xworm | 326cf06d90f11f9d0dcbb02e69bdab30635dbbabbda6c886dde897207f019d9d

Analysis

max time kernel
30s
max time network
32s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-11-2024 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FULLOPTION CRACK BY MELT V2.1 (1).exe
Size

4.0MB
MD5

167b9c9fdac699b76270c7de1c5be79f
SHA1

1e30a9c99e3f9d04ab4a5964b209779700df5cf8
SHA256

326cf06d90f11f9d0dcbb02e69bdab30635dbbabbda6c886dde897207f019d9d
SHA512

1015c725d43251a40130929860305ba3cf54df417b5288820f89ca406e7f84400d372d77b0f5fbccd208f4d738c4d8b933488b3ce0fb47e37820932ef0343f1d
SSDEEP

98304:GL9E+Y76D/jak6xrxOEnzPca0n5rK/iS:C9a7C/pUr730nmi

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

45.141.26.214:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00290000000450da-7.dat	family_xworm
behavioral1/memory/2224-16-0x00000000001D0000-0x00000000001EA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1324	powershell.exe
3604	powershell.exe
4848	powershell.exe
2348	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	FULLOPTION CRACK BY MELT V2.1 (1).exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2224	svchost.exe
1376	FULLOPTION CRACK BY MELT V2.1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1324	powershell.exe
1324	powershell.exe
3604	powershell.exe
3604	powershell.exe
4848	powershell.exe
4848	powershell.exe
2348	powershell.exe
2348	powershell.exe
2224	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeIncreaseQuotaPrivilege	1324	powershell.exe
Token: SeSecurityPrivilege	1324	powershell.exe
Token: SeTakeOwnershipPrivilege	1324	powershell.exe
Token: SeLoadDriverPrivilege	1324	powershell.exe
Token: SeSystemProfilePrivilege	1324	powershell.exe
Token: SeSystemtimePrivilege	1324	powershell.exe
Token: SeProfSingleProcessPrivilege	1324	powershell.exe
Token: SeIncBasePriorityPrivilege	1324	powershell.exe
Token: SeCreatePagefilePrivilege	1324	powershell.exe
Token: SeBackupPrivilege	1324	powershell.exe
Token: SeRestorePrivilege	1324	powershell.exe
Token: SeShutdownPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeSystemEnvironmentPrivilege	1324	powershell.exe
Token: SeRemoteShutdownPrivilege	1324	powershell.exe
Token: SeUndockPrivilege	1324	powershell.exe
Token: SeManageVolumePrivilege	1324	powershell.exe
Token: 33	1324	powershell.exe
Token: 34	1324	powershell.exe
Token: 35	1324	powershell.exe
Token: 36	1324	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeIncreaseQuotaPrivilege	3604	powershell.exe
Token: SeSecurityPrivilege	3604	powershell.exe
Token: SeTakeOwnershipPrivilege	3604	powershell.exe
Token: SeLoadDriverPrivilege	3604	powershell.exe
Token: SeSystemProfilePrivilege	3604	powershell.exe
Token: SeSystemtimePrivilege	3604	powershell.exe
Token: SeProfSingleProcessPrivilege	3604	powershell.exe
Token: SeIncBasePriorityPrivilege	3604	powershell.exe
Token: SeCreatePagefilePrivilege	3604	powershell.exe
Token: SeBackupPrivilege	3604	powershell.exe
Token: SeRestorePrivilege	3604	powershell.exe
Token: SeShutdownPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeSystemEnvironmentPrivilege	3604	powershell.exe
Token: SeRemoteShutdownPrivilege	3604	powershell.exe
Token: SeUndockPrivilege	3604	powershell.exe
Token: SeManageVolumePrivilege	3604	powershell.exe
Token: 33	3604	powershell.exe
Token: 34	3604	powershell.exe
Token: 35	3604	powershell.exe
Token: 36	3604	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeIncreaseQuotaPrivilege	4848	powershell.exe
Token: SeSecurityPrivilege	4848	powershell.exe
Token: SeTakeOwnershipPrivilege	4848	powershell.exe
Token: SeLoadDriverPrivilege	4848	powershell.exe
Token: SeSystemProfilePrivilege	4848	powershell.exe
Token: SeSystemtimePrivilege	4848	powershell.exe
Token: SeProfSingleProcessPrivilege	4848	powershell.exe
Token: SeIncBasePriorityPrivilege	4848	powershell.exe
Token: SeCreatePagefilePrivilege	4848	powershell.exe
Token: SeBackupPrivilege	4848	powershell.exe
Token: SeRestorePrivilege	4848	powershell.exe
Token: SeShutdownPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeSystemEnvironmentPrivilege	4848	powershell.exe
Token: SeRemoteShutdownPrivilege	4848	powershell.exe
Token: SeUndockPrivilege	4848	powershell.exe
Token: SeManageVolumePrivilege	4848	powershell.exe
Token: 33	4848	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2224	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2224	1932	FULLOPTION CRACK BY MELT V2.1 (1).exe	82
PID 1932 wrote to memory of 2224	1932	FULLOPTION CRACK BY MELT V2.1 (1).exe	82
PID 1932 wrote to memory of 1376	1932	FULLOPTION CRACK BY MELT V2.1 (1).exe	83
PID 1932 wrote to memory of 1376	1932	FULLOPTION CRACK BY MELT V2.1 (1).exe	83
PID 2224 wrote to memory of 1324	2224	svchost.exe	88
PID 2224 wrote to memory of 1324	2224	svchost.exe	88
PID 2224 wrote to memory of 3604	2224	svchost.exe	92
PID 2224 wrote to memory of 3604	2224	svchost.exe	92
PID 2224 wrote to memory of 4848	2224	svchost.exe	94
PID 2224 wrote to memory of 4848	2224	svchost.exe	94
PID 2224 wrote to memory of 2348	2224	svchost.exe	96
PID 2224 wrote to memory of 2348	2224	svchost.exe	96

C:\Users\Admin\AppData\Local\Temp\FULLOPTION CRACK BY MELT V2.1 (1).exe
"C:\Users\Admin\AppData\Local\Temp\FULLOPTION CRACK BY MELT V2.1 (1).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1932
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2348
- C:\ProgramData\FULLOPTION CRACK BY MELT V2.1.exe
  "C:\ProgramData\FULLOPTION CRACK BY MELT V2.1.exe"
  2⤵
  - Executes dropped EXE
  PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FULLOPTION CRACK BY MELT V2.1.exe

Filesize
3.9MB

MD5
2f6e9c0dd1c6859a9d6e7acea1db9ac0

SHA1
b0dcd2be62b6a559e479de7745ab0988b8b30522

SHA256
122e3cb0f2ad233d1a364911d433667e7778f00d9a7d10b954c994f4e8093d1f

SHA512
fe3634f46afd5b45f0ffc721a18b5ef1b1344b548f90b8c54ea6995e3d64b7394b56c681b1a0522b67e862fce9d8333b621612a2f03708e7dbc917a28c58c15d

Download Submit
C:\ProgramData\svchost.exe

Filesize
79KB

MD5
fc169ccc1b8b979ce630bf8acfc59cdb

SHA1
d3dd2694f2851647e57a7844298f4419a60234dc

SHA256
eef534add9f267cea96058b9b94790eef11768cd51cc0e3c7744ab3913a278fa

SHA512
3a3e631d966b39df400203b3f51b4760f528fa967390deedd033f1fab713d3651f6f0642b3105d0708b147591e46d7a8640c668b5da70a8aac97018b18c0fa77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d1b8bb34838ccf42d5f69e919b1612

SHA1
20e9df1f5dd5908ce1b537d158961e0b1674949e

SHA256
8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

SHA512
ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67ef0f14508f4a9afefb7d29af6df045

SHA1
dec3ac938341f94880e234cc14c03551d347376c

SHA256
d66c5d46d0e7fbecbccabccc861c245e8999cf38882453a9f905dcbecbf0af51

SHA512
8c6389063fdcfeed823bdbc888b7a1f429711c8061cf409e3987979d97386f76f4afe9b14dc32fd99cf15c627954d65f352f20d56958554ef9771f09c893d5a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7cf99ed8b0e39341a0d5ea76f3df3dbb

SHA1
07a5b3f40ef4a27adb58d726fb149f116c186e98

SHA256
af1e5d40be62aba949dabfee49fff69986dacc5ca0300a674d6b9e9b5deab695

SHA512
06ace96322a037f2d4cdb56633fe1e4ef3940dcb62d2797eb9fbafa55857b1f99ae9b5f4ce29200d4b310c46a7faa39c3028379bc9b430d680710f51c6e44601

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ndkmdz0r.ywq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1324-30-0x000001CDEA650000-0x000001CDEA672000-memory.dmp

Filesize
136KB

Download
memory/1932-0-0x00007FFB49E33000-0x00007FFB49E35000-memory.dmp

Filesize
8KB

Download
memory/1932-1-0x0000000000140000-0x000000000053E000-memory.dmp

Filesize
4.0MB

Download
memory/2224-27-0x00007FFB49E30000-0x00007FFB4A8F2000-memory.dmp

Filesize
10.8MB

Download
memory/2224-16-0x00000000001D0000-0x00000000001EA000-memory.dmp

Filesize
104KB

Download
memory/2224-80-0x00007FFB49E30000-0x00007FFB4A8F2000-memory.dmp

Filesize
10.8MB

Download