xworm | 02f831b9005ec9d05ee53a84016aae91573bd25637929f944aadd8bae23e2bbc

Analysis

max time kernel
8s
max time network
8s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kdmapper.exe
Size

69KB
MD5

3a84ecb6d7aa88b870c5c03c278568cf
SHA1

7b5b6d52a716fb1b7185d906eecf39dcdf598b53
SHA256

02f831b9005ec9d05ee53a84016aae91573bd25637929f944aadd8bae23e2bbc
SHA512

bcf062a89bf7e5c881fc1c03efdc60d8948f11b470160aaa695bc2985e129f3b24123a61611b5af587d4f3319342a32323891389cac3e5a24ece6aa04877790c
SSDEEP

1536:7ZbYYNTBdvla2CHJ8bW07vzN9AJqt0sOOTs:ph1laHp8bW0LPWLsOOI

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

official-walks.gl.at.ply.gg:57776

Attributes

Install_directory
%AppData%
install_file
Winsxcrv645.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1684-1-0x0000000000DC0000-0x0000000000DD8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1684	kdmapper.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	kdmapper.exe
Token: SeDebugPrivilege	1684	kdmapper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1684	kdmapper.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2092	1684	kdmapper.exe	31
PID 1684 wrote to memory of 2092	1684	kdmapper.exe	31
PID 1684 wrote to memory of 2092	1684	kdmapper.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\kdmapper.exe
"C:\Users\Admin\AppData\Local\Temp\kdmapper.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Winsxcrv645" /tr "C:\Users\Admin\AppData\Roaming\Winsxcrv645.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/1684-1-0x0000000000DC0000-0x0000000000DD8000-memory.dmp

Filesize
96KB

Download
memory/1684-2-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download