xworm | 01e7b0486debabca8a91c3e3fc9681029abac9c5fdee43dc100bf3a63dd787b3

Analysis

max time kernel
140s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOLSA.exe
Size

76KB
MD5

621dcab53a15d786df2dfeb98a8adfb1
SHA1

b12ee4ca64b434cc1ab4d69aab3e4775701bfbec
SHA256

01e7b0486debabca8a91c3e3fc9681029abac9c5fdee43dc100bf3a63dd787b3
SHA512

87861a052238be7ef723ca4b3467a4fb761001756a8449137ca71c50098a3ea00583876021693a325c3f72d83d0aa4a2f584367856ff9ba439679ef068ab091d
SSDEEP

1536:OEO2Gh2SX1ntBuH10rogO2Gh2SX1ptBuH10g2r4n:Otvh2SX5tBCXRvh2SXPtBCwy

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

10.0.0.2:12973

10.0.0.2:9999

Mutex

EfwDU1ytTlCoqnzG

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012117-5.dat	family_xworm
behavioral1/files/0x0008000000016d0e-11.dat	family_xworm
behavioral1/memory/2680-12-0x00000000013D0000-0x00000000013DE000-memory.dmp	family_xworm
behavioral1/memory/1960-13-0x0000000001050000-0x000000000105E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
2680	XClie1nt.exe
1960	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	XClient.exe
Token: SeDebugPrivilege	2680	XClie1nt.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2680	1192	LOLSA.exe	30
PID 1192 wrote to memory of 2680	1192	LOLSA.exe	30
PID 1192 wrote to memory of 2680	1192	LOLSA.exe	30
PID 1192 wrote to memory of 1960	1192	LOLSA.exe	31
PID 1192 wrote to memory of 1960	1192	LOLSA.exe	31
PID 1192 wrote to memory of 1960	1192	LOLSA.exe	31

C:\Users\Admin\AppData\Local\Temp\LOLSA.exe
"C:\Users\Admin\AppData\Local\Temp\LOLSA.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Roaming\XClie1nt.exe
  "C:\Users\Admin\AppData\Roaming\XClie1nt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\XClie1nt.exe

Filesize
33KB

MD5
3dbd0527815ab24d296b233d8be1b149

SHA1
0b13b56571af9cab67a327e2cda41fbafd739436

SHA256
358ab451763002ab0ce80b3de9e86471fe4ff7b50537003ad8e097ed45fa68db

SHA512
98bfe54c9bd74073b9b6ce603771d534b51ca4dc74fbf220d34589dc87917382d317c6e5aae6e0e1546ad1f3244c24b3d750e4901fce436861215f1865fdac0d

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
33KB

MD5
b92bd4ef0d62c07cf2ec33f65e97dcd9

SHA1
4d8c7ab061eee4a8f50e25bed0c3ec1a64540d60

SHA256
9cddec2b93b417e0713aaa0fca2f6e4c7fd7732f4e3d3cda8b2903100702fa60

SHA512
dbb780cb0aa31a92e201d59091ef8ff7667f85dcd69562ded07c16f7ea2c0caab174b4b1a5338de4d81e93b9bf5b37907e0a52547bc5f7c19700146ea6461233

Download Submit
memory/1192-0-0x000007FEF6263000-0x000007FEF6264000-memory.dmp

Filesize
4KB

Download
memory/1192-1-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download
memory/1960-13-0x0000000001050000-0x000000000105E000-memory.dmp

Filesize
56KB

Download
memory/2680-12-0x00000000013D0000-0x00000000013DE000-memory.dmp

Filesize
56KB

Download
memory/2680-14-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-15-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-16-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-17-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

Filesize
9.9MB

Download