xworm | d7cd72ec3e5d8d84b48e8ed4afa16b439ae5239b49c8de1c384a8e9e41216ca8

Analysis

max time kernel
96s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

แทงปิดตัวชุบ_CRACKED.exe
Size

784KB
MD5

730cb7a48694edb6f98f2124e2bd2b87
SHA1

8a30859731dae02efcbda2c4595adbfe79a79ff7
SHA256

d7cd72ec3e5d8d84b48e8ed4afa16b439ae5239b49c8de1c384a8e9e41216ca8
SHA512

2ba6e6c4568a1502390dd1bf1c977667ce1c01fd39d8464a6a5d7e30430d9a13fda6d62b48953c9c5a3bcb257de8270ad68b3069b11302b7f53b5c53eb0cf616
SSDEEP

12288:orCq4krfi+b1jZGNnFTUmEogsFEcFGxwpoWx2W4GMCqRVyuz4762Qx0gy+9KX3+:eb9ZsUmEo1KMjx2whJ2KgYH+

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

85.203.4.149:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b21-6.dat	family_xworm
behavioral2/files/0x000a000000023b75-17.dat	family_xworm
behavioral2/memory/4344-44-0x00000000004F0000-0x0000000000508000-memory.dmp	family_xworm
behavioral2/memory/1788-43-0x0000000000D90000-0x0000000000DAC000-memory.dmp	family_xworm
behavioral2/memory/4504-37-0x0000000000DD0000-0x0000000000DE6000-memory.dmp	family_xworm
behavioral2/files/0x0031000000023b76-36.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	แทงปิดตัวชุบ_CRACKED.exe

Executes dropped EXE 4 IoCs

pid	Process
4344	System.exe
4504	svchost.exe
1788	winlogon.exe
1740	loader.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1860	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe
1740	loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	svchost.exe
Token: SeDebugPrivilege	1788	winlogon.exe
Token: SeDebugPrivilege	4344	System.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 4344	1940	แทงปิดตัวชุบ_CRACKED.exe	83
PID 1940 wrote to memory of 4344	1940	แทงปิดตัวชุบ_CRACKED.exe	83
PID 1940 wrote to memory of 4504	1940	แทงปิดตัวชุบ_CRACKED.exe	84
PID 1940 wrote to memory of 4504	1940	แทงปิดตัวชุบ_CRACKED.exe	84
PID 1940 wrote to memory of 1788	1940	แทงปิดตัวชุบ_CRACKED.exe	85
PID 1940 wrote to memory of 1788	1940	แทงปิดตัวชุบ_CRACKED.exe	85
PID 1940 wrote to memory of 1740	1940	แทงปิดตัวชุบ_CRACKED.exe	86
PID 1940 wrote to memory of 1740	1940	แทงปิดตัวชุบ_CRACKED.exe	86
PID 1740 wrote to memory of 2088	1740	loader.exe	88
PID 1740 wrote to memory of 2088	1740	loader.exe	88
PID 2088 wrote to memory of 1540	2088	cmd.exe	89
PID 2088 wrote to memory of 1540	2088	cmd.exe	89
PID 2088 wrote to memory of 1992	2088	cmd.exe	90
PID 2088 wrote to memory of 1992	2088	cmd.exe	90
PID 2088 wrote to memory of 3736	2088	cmd.exe	91
PID 2088 wrote to memory of 3736	2088	cmd.exe	91
PID 1740 wrote to memory of 3012	1740	loader.exe	106
PID 1740 wrote to memory of 3012	1740	loader.exe	106
PID 1740 wrote to memory of 2416	1740	loader.exe	108
PID 1740 wrote to memory of 2416	1740	loader.exe	108
PID 2416 wrote to memory of 1292	2416	cmd.exe	109
PID 2416 wrote to memory of 1292	2416	cmd.exe	109
PID 1292 wrote to memory of 1860	1292	cmd.exe	113
PID 1292 wrote to memory of 1860	1292	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\แทงปิดตัวชุบ_CRACKED.exe
"C:\Users\Admin\AppData\Local\Temp\แทงปิดตัวชุบ_CRACKED.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Roaming\System.exe
  "C:\Users\Admin\AppData\Roaming\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Users\Admin\AppData\Roaming\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Users\Admin\AppData\Roaming\loader.exe
  "C:\Users\Admin\AppData\Roaming\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Roaming\loader.exe" MD5
      4⤵
      PID:1540
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:1992
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Session not found. Use latest code. You can only have app opened 1 at a time. && timeout /t 5"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\system32\cmd.exe
      cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Session not found. Use latest code. You can only have app opened 1 at a time. && timeout /t 5"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\System.exe

Filesize
70KB

MD5
fff86a6313864de8b7b9935ecb7754f4

SHA1
972218085130a313e78d65065509c29dafb6ed99

SHA256
140085a75f2e864e0d8572575f1a46c52b423da6cb63f7cfc5adec13eff708a1

SHA512
ba28e5a3ccd1ddca02bb490811b5be89c87a34f0cb10e1937a420d04f366c69f409067fb5501745cd25c0b510bce697d834c2cc8dcbc61dd25f7e42fb77ee9c5

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe

Filesize
554KB

MD5
b2a5a5592efed3e8e66429e9a02b6c49

SHA1
52e2f194fb00dfbc63b99af0bf7cbf8bcb57584f

SHA256
da94706aefcb3290609dc7f2049a6da5ea1238c4263820b7110fb09e54a552ec

SHA512
ccfb8f6662f772dc8abcebfff73a0e14330626cbf339753f56de6acca0301711f3808bbc7f4b319cb4a0ba6b9b22ea106b86f0530ecf3c131b04aa9c11099bda

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
66KB

MD5
05d84c18651012dfe6f3bcfb45e572e9

SHA1
c3e494e7889a2fa06b10c146f1317a8475b259b3

SHA256
969229eb42b0794f99f50c4d945ce9a7a9283ba97da3c30216127dc151dde23d

SHA512
ac17ffba8ab53adc0c6c6eea865c610647b5dff99943b45ee8cb4ca4f4a09306bd5ad0f1bebeb221812a1416b01675944f508823082bdff79ed7f04352a884ea

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
83KB

MD5
6beeaf93fec0ba8b2e13051e88f6fabd

SHA1
e9fe3513d1f197ba7dc8ce4d2b4d1088bf126189

SHA256
96b89ef1c491eb677624b9247af8f3abb45f265c8a11c8b3c8d347441c75f455

SHA512
f108fcaa01f63c84dfa3a06cc29e32885700d101e4315616b9ea8fd0803a1dfb4e71e650520499874d0268a392d9d8b639327051b1350972cfea23ca9b85ce99

Download Submit
memory/1788-43-0x0000000000D90000-0x0000000000DAC000-memory.dmp

Filesize
112KB

Download
memory/1940-48-0x00007FFC4D680000-0x00007FFC4D71E000-memory.dmp

Filesize
632KB

Download
memory/1940-0-0x00007FFC4D680000-0x00007FFC4D71E000-memory.dmp

Filesize
632KB

Download
memory/1940-1-0x0000000000D60000-0x0000000000E2A000-memory.dmp

Filesize
808KB

Download
memory/4344-44-0x00000000004F0000-0x0000000000508000-memory.dmp

Filesize
96KB

Download
memory/4344-30-0x00007FFC4D680000-0x00007FFC4D71E000-memory.dmp

Filesize
632KB

Download
memory/4344-51-0x00007FFC4D680000-0x00007FFC4D71E000-memory.dmp

Filesize
632KB

Download
memory/4504-38-0x00007FFC4D680000-0x00007FFC4D71E000-memory.dmp

Filesize
632KB

Download
memory/4504-37-0x0000000000DD0000-0x0000000000DE6000-memory.dmp

Filesize
88KB

Download
memory/4504-50-0x00007FFC4D680000-0x00007FFC4D71E000-memory.dmp

Filesize
632KB

Download