Malware Analysis Report

2025-08-11 07:49

Sample ID 241029-1xw1ns1anc
Target X-PROJECT.exe
SHA256 cb30232f405584a8cafc49eb0a44fafa1ef2849d3ebb4281bdad8322258af295
Tags
xworm rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb30232f405584a8cafc49eb0a44fafa1ef2849d3ebb4281bdad8322258af295

Threat Level: Known bad

The file X-PROJECT.exe was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Detect Xworm Payload

Xworm

Xworm family

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 22:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 22:02

Reported

2024-10-29 22:02

Platform

win7-20240903-en

Max time kernel

16s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Xworm family

xworm

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2712 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe | C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe | C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe | C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2712 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2712 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2316 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2316 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2316 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2316 wrote to memory of 1548 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 2316 wrote to memory of 1548 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 2316 wrote to memory of 1548 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 2316 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2316 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2316 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe

"C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\X-PROJECT.bat" "

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"

C:\Windows\system32\mode.com

Mode 100,22

C:\Windows\system32\chcp.com

chcp 65001

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

memory/2712-0-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

memory/2712-1-0x0000000000FA0000-0x0000000000FC6000-memory.dmp

C:\Users\Admin\AppData\Roaming\X-PROJECT.bat

MD5 c88dac6ec8ab0a19fda1d61924e2802d
SHA1 d76355d70e0e6e0240b354e32d14579f2d1d05e6
SHA256 a89e1d77795e91c62c1157838c6bbff7805ab63b1946039c8ef489237a7c8d86
SHA512 d60003601c6069de6930c47a63bcdc3d3216180da3e3d2e8315c8ec19ff117eeba6d8407d8ff1fb7c3fc1e1a1005534f4d9f5cd4c464a6305069674d9ed2e810

memory/2576-15-0x0000000000820000-0x0000000000838000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 ae702d156a2ee10aa0df4e5a365654a1
SHA1 bad92787d53da53bda2f180f770752e679ba80c0
SHA256 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
SHA512 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c

memory/2576-17-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

memory/2576-18-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

memory/2576-19-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-29 22:02

Reported

2024-10-29 22:02

Platform

win10v2004-20241007-en

Max time kernel

30s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe

"C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\X-PROJECT.bat" "

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"

C:\Windows\system32\mode.com

Mode 100,22

C:\Windows\system32\chcp.com

chcp 65001

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp

Files

memory/4380-0-0x00007FFEAA393000-0x00007FFEAA395000-memory.dmp

memory/4380-1-0x0000000000F20000-0x0000000000F46000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 ae702d156a2ee10aa0df4e5a365654a1
SHA1 bad92787d53da53bda2f180f770752e679ba80c0
SHA256 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
SHA512 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c

memory/4744-17-0x0000000000AB0000-0x0000000000AC8000-memory.dmp

C:\Users\Admin\AppData\Roaming\X-PROJECT.bat

MD5 c88dac6ec8ab0a19fda1d61924e2802d
SHA1 d76355d70e0e6e0240b354e32d14579f2d1d05e6
SHA256 a89e1d77795e91c62c1157838c6bbff7805ab63b1946039c8ef489237a7c8d86
SHA512 d60003601c6069de6930c47a63bcdc3d3216180da3e3d2e8315c8ec19ff117eeba6d8407d8ff1fb7c3fc1e1a1005534f4d9f5cd4c464a6305069674d9ed2e810

memory/4744-19-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp

memory/4744-20-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp