xworm | a50ef8bbeb3468b1eb76246551b98f0500e597c0a1d1cd552e9951cea572f6e0

Analysis

max time kernel
92s
max time network
206s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/03/2025, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XHorionUPDATED/XHorionUPDATED/XHorion/XHorion.exe
Size

381KB
MD5

c32d172e5c95cf1aa5b4c613d80ed560
SHA1

1c035ac306f5f8f4456d3ecc1d3c8df94880d9db
SHA256

dfee0ccb7bec6a99d768fa48b0f604d8fc489a91622a51bcf892aca5a28e3459
SHA512

dc3687096cd0dbb095fadf2db0bf56e64bc7ce9c6cce9f52f5d40ec64e76a9a4f5ffc079acac29b1edc18c5d8cf82b63dbc7046c97f4240ca57772d5ae014ba8
SSDEEP

6144:HLxAmawQT854JZ7AV4NHnKmLJLde/dclUw7giqRe:aZlsYM4hKmdY/2u

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

supersigma9-32916.portmap.host:32916

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000c000000027da6-6.dat	family_xworm
behavioral3/memory/100-33-0x00000000009C0000-0x00000000009EC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	XHorion.exe

Executes dropped EXE 2 IoCs

pid	Process
100	NovalUPD.exe
3684	HorionInjector.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	100	NovalUPD.exe
Token: SeDebugPrivilege	3684	HorionInjector.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 100	2152	XHorion.exe	80
PID 2152 wrote to memory of 100	2152	XHorion.exe	80
PID 2152 wrote to memory of 3684	2152	XHorion.exe	81
PID 2152 wrote to memory of 3684	2152	XHorion.exe	81

C:\Users\Admin\AppData\Local\Temp\XHorionUPDATED\XHorionUPDATED\XHorion\XHorion.exe
"C:\Users\Admin\AppData\Local\Temp\XHorionUPDATED\XHorionUPDATED\XHorion\XHorion.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Roaming\NovalUPD.exe
  "C:\Users\Admin\AppData\Roaming\NovalUPD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:100
- C:\Users\Admin\AppData\Roaming\HorionInjector.exe
  "C:\Users\Admin\AppData\Roaming\HorionInjector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HorionInjector.exe

Filesize
147KB

MD5
6b5b6e625de774e5c285712b7c4a0da7

SHA1
317099aef530afbe3a0c5d6a2743d51e04805267

SHA256
2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

SHA512
104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08

Download Submit
C:\Users\Admin\AppData\Roaming\NovalUPD.exe

Filesize
153KB

MD5
88595aec6cbe608a5d4536d091a6a091

SHA1
83ff553779fc12c8d2ef8df22acd6bc1e9a35e47

SHA256
697f48b11456f5823959906c062384f70f9c8de6521f74feea7ed54912e0874e

SHA512
6efd34a018c46dc2c83611379c480db23f3e76243f3fd16fa4b6876337b2470dccee35ef68017eb688a3be042e246d8169dd7c7c52506396cae0ce07ec95f56a

Download Submit
memory/100-35-0x00007FFAB0460000-0x00007FFAB0F22000-memory.dmp

Filesize
10.8MB

Download
memory/100-33-0x00000000009C0000-0x00000000009EC000-memory.dmp

Filesize
176KB

Download
memory/100-41-0x00007FFAB0460000-0x00007FFAB0F22000-memory.dmp

Filesize
10.8MB

Download
memory/100-42-0x00007FFAB0460000-0x00007FFAB0F22000-memory.dmp

Filesize
10.8MB

Download
memory/2152-1-0x00000000006B0000-0x0000000000716000-memory.dmp

Filesize
408KB

Download
memory/2152-0-0x00007FFAB0463000-0x00007FFAB0465000-memory.dmp

Filesize
8KB

Download
memory/3684-34-0x00000223F6120000-0x00000223F6148000-memory.dmp

Filesize
160KB

Download
memory/3684-36-0x00007FFAB0460000-0x00007FFAB0F22000-memory.dmp

Filesize
10.8MB

Download
memory/3684-37-0x00000223F9F50000-0x00000223FA00A000-memory.dmp

Filesize
744KB

Download
memory/3684-38-0x00000223F9F10000-0x00000223F9F18000-memory.dmp

Filesize
32KB

Download
memory/3684-39-0x00000223FEA60000-0x00000223FEA98000-memory.dmp

Filesize
224KB

Download
memory/3684-40-0x00000223F9F20000-0x00000223F9F2E000-memory.dmp

Filesize
56KB

Download
memory/3684-43-0x00007FFAB0460000-0x00007FFAB0F22000-memory.dmp

Filesize
10.8MB

Download