xworm | 233b4e09ce8f93d5b8d05fe966b6dee0e8f72a4b044c1f81cb76ab38c840ce7e

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NerestCrack.exe
Size

15.0MB
MD5

8acd2d51225c26977b7a6c05133b5d0e
SHA1

f7e78fced38d5cf695a1fc5babbc0087e4c82682
SHA256

233b4e09ce8f93d5b8d05fe966b6dee0e8f72a4b044c1f81cb76ab38c840ce7e
SHA512

71e679fda369fbbf169892c9cfca555bc5d4746292fc78f4207f15ef041bcb7f67a46061688e5dfc2bda3dba54cc064e84c652b58bef1e4114a4dedf03161662
SSDEEP

3072:1jx5U/FRxkan+bgVkvQ2rObGUzaewwQU4OHRemS0:Bx5iWa+b5IjzBuU4OIm

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:30067

florida-leather.gl.at.ply.gg:30067

than-behavioral.gl.at.ply.gg:30067

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2424-1-0x00000000001A0000-0x00000000001C2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2316	powershell.exe
2832	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2316	powershell.exe
2832	powershell.exe
2424	NerestCrack.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	NerestCrack.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2424	NerestCrack.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2424	NerestCrack.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2316	2424	NerestCrack.exe	30
PID 2424 wrote to memory of 2316	2424	NerestCrack.exe	30
PID 2424 wrote to memory of 2316	2424	NerestCrack.exe	30
PID 2424 wrote to memory of 2832	2424	NerestCrack.exe	33
PID 2424 wrote to memory of 2832	2424	NerestCrack.exe	33
PID 2424 wrote to memory of 2832	2424	NerestCrack.exe	33

C:\Users\Admin\AppData\Local\Temp\NerestCrack.exe
"C:\Users\Admin\AppData\Local\Temp\NerestCrack.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NerestCrack.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NerestCrack.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0JDHLIECCAPP1J82B3ZD.temp

Filesize
7KB

MD5
bc9725a9515008c1267a3a4b4c224f34

SHA1
bbbd5c177bb7730045553b429f63ff83bdc37d7b

SHA256
a5a0821eec447030dd19ed8bb1f5c40a9c7ec08751da77e19198985f3e46adb2

SHA512
600aa811b170d46830080b18aa12a08974995998d0c2e52caa3c02b8dd2c29d7ff538359d3eebd888e94136fba2f36f1614a9df677e997a19469243bf7a1ddc1

Download Submit
memory/2316-6-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2316-7-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2316-8-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2424-0-0x000007FEF5F43000-0x000007FEF5F44000-memory.dmp

Filesize
4KB

Download
memory/2424-1-0x00000000001A0000-0x00000000001C2000-memory.dmp

Filesize
136KB

Download
memory/2424-16-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2424-17-0x000007FEF5F43000-0x000007FEF5F44000-memory.dmp

Filesize
4KB

Download
memory/2424-18-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2832-14-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2832-15-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download