xworm | a50ef8bbeb3468b1eb76246551b98f0500e597c0a1d1cd552e9951cea572f6e0

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XHorionUPDATED/XHorionUPDATED/XHorion/XHorion.exe
Size

381KB
MD5

c32d172e5c95cf1aa5b4c613d80ed560
SHA1

1c035ac306f5f8f4456d3ecc1d3c8df94880d9db
SHA256

dfee0ccb7bec6a99d768fa48b0f604d8fc489a91622a51bcf892aca5a28e3459
SHA512

dc3687096cd0dbb095fadf2db0bf56e64bc7ce9c6cce9f52f5d40ec64e76a9a4f5ffc079acac29b1edc18c5d8cf82b63dbc7046c97f4240ca57772d5ae014ba8
SSDEEP

6144:HLxAmawQT854JZ7AV4NHnKmLJLde/dclUw7giqRe:aZlsYM4hKmdY/2u

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

supersigma9-32916.portmap.host:32916

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral5/files/0x000c000000012262-5.dat	family_xworm
behavioral5/memory/1796-9-0x0000000000070000-0x000000000009C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
1796	NovalUPD.exe
2448	HorionInjector.exe
1200	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
2064	XHorion.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	NovalUPD.exe
Token: SeDebugPrivilege	2448	HorionInjector.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1796	2064	XHorion.exe	30
PID 2064 wrote to memory of 1796	2064	XHorion.exe	30
PID 2064 wrote to memory of 1796	2064	XHorion.exe	30
PID 2064 wrote to memory of 2448	2064	XHorion.exe	31
PID 2064 wrote to memory of 2448	2064	XHorion.exe	31
PID 2064 wrote to memory of 2448	2064	XHorion.exe	31

C:\Users\Admin\AppData\Local\Temp\XHorionUPDATED\XHorionUPDATED\XHorion\XHorion.exe
"C:\Users\Admin\AppData\Local\Temp\XHorionUPDATED\XHorionUPDATED\XHorion\XHorion.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Roaming\NovalUPD.exe
  "C:\Users\Admin\AppData\Roaming\NovalUPD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Users\Admin\AppData\Roaming\HorionInjector.exe
  "C:\Users\Admin\AppData\Roaming\HorionInjector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NovalUPD.exe

Filesize
153KB

MD5
88595aec6cbe608a5d4536d091a6a091

SHA1
83ff553779fc12c8d2ef8df22acd6bc1e9a35e47

SHA256
697f48b11456f5823959906c062384f70f9c8de6521f74feea7ed54912e0874e

SHA512
6efd34a018c46dc2c83611379c480db23f3e76243f3fd16fa4b6876337b2470dccee35ef68017eb688a3be042e246d8169dd7c7c52506396cae0ce07ec95f56a

Download Submit
\Users\Admin\AppData\Roaming\HorionInjector.exe

Filesize
147KB

MD5
6b5b6e625de774e5c285712b7c4a0da7

SHA1
317099aef530afbe3a0c5d6a2743d51e04805267

SHA256
2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

SHA512
104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08

Download Submit
memory/1796-9-0x0000000000070000-0x000000000009C000-memory.dmp

Filesize
176KB

Download
memory/1796-15-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/1796-19-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/1796-21-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2064-0-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

Filesize
4KB

Download
memory/2064-1-0x00000000013D0000-0x0000000001436000-memory.dmp

Filesize
408KB

Download
memory/2448-14-0x000000013F680000-0x000000013F6A8000-memory.dmp

Filesize
160KB

Download
memory/2448-16-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/2448-17-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/2448-20-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download