xworm | 326cf06d90f11f9d0dcbb02e69bdab30635dbbabbda6c886dde897207f019d9d

Analysis

max time kernel
30s
max time network
31s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-11-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FULLOPTION CRACK BY MELT V2.1.exe
Size

4.0MB
MD5

167b9c9fdac699b76270c7de1c5be79f
SHA1

1e30a9c99e3f9d04ab4a5964b209779700df5cf8
SHA256

326cf06d90f11f9d0dcbb02e69bdab30635dbbabbda6c886dde897207f019d9d
SHA512

1015c725d43251a40130929860305ba3cf54df417b5288820f89ca406e7f84400d372d77b0f5fbccd208f4d738c4d8b933488b3ce0fb47e37820932ef0343f1d
SSDEEP

98304:GL9E+Y76D/jak6xrxOEnzPca0n5rK/iS:C9a7C/pUr730nmi

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

45.141.26.214:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002900000004502d-6.dat	family_xworm
behavioral1/memory/1020-16-0x0000000000590000-0x00000000005AA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	FULLOPTION CRACK BY MELT V2.1.exe

Executes dropped EXE 2 IoCs

pid	Process
1020	svchost.exe
2556	FULLOPTION CRACK BY MELT V2.1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 1020	4456	FULLOPTION CRACK BY MELT V2.1.exe	81
PID 4456 wrote to memory of 1020	4456	FULLOPTION CRACK BY MELT V2.1.exe	81
PID 4456 wrote to memory of 2556	4456	FULLOPTION CRACK BY MELT V2.1.exe	83
PID 4456 wrote to memory of 2556	4456	FULLOPTION CRACK BY MELT V2.1.exe	83

C:\Users\Admin\AppData\Local\Temp\FULLOPTION CRACK BY MELT V2.1.exe
"C:\Users\Admin\AppData\Local\Temp\FULLOPTION CRACK BY MELT V2.1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4456
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
- C:\ProgramData\FULLOPTION CRACK BY MELT V2.1.exe
  "C:\ProgramData\FULLOPTION CRACK BY MELT V2.1.exe"
  2⤵
  - Executes dropped EXE
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FULLOPTION CRACK BY MELT V2.1.exe

Filesize
3.9MB

MD5
2f6e9c0dd1c6859a9d6e7acea1db9ac0

SHA1
b0dcd2be62b6a559e479de7745ab0988b8b30522

SHA256
122e3cb0f2ad233d1a364911d433667e7778f00d9a7d10b954c994f4e8093d1f

SHA512
fe3634f46afd5b45f0ffc721a18b5ef1b1344b548f90b8c54ea6995e3d64b7394b56c681b1a0522b67e862fce9d8333b621612a2f03708e7dbc917a28c58c15d

Download Submit
C:\ProgramData\svchost.exe

Filesize
79KB

MD5
fc169ccc1b8b979ce630bf8acfc59cdb

SHA1
d3dd2694f2851647e57a7844298f4419a60234dc

SHA256
eef534add9f267cea96058b9b94790eef11768cd51cc0e3c7744ab3913a278fa

SHA512
3a3e631d966b39df400203b3f51b4760f528fa967390deedd033f1fab713d3651f6f0642b3105d0708b147591e46d7a8640c668b5da70a8aac97018b18c0fa77

Download Submit
memory/1020-16-0x0000000000590000-0x00000000005AA000-memory.dmp

Filesize
104KB

Download
memory/1020-23-0x00007FFB6B5F0000-0x00007FFB6C0B2000-memory.dmp

Filesize
10.8MB

Download
memory/1020-30-0x00007FFB6B5F0000-0x00007FFB6C0B2000-memory.dmp

Filesize
10.8MB

Download
memory/4456-0-0x00007FFB6B5F3000-0x00007FFB6B5F5000-memory.dmp

Filesize
8KB

Download
memory/4456-1-0x0000000000290000-0x000000000068E000-memory.dmp

Filesize
4.0MB

Download