xworm | 233b4e09ce8f93d5b8d05fe966b6dee0e8f72a4b044c1f81cb76ab38c840ce7e

Analysis

max time kernel
884s
max time network
894s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NerestCrack.exe
Size

15.0MB
MD5

8acd2d51225c26977b7a6c05133b5d0e
SHA1

f7e78fced38d5cf695a1fc5babbc0087e4c82682
SHA256

233b4e09ce8f93d5b8d05fe966b6dee0e8f72a4b044c1f81cb76ab38c840ce7e
SHA512

71e679fda369fbbf169892c9cfca555bc5d4746292fc78f4207f15ef041bcb7f67a46061688e5dfc2bda3dba54cc064e84c652b58bef1e4114a4dedf03161662
SSDEEP

3072:1jx5U/FRxkan+bgVkvQ2rObGUzaewwQU4OHRemS0:Bx5iWa+b5IjzBuU4OIm

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:30067

florida-leather.gl.at.ply.gg:30067

than-behavioral.gl.at.ply.gg:30067

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2004-1-0x0000000001360000-0x0000000001382000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1796	powershell.exe
2884	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1796	powershell.exe
2884	powershell.exe
2004	NerestCrack.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	NerestCrack.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2004	NerestCrack.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2004	NerestCrack.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1796	2004	NerestCrack.exe	30
PID 2004 wrote to memory of 1796	2004	NerestCrack.exe	30
PID 2004 wrote to memory of 1796	2004	NerestCrack.exe	30
PID 2004 wrote to memory of 2884	2004	NerestCrack.exe	32
PID 2004 wrote to memory of 2884	2004	NerestCrack.exe	32
PID 2004 wrote to memory of 2884	2004	NerestCrack.exe	32

C:\Users\Admin\AppData\Local\Temp\NerestCrack.exe
"C:\Users\Admin\AppData\Local\Temp\NerestCrack.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NerestCrack.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NerestCrack.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9dccb6a905f3471521bb73117ec70c9b

SHA1
62c1e7829716a5755de990fb24104ff7e194b5bc

SHA256
1446fb2577b5f26f909947e71245253ea9f9bed72f3092808718da913aa05319

SHA512
baa3997a22a8da3443b13a9125e2fd822f1607236bfb60b650193fde26562173e131cb30781ab9e2d74f155ca48c59d4a3aebf5bbebc7cd7cd57cb5aa4ffdcc2

Download Submit
memory/1796-6-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/1796-7-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/1796-8-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2004-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2004-1-0x0000000001360000-0x0000000001382000-memory.dmp

Filesize
136KB

Download
memory/2004-16-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/2004-17-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2004-18-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/2884-14-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2884-15-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download