xworm | e03e0c1d95dbafd94c174b191e42d946b8325b5a3bacf840ffbe95ae6608bf03

Analysis

max time kernel
30s
max time network
19s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-11-2024 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BITXGOD_Crack_Rank1_Fix1.exe
Size

7.9MB
MD5

f6e77b8c7939a65dd8ff319c67298aac
SHA1

467aa64fc82ec6628461c7f2d763a862de336346
SHA256

e03e0c1d95dbafd94c174b191e42d946b8325b5a3bacf840ffbe95ae6608bf03
SHA512

0e81858a6215736960b61022017bf65829652fe3875c88a1762136f14789f4c9fbe07e075fb75238c29c23d0982bd28e20f7dd056b6b8068b307966211527d1f
SSDEEP

196608:sXiMd8bcxr/tkK9WshVu2xZ3FyrkZYqiET8X:sZd8Or/mKp7u2LcwZYqiN

Score

10^/10

xworm rat trojan vmprotect

Malware Config

Extracted

Family

xworm

85.203.4.149:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000004475c-14.dat	family_xworm
behavioral1/memory/5096-16-0x00000000006F0000-0x0000000000708000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	BITXGOD_Crack_Rank1_Fix1.exe

Executes dropped EXE 2 IoCs

pid	Process
5096	svchost.exe
5044	BITXGOD_Crack_Rank1_Fix1.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0028000000045079-21.dat	vmprotect

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 5096	1464	BITXGOD_Crack_Rank1_Fix1.exe	82
PID 1464 wrote to memory of 5096	1464	BITXGOD_Crack_Rank1_Fix1.exe	82
PID 1464 wrote to memory of 5044	1464	BITXGOD_Crack_Rank1_Fix1.exe	83
PID 1464 wrote to memory of 5044	1464	BITXGOD_Crack_Rank1_Fix1.exe	83

C:\Users\Admin\AppData\Local\Temp\BITXGOD_Crack_Rank1_Fix1.exe
"C:\Users\Admin\AppData\Local\Temp\BITXGOD_Crack_Rank1_Fix1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1464
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\ProgramData\BITXGOD_Crack_Rank1_Fix1.exe
  "C:\ProgramData\BITXGOD_Crack_Rank1_Fix1.exe"
  2⤵
  - Executes dropped EXE
  PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BITXGOD_Crack_Rank1_Fix1.exe

Filesize
7.8MB

MD5
0bf7dcd8d5fcf68a0a14b0ee18c1c3d2

SHA1
d777acec3ea61b6f6b956e47f9853e549755ba96

SHA256
2fc402ae9259cd247031a9a45f8a0d00c5c59f9f64f404617d8f8a6b55a60e52

SHA512
2ae84eafdfacf488d2bd82acf4c2474f2f01cc0ab59e19c4287408f570c35c2428cb3dadcf54040acb300f702b37522572cee5480cd0f9c68638f301a06bfcd0

Download Submit
C:\ProgramData\svchost.exe

Filesize
73KB

MD5
a85dd5e8817d7d7027496450b609c35d

SHA1
f7045eab4bcb8a557efc4b08630be324f791d45b

SHA256
7298148e9b7339323d19babc0b1408f3a680d777c7de5680b0bb898987e5ef9b

SHA512
1712c6bb38bd748bd83bf79610f8b398126a358c944d9c881f126e94630e4c30477e2101f786c3355bd91727be8da10ea9820a9f18f17023ec8eea40f81260ac

Download Submit
memory/1464-0-0x00007FFF2A3B3000-0x00007FFF2A3B5000-memory.dmp

Filesize
8KB

Download
memory/1464-1-0x0000000000910000-0x00000000010F4000-memory.dmp

Filesize
7.9MB

Download
memory/5096-16-0x00000000006F0000-0x0000000000708000-memory.dmp

Filesize
96KB

Download
memory/5096-29-0x00007FFF2A3B0000-0x00007FFF2AE72000-memory.dmp

Filesize
10.8MB

Download
memory/5096-33-0x00007FFF2A3B0000-0x00007FFF2AE72000-memory.dmp

Filesize
10.8MB

Download