Overview

overview

10

Static

static

10

ASASQSQ.exe

windows10-ltsc 2021-x64

10

XClient.exe

windows10-ltsc 2021-x64

10

es^p Supreme V1.exe

windows10-ltsc 2021-x64

1

Analysis

  • max time kernel
    392s
  • max time network
    505s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250217-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    05/03/2025, 22:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ASASQSQ.exe

  • Size

    1.7MB

  • MD5

    1f583cdad39718a3bbb8b25b44ec2ce1

  • SHA1

    fcf80c45499f3f42506e3bbc1cadd4103380b8db

  • SHA256

    0d2e82ca0d95d0ccca529f976f6334bd623a0dbad25be79a3127521e5816fe94

  • SHA512

    91dbcc3dbb43e64d02392a67c1d9fa80b7aafd1c4759b78fb6dbd3f55940c7dc05c00d0091b070c17400ce3a78c3fd3f3ef579604d0c2d5bed39d476bb7f9f57

  • SSDEEP

    49152:qjQ3JroNE7cZchtwBqN9smtUI1293vaRSO3:qcwE7ichtMY9suUIyQf

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.26:38655

Attributes
  • Install_directory

    %AppData%

  • install_file

    ♬ ♬.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ASASQSQ.exe
    "C:\Users\Admin\AppData\Local\Temp\ASASQSQ.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Users\Admin\AppData\Local\Temp\es^p Supreme V1.exe
      "C:\Users\Admin\AppData\Local\Temp\es^p Supreme V1.exe"
      2⤵
      • Executes dropped EXE
      PID:3064
    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    Filesize

    210KB

    MD5

    6f44d5dd4b1fb7c1d2aaefa76c078a22

    SHA1

    d4f08c5390c240e9b049d17d9e194143cff780df

    SHA256

    cf964077390a9d3ae946829975483f8aae1da1cd2a0385cc66107e4b84e56a18

    SHA512

    12ef5efa88531b62961d2f13ab32a9b1fb6ba39eca6d2916d217a73765adfe62f4438d2e4b70032aee1f0b376082a633b2cab8082170007d2a8d51a8f0e45824

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\es^p Supreme V1.exe
    Filesize

    2.4MB

    MD5

    13bab5a9b8cf9299313bd11fb57b0d2a

    SHA1

    9c2b902d6aa01085b0a2a8def75a47852fa316cd

    SHA256

    f517cf20ddc450820ebddf607250dcfb6c9643c5a58b017118acadf7da181d2e

    SHA512

    c1e6afbf3d187ea50735440a9525156cf225c0ffe62e5182568b7fffa1fd3c297074cdcc036f2babb53121f08439e8aeaa148910c3ca891aeb52764be6f19ca4

    Download Submit

  • memory/1704-26-0x00007FFAFAD23000-0x00007FFAFAD25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1704-27-0x0000000000A40000-0x0000000000A7A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1704-28-0x00007FFAFAD20000-0x00007FFAFB7E2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1704-29-0x00007FFAFAD20000-0x00007FFAFB7E2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3064-22-0x0000000140000000-0x0000000140275000-memory.dmp

    Filesize

    2.5MB

    Download