xworm | 8815d4597cdc668da03392cab1118fda3988a5e0a16bb64711cfc188358887a8

Analysis

max time kernel
120s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MeeV Spoofer/MeeV Spoofer.exe
Size

377KB
MD5

8ff34fc450c3f755da1b83880337f035
SHA1

8d1215fb35c50e097d4e5021a806be80e8dea490
SHA256

54e9d6ea55f022c8fd573bc459a7ba67344aaa2411dfbe6aa23bb682b7b80a68
SHA512

109ba9b6e82770b6595ad2ac0a5dcba3dc37873662323f4765aefa62b47d2d845efbd6097672f46b99d7937f18698471c684e1bd86f7a64c17fb4603f4abdd06
SSDEEP

6144:ujxZqeQSL7PPvyrZ+y6GQoi6xoAAVSC1HJOP8vn:ujxuSLrqQoi6xoNh

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000600000001db07-17.dat	family_xworm
behavioral4/memory/2436-25-0x0000000000BF0000-0x0000000000C04000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	MeeV Spoofer.exe

Executes dropped EXE 2 IoCs

pid	Process
4060	MeeV Spoofer.exe
2436	COM Surrogate.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	COM Surrogate.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 4060	728	MeeV Spoofer.exe	91
PID 728 wrote to memory of 4060	728	MeeV Spoofer.exe	91
PID 728 wrote to memory of 2436	728	MeeV Spoofer.exe	93
PID 728 wrote to memory of 2436	728	MeeV Spoofer.exe	93

C:\Users\Admin\AppData\Local\Temp\MeeV Spoofer\MeeV Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\MeeV Spoofer\MeeV Spoofer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:728
- C:\Users\Admin\AppData\Local\Temp\MeeV Spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\MeeV Spoofer.exe"
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Users\Admin\AppData\Local\Temp\COM Surrogate.exe
  "C:\Users\Admin\AppData\Local\Temp\COM Surrogate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\COM Surrogate.exe

Filesize
52KB

MD5
fc7f9ceb3cd313939f207839cb0eb406

SHA1
36cd7bd3ce02398e232c75c3f5969418ee517269

SHA256
7172680dce1c2d66c5911e3f0f79eff645d51219ffc43a649406fb927bcde89d

SHA512
d9b87245018808914f3aeddd3aaf07d2b9d8ba453355f66a6d55bcaafe0373dbff3273a871bcc3b0b58bc2d787889eea4301ac4f2ad3a1145bb406929c8f54cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MeeV Spoofer.exe

Filesize
395KB

MD5
2e3baa869f8db046d68ca0b7492b89cc

SHA1
0c9b1919221d5db2f9b508ca3d024c362196131e

SHA256
32cddf91c8e174b4a2028ce4c6fa3f314fda723774b778826e941034f595364b

SHA512
84c6685515631c150464b21ee6d5028df69b6aadb5ba1ef1976d6de2b41eb39ab0d06bb8cc74aa6baa1fc3cd68bcfc85c58ae6d2de1e81a96943f908f4431018

Download Submit
memory/728-0-0x00007FFD88FE3000-0x00007FFD88FE5000-memory.dmp

Filesize
8KB

Download
memory/728-1-0x00000000009F0000-0x0000000000A54000-memory.dmp

Filesize
400KB

Download
memory/728-10-0x00007FFD88FE0000-0x00007FFD89AA1000-memory.dmp

Filesize
10.8MB

Download
memory/728-28-0x00007FFD88FE0000-0x00007FFD89AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2436-25-0x0000000000BF0000-0x0000000000C04000-memory.dmp

Filesize
80KB

Download
memory/2436-27-0x00007FFD88FE0000-0x00007FFD89AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2436-29-0x00007FFD88FE0000-0x00007FFD89AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2436-30-0x000000001C000000-0x000000001C102000-memory.dmp

Filesize
1.0MB

Download
memory/2436-31-0x00007FFD88FE0000-0x00007FFD89AA1000-memory.dmp

Filesize
10.8MB

Download