Malware Analysis Report

2025-08-11 07:49

Sample ID 241029-1yjfzaskbr
Target 3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe
SHA256 c3673d01d7ccd2a3c7735b8b00b050f731e73af3feb6e5b14bf3689bf89b884c
Tags xworm rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 c3673d01d7ccd2a3c7735b8b00b050f731e73af3feb6e5b14bf3689bf89b884c

Threat Level: Known bad

The file 3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Detect Xworm Payload

Xworm

Xworm family

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-29 22:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-29 22:03
Reported 2024-10-29 22:04
Platform win10ltsc2021-20241023-en
Max time kernel 30s
Max time network 6s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3020 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2492 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2492 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2492 wrote to memory of 3228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2492 wrote to memory of 3228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2492 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2492 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2492 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2492 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2492 wrote to memory of 4652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2492 wrote to memory of 4652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com

Processes

C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe

"C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.bat" "

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\mode.com

mode 103,5

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\mode.com

mode 120,17

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 4.245.163.56:443 tcp

Files

memory/3020-0-0x00007FFA346C3000-0x00007FFA346C5000-memory.dmp

memory/3020-1-0x0000000000480000-0x000000000049C000-memory.dmp

C:\Users\Admin\AppData\Roaming\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.bat

MD5 1a29286ae9d746284b195a34811f5e89
SHA1 2418da95e35c84e8b922cd6c525463bab7e43a06
SHA256 061d3b55f7cfd4bd35e48768fb993a1444d5ed4990cda5ef813220715325f630
SHA512 370288124edecdfb611d65b93f2ed9c0205299653a0819d351b226a595c4a4fda636c50444d3bac2c43c4678119cf53b7c9e5d1bc69f16452be16eb720b90c07

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 ae702d156a2ee10aa0df4e5a365654a1
SHA1 bad92787d53da53bda2f180f770752e679ba80c0
SHA256 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
SHA512 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c

memory/4876-23-0x0000000000CA0000-0x0000000000CB8000-memory.dmp

memory/4876-25-0x00007FFA346C0000-0x00007FFA35182000-memory.dmp

memory/4876-26-0x00007FFA346C0000-0x00007FFA35182000-memory.dmp