xworm | 9c8f9348a7104a6477335a4115c0a1fcb881540c3b66b3cc13991f38bd73a70c

Analysis

max time kernel
271s
max time network
252s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/03/2025, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NovalUPDATED.rar
Size

1.1MB
MD5

959faa9bf0a5b11762834b1054d4e422
SHA1

6c062b48bacbbae3c4143f54e693bf1cd9270cbb
SHA256

9c8f9348a7104a6477335a4115c0a1fcb881540c3b66b3cc13991f38bd73a70c
SHA512

a15e765ae8d5be6e3b79850564ea2dab5c84455dd34a792f65ab68b4299524ab8b945271699620795863c5f4a5ec75280219c271f43ee9cb4a3a8b7b78cddc0a
SSDEEP

24576:B+Ivn2D8FXj52SQvEYDni0jairneTGGPc8a4yIHN1aws5nK08:B+I5Xj52Zv7Di7iiBE8a4JHXawHr

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

supersigma9-32916.portmap.host:32916

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000027ec0-26.dat	family_xworm
behavioral1/memory/3528-29-0x0000000000640000-0x000000000066C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 4 IoCs

pid	Process
3528	NovalUPD.exe
4596	NovalClient.exe
4600	NovalUPD.exe
2604	NovalClient.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	ip-api.com
55	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NovalClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NovalClient.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1252571373-3012572919-3982031544-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
188	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3544	7zFM.exe
2580	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3544	7zFM.exe
Token: 35	3544	7zFM.exe
Token: SeSecurityPrivilege	3544	7zFM.exe
Token: SeDebugPrivilege	3528	NovalUPD.exe
Token: SeDebugPrivilege	4600	NovalUPD.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3544	7zFM.exe
3544	7zFM.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 2872	4596	NovalClient.exe	104
PID 4596 wrote to memory of 2872	4596	NovalClient.exe	104
PID 2604 wrote to memory of 4476	2604	NovalClient.exe	109
PID 2604 wrote to memory of 4476	2604	NovalClient.exe	109
PID 2580 wrote to memory of 188	2580	OpenWith.exe	113
PID 2580 wrote to memory of 188	2580	OpenWith.exe	113

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NovalUPDATED.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3348

C:\Users\Admin\Downloads\NovalUPDATED\Noval\NovalUPD.exe
"C:\Users\Admin\Downloads\NovalUPDATED\Noval\NovalUPD.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Users\Admin\Downloads\NovalUPDATED\Noval\NovalClient.exe
"C:\Users\Admin\Downloads\NovalUPDATED\Noval\NovalClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\44CF.tmp\44D0.tmp\44D1.bat C:\Users\Admin\Downloads\NovalUPDATED\Noval\NovalClient.exe"
  2⤵
  PID:2872

C:\Users\Admin\Downloads\NovalUPDATED\Noval\NovalUPD.exe
"C:\Users\Admin\Downloads\NovalUPDATED\Noval\NovalUPD.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Users\Admin\Downloads\NovalUPDATED\Noval\NovalClient.exe
"C:\Users\Admin\Downloads\NovalUPDATED\Noval\NovalClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\193C.tmp\193D.tmp\193E.bat C:\Users\Admin\Downloads\NovalUPDATED\Noval\NovalClient.exe"
  2⤵
  PID:4476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\NovalUPDATED\Noval\msdelta.dll
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44CF.tmp\44D0.tmp\44D1.bat

Filesize
22B

MD5
deafc0c01bad3e97f1edbd3d1e1b1872

SHA1
3fd54162bc00f745dfbd033d5830dd1a8a8ab662

SHA256
2a7024692b56de7f7b1b3b6588704e033e1b9eefc79d75730ebc87142fc67e63

SHA512
8c14349e6a18fa6b59a0aedc96f8008f89c3ec93552af196ed78db2d9e66e18108a15704777fdb32cdcad33f4194b65c297d6988014b8aad0b3775a49182c782

Download Submit
C:\Users\Admin\Downloads\NovalUPDATED\Noval\NovalClient.exe

Filesize
89KB

MD5
193cf6ebb53410e9d283c7fa249cbc27

SHA1
de4ce04aaf927f35df0c049c0c7c759aa89de8ea

SHA256
efa4393fd460946721a1cfe9e6d65b29248836af9e1eeabef2d3a90fd02f3368

SHA512
4a775b43e7a8ba5c6642ccbcf34f68ce1456e8f50e2c8a8e812f825bc6822e70735b4de895f6bdd4ab06bd6b78c797560521f0e7b4551337e1042e8d402bc7ea

Download Submit
C:\Users\Admin\Downloads\NovalUPDATED\Noval\NovalUPD.exe

Filesize
153KB

MD5
88595aec6cbe608a5d4536d091a6a091

SHA1
83ff553779fc12c8d2ef8df22acd6bc1e9a35e47

SHA256
697f48b11456f5823959906c062384f70f9c8de6521f74feea7ed54912e0874e

SHA512
6efd34a018c46dc2c83611379c480db23f3e76243f3fd16fa4b6876337b2470dccee35ef68017eb688a3be042e246d8169dd7c7c52506396cae0ce07ec95f56a

Download Submit
C:\Users\Admin\Downloads\NovalUPDATED\Noval\msdelta.dll

Filesize
545KB

MD5
4bc8ff2d8b8ebb742b6d801af0ccd4d0

SHA1
980d331a2b0a24042a99e703b929b8bf626f2983

SHA256
098a2a12856c374b418013a1806a9f9f14517c733aed83886ec657c21b57d755

SHA512
dcd27a668cfa7b1692b269d062cce2633290979f958b8f7e2357e73d77b3f384b7b961c3fd6d34923f365180489164a5a76674479716906d0a16727c54cedaad

Download Submit
memory/3528-28-0x00007FFB7B003000-0x00007FFB7B005000-memory.dmp

Filesize
8KB

Download
memory/3528-29-0x0000000000640000-0x000000000066C000-memory.dmp

Filesize
176KB

Download
memory/3528-30-0x00007FFB7B000000-0x00007FFB7BAC2000-memory.dmp

Filesize
10.8MB

Download
memory/3528-31-0x00007FFB7B000000-0x00007FFB7BAC2000-memory.dmp

Filesize
10.8MB

Download