xworm | 233b4e09ce8f93d5b8d05fe966b6dee0e8f72a4b044c1f81cb76ab38c840ce7e

Analysis

max time kernel
880s
max time network
890s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NerestCrack.exe
Size

15.0MB
MD5

8acd2d51225c26977b7a6c05133b5d0e
SHA1

f7e78fced38d5cf695a1fc5babbc0087e4c82682
SHA256

233b4e09ce8f93d5b8d05fe966b6dee0e8f72a4b044c1f81cb76ab38c840ce7e
SHA512

71e679fda369fbbf169892c9cfca555bc5d4746292fc78f4207f15ef041bcb7f67a46061688e5dfc2bda3dba54cc064e84c652b58bef1e4114a4dedf03161662
SSDEEP

3072:1jx5U/FRxkan+bgVkvQ2rObGUzaewwQU4OHRemS0:Bx5iWa+b5IjzBuU4OIm

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:30067

florida-leather.gl.at.ply.gg:30067

than-behavioral.gl.at.ply.gg:30067

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2896-1-0x0000000000030000-0x0000000000052000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe
2680	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2644	powershell.exe
2680	powershell.exe
2896	NerestCrack.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	NerestCrack.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2896	NerestCrack.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2896	NerestCrack.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2644	2896	NerestCrack.exe	30
PID 2896 wrote to memory of 2644	2896	NerestCrack.exe	30
PID 2896 wrote to memory of 2644	2896	NerestCrack.exe	30
PID 2896 wrote to memory of 2680	2896	NerestCrack.exe	32
PID 2896 wrote to memory of 2680	2896	NerestCrack.exe	32
PID 2896 wrote to memory of 2680	2896	NerestCrack.exe	32

C:\Users\Admin\AppData\Local\Temp\NerestCrack.exe
"C:\Users\Admin\AppData\Local\Temp\NerestCrack.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NerestCrack.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NerestCrack.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JDCALHQXMVV1D5DUF995.temp

Filesize
7KB

MD5
ff2902892dee118f43cb9a0abb666ba7

SHA1
b78214b9333d24251b37c1a4438fb4eb3b4ad6e0

SHA256
fdcecbfe8c9ed9b1d50bd82b98adde358fdcf322e866c85a7704d9a17aa60171

SHA512
76a2cab0709fb18dc8e06a0f856f84485b1efd409d303a9c089afbb6db3d41eb9dfac2401afaf45c993fd9721b97a1fc76f3148820339d5f301c80dd0b0fa446

Download Submit
memory/2644-6-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2644-7-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2644-8-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2680-14-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2680-15-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2896-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

Filesize
4KB

Download
memory/2896-1-0x0000000000030000-0x0000000000052000-memory.dmp

Filesize
136KB

Download
memory/2896-16-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2896-17-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

Filesize
4KB

Download
memory/2896-18-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download