easy.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\ProgramData\s.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b.exe

"C:\Users\Admin\AppData\Local\Temp\9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b.exe"

C:\ProgramData\Macro_Easy.exe

"C:\ProgramData\Macro_Easy.exe"

C:\ProgramData\s.exe

"C:\ProgramData\s.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

memory/2164-0-0x0000000000350000-0x00000000003C0000-memory.dmp

memory/2164-1-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

C:\ProgramData\Macro_Easy.exe

MD5 d18b6490413f70ca609f3166bc99a91e
SHA1 252bb5b5082ca99ddbff5d3c44df3b37f314ce6b
SHA256 0a81479feb0ab55cde79ea66787f9db686b774c3a374fca280a74331b02a9649
SHA512 8188edbc14eb8bf05a0e9222527c4c5378c6b6eaeae21240cc50aeba8fc1f7a8310c852a27410b8faade5e821161e8663ee46d5c4b833a32beab0f145e820781

C:\ProgramData\s.exe

MD5 8df47fa5b39878fb3d17c6fff264e1a4
SHA1 425862283b0fb65ad75138203aa2d4fe331febd0
SHA256 829371e9f7b8108a3597cd80e432557069b217a1c3dd01b6d715597a82b611ee
SHA512 83435d70582e4493d0f4ef2bbf38931b2dc3a743fba82199c7e65dd295ad2d0f726df27beca041217c2d0b6a1e1c5c7902a74655efefaec089c0535974bce0a1

memory/2164-13-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

memory/2904-14-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

memory/2904-15-0x0000000000FF0000-0x000000000104A000-memory.dmp

memory/2152-16-0x0000000074A60000-0x000000007500B000-memory.dmp

memory/2152-17-0x0000000074A60000-0x000000007500B000-memory.dmp

memory/2152-18-0x0000000000420000-0x0000000000460000-memory.dmp

memory/2152-19-0x0000000000420000-0x0000000000460000-memory.dmp

memory/2152-20-0x0000000000420000-0x0000000000460000-memory.dmp

memory/2904-21-0x000000001ADD0000-0x000000001AE50000-memory.dmp

memory/2904-22-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

memory/2152-23-0x0000000074A60000-0x000000007500B000-memory.dmp

memory/2152-24-0x0000000000420000-0x0000000000460000-memory.dmp

memory/2152-25-0x0000000000420000-0x0000000000460000-memory.dmp

memory/2152-26-0x0000000000420000-0x0000000000460000-memory.dmp