xworm | d7cd72ec3e5d8d84b48e8ed4afa16b439ae5239b49c8de1c384a8e9e41216ca8

Analysis

max time kernel
35s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

แทงปิดตัวชุบ_CRACKED.exe
Size

784KB
MD5

730cb7a48694edb6f98f2124e2bd2b87
SHA1

8a30859731dae02efcbda2c4595adbfe79a79ff7
SHA256

d7cd72ec3e5d8d84b48e8ed4afa16b439ae5239b49c8de1c384a8e9e41216ca8
SHA512

2ba6e6c4568a1502390dd1bf1c977667ce1c01fd39d8464a6a5d7e30430d9a13fda6d62b48953c9c5a3bcb257de8270ad68b3069b11302b7f53b5c53eb0cf616
SSDEEP

12288:orCq4krfi+b1jZGNnFTUmEogsFEcFGxwpoWx2W4GMCqRVyuz4762Qx0gy+9KX3+:eb9ZsUmEo1KMjx2whJ2KgYH+

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

85.203.4.149:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000f0000000139a5-5.dat	family_xworm
behavioral1/memory/2500-9-0x00000000001B0000-0x00000000001C8000-memory.dmp	family_xworm
behavioral1/files/0x000a00000001739b-11.dat	family_xworm
behavioral1/files/0x00080000000173b2-18.dat	family_xworm
behavioral1/memory/1428-16-0x0000000000380000-0x0000000000396000-memory.dmp	family_xworm
behavioral1/memory/3064-24-0x0000000000BF0000-0x0000000000C0C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 4 IoCs

pid	Process
2500	System.exe
1428	svchost.exe
3064	winlogon.exe
2668	loader.exe

Loads dropped DLL 1 IoCs

pid	Process
1628	แทงปิดตัวชุบ_CRACKED.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com
13	ip-api.com
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe
2668	loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	svchost.exe
Token: SeDebugPrivilege	2500	System.exe
Token: SeDebugPrivilege	3064	winlogon.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2500	1628	แทงปิดตัวชุบ_CRACKED.exe	31
PID 1628 wrote to memory of 2500	1628	แทงปิดตัวชุบ_CRACKED.exe	31
PID 1628 wrote to memory of 2500	1628	แทงปิดตัวชุบ_CRACKED.exe	31
PID 1628 wrote to memory of 1428	1628	แทงปิดตัวชุบ_CRACKED.exe	32
PID 1628 wrote to memory of 1428	1628	แทงปิดตัวชุบ_CRACKED.exe	32
PID 1628 wrote to memory of 1428	1628	แทงปิดตัวชุบ_CRACKED.exe	32
PID 1628 wrote to memory of 3064	1628	แทงปิดตัวชุบ_CRACKED.exe	33
PID 1628 wrote to memory of 3064	1628	แทงปิดตัวชุบ_CRACKED.exe	33
PID 1628 wrote to memory of 3064	1628	แทงปิดตัวชุบ_CRACKED.exe	33
PID 1628 wrote to memory of 2668	1628	แทงปิดตัวชุบ_CRACKED.exe	34
PID 1628 wrote to memory of 2668	1628	แทงปิดตัวชุบ_CRACKED.exe	34
PID 1628 wrote to memory of 2668	1628	แทงปิดตัวชุบ_CRACKED.exe	34
PID 2668 wrote to memory of 2684	2668	loader.exe	36
PID 2668 wrote to memory of 2684	2668	loader.exe	36
PID 2668 wrote to memory of 2684	2668	loader.exe	36
PID 2684 wrote to memory of 2568	2684	cmd.exe	37
PID 2684 wrote to memory of 2568	2684	cmd.exe	37
PID 2684 wrote to memory of 2568	2684	cmd.exe	37
PID 2684 wrote to memory of 2288	2684	cmd.exe	38
PID 2684 wrote to memory of 2288	2684	cmd.exe	38
PID 2684 wrote to memory of 2288	2684	cmd.exe	38
PID 2684 wrote to memory of 2676	2684	cmd.exe	39
PID 2684 wrote to memory of 2676	2684	cmd.exe	39
PID 2684 wrote to memory of 2676	2684	cmd.exe	39
PID 2668 wrote to memory of 840	2668	loader.exe	41
PID 2668 wrote to memory of 840	2668	loader.exe	41
PID 2668 wrote to memory of 840	2668	loader.exe	41

C:\Users\Admin\AppData\Local\Temp\แทงปิดตัวชุบ_CRACKED.exe
"C:\Users\Admin\AppData\Local\Temp\แทงปิดตัวชุบ_CRACKED.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Roaming\System.exe
  "C:\Users\Admin\AppData\Roaming\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Users\Admin\AppData\Roaming\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Users\Admin\AppData\Roaming\loader.exe
  "C:\Users\Admin\AppData\Roaming\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Roaming\loader.exe" MD5
      4⤵
      PID:2568
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2288
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\System.exe

Filesize
70KB

MD5
fff86a6313864de8b7b9935ecb7754f4

SHA1
972218085130a313e78d65065509c29dafb6ed99

SHA256
140085a75f2e864e0d8572575f1a46c52b423da6cb63f7cfc5adec13eff708a1

SHA512
ba28e5a3ccd1ddca02bb490811b5be89c87a34f0cb10e1937a420d04f366c69f409067fb5501745cd25c0b510bce697d834c2cc8dcbc61dd25f7e42fb77ee9c5

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
66KB

MD5
05d84c18651012dfe6f3bcfb45e572e9

SHA1
c3e494e7889a2fa06b10c146f1317a8475b259b3

SHA256
969229eb42b0794f99f50c4d945ce9a7a9283ba97da3c30216127dc151dde23d

SHA512
ac17ffba8ab53adc0c6c6eea865c610647b5dff99943b45ee8cb4ca4f4a09306bd5ad0f1bebeb221812a1416b01675944f508823082bdff79ed7f04352a884ea

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
83KB

MD5
6beeaf93fec0ba8b2e13051e88f6fabd

SHA1
e9fe3513d1f197ba7dc8ce4d2b4d1088bf126189

SHA256
96b89ef1c491eb677624b9247af8f3abb45f265c8a11c8b3c8d347441c75f455

SHA512
f108fcaa01f63c84dfa3a06cc29e32885700d101e4315616b9ea8fd0803a1dfb4e71e650520499874d0268a392d9d8b639327051b1350972cfea23ca9b85ce99

Download Submit
\Users\Admin\AppData\Roaming\loader.exe

Filesize
554KB

MD5
b2a5a5592efed3e8e66429e9a02b6c49

SHA1
52e2f194fb00dfbc63b99af0bf7cbf8bcb57584f

SHA256
da94706aefcb3290609dc7f2049a6da5ea1238c4263820b7110fb09e54a552ec

SHA512
ccfb8f6662f772dc8abcebfff73a0e14330626cbf339753f56de6acca0301711f3808bbc7f4b319cb4a0ba6b9b22ea106b86f0530ecf3c131b04aa9c11099bda

Download Submit
memory/1428-16-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/1628-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/1628-1-0x0000000000880000-0x000000000094A000-memory.dmp

Filesize
808KB

Download
memory/2500-9-0x00000000001B0000-0x00000000001C8000-memory.dmp

Filesize
96KB

Download
memory/2500-26-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2500-27-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-24-0x0000000000BF0000-0x0000000000C0C000-memory.dmp

Filesize
112KB

Download