xworm | 518bcb384a8be295dacd2516beaaf18dd8b0c081bcb7bdc4a66bb27b393bf97b

Analysis

max time kernel
30s
max time network
13s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09/11/2024, 00:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

FullOption_2.1.exe
Size

4.0MB
MD5

9ec7934c2dd0ea95b8a3f7081ae2b9fa
SHA1

4e6807ebbee7490d2188fe1b3332a0a5cec053b0
SHA256

518bcb384a8be295dacd2516beaaf18dd8b0c081bcb7bdc4a66bb27b393bf97b
SHA512

a6d8fab2a3a6e9ab4ddfa81dffa1105c34dfd9cb3ae8093c475465f02678dc288935a866df060605163f1733afb0ee6d7f8e6515e6d4bfd457c1c8d38f613bfd
SSDEEP

98304:9rN+Jkbu8xFUvvU8nbRg3F7Nc1/m7XDjPzeLDRfF:xNZbXxeHU8bK17C/m7XDjzeLDR

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

85.203.4.149:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000004478e-6.dat	family_xworm
behavioral1/memory/1516-16-0x0000000000BE0000-0x0000000000BF6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	FullOption_2.1.exe

Executes dropped EXE 2 IoCs

pid	Process
1516	svchost.exe
3408	FullOption_2.1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 1516	4052	FullOption_2.1.exe	83
PID 4052 wrote to memory of 1516	4052	FullOption_2.1.exe	83
PID 4052 wrote to memory of 3408	4052	FullOption_2.1.exe	84
PID 4052 wrote to memory of 3408	4052	FullOption_2.1.exe	84

C:\Users\Admin\AppData\Local\Temp\FullOption_2.1.exe
"C:\Users\Admin\AppData\Local\Temp\FullOption_2.1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Users\Admin\AppData\Roaming\FullOption_2.1.exe
  "C:\Users\Admin\AppData\Roaming\FullOption_2.1.exe"
  2⤵
  - Executes dropped EXE
  PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FullOption_2.1.exe

Filesize
3.9MB

MD5
2f6e9c0dd1c6859a9d6e7acea1db9ac0

SHA1
b0dcd2be62b6a559e479de7745ab0988b8b30522

SHA256
122e3cb0f2ad233d1a364911d433667e7778f00d9a7d10b954c994f4e8093d1f

SHA512
fe3634f46afd5b45f0ffc721a18b5ef1b1344b548f90b8c54ea6995e3d64b7394b56c681b1a0522b67e862fce9d8333b621612a2f03708e7dbc917a28c58c15d

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
66KB

MD5
05d84c18651012dfe6f3bcfb45e572e9

SHA1
c3e494e7889a2fa06b10c146f1317a8475b259b3

SHA256
969229eb42b0794f99f50c4d945ce9a7a9283ba97da3c30216127dc151dde23d

SHA512
ac17ffba8ab53adc0c6c6eea865c610647b5dff99943b45ee8cb4ca4f4a09306bd5ad0f1bebeb221812a1416b01675944f508823082bdff79ed7f04352a884ea

Download Submit
memory/1516-16-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

Filesize
88KB

Download
memory/1516-28-0x00007FFF50040000-0x00007FFF50B02000-memory.dmp

Filesize
10.8MB

Download
memory/1516-30-0x00007FFF50040000-0x00007FFF50B02000-memory.dmp

Filesize
10.8MB

Download
memory/4052-0-0x00007FFF50043000-0x00007FFF50045000-memory.dmp

Filesize
8KB

Download
memory/4052-1-0x0000000000E30000-0x000000000122A000-memory.dmp

Filesize
4.0MB

Download