xworm | 0d2e82ca0d95d0ccca529f976f6334bd623a0dbad25be79a3127521e5816fe94

Analysis

max time kernel
128s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ASASQSQ.exe
Size

1.7MB
MD5

1f583cdad39718a3bbb8b25b44ec2ce1
SHA1

fcf80c45499f3f42506e3bbc1cadd4103380b8db
SHA256

0d2e82ca0d95d0ccca529f976f6334bd623a0dbad25be79a3127521e5816fe94
SHA512

91dbcc3dbb43e64d02392a67c1d9fa80b7aafd1c4759b78fb6dbd3f55940c7dc05c00d0091b070c17400ce3a78c3fd3f3ef579604d0c2d5bed39d476bb7f9f57
SSDEEP

49152:qjQ3JroNE7cZchtwBqN9smtUI1293vaRSO3:qcwE7ichtMY9suUIyQf

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.26:38655

Attributes

Install_directory
%AppData%
install_file
♬ ♬.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023d2f-12.dat	family_xworm
behavioral2/memory/3204-21-0x0000000000DF0000-0x0000000000E2A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	ASASQSQ.exe

Executes dropped EXE 2 IoCs

pid	Process
2704	es^p Supreme V1.exe
3204	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASASQSQ.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3204	XClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2704	1868	ASASQSQ.exe	88
PID 1868 wrote to memory of 2704	1868	ASASQSQ.exe	88
PID 1868 wrote to memory of 3204	1868	ASASQSQ.exe	89
PID 1868 wrote to memory of 3204	1868	ASASQSQ.exe	89

C:\Users\Admin\AppData\Local\Temp\ASASQSQ.exe
"C:\Users\Admin\AppData\Local\Temp\ASASQSQ.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\es^p Supreme V1.exe
  "C:\Users\Admin\AppData\Local\Temp\es^p Supreme V1.exe"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
210KB

MD5
6f44d5dd4b1fb7c1d2aaefa76c078a22

SHA1
d4f08c5390c240e9b049d17d9e194143cff780df

SHA256
cf964077390a9d3ae946829975483f8aae1da1cd2a0385cc66107e4b84e56a18

SHA512
12ef5efa88531b62961d2f13ab32a9b1fb6ba39eca6d2916d217a73765adfe62f4438d2e4b70032aee1f0b376082a633b2cab8082170007d2a8d51a8f0e45824

Download Submit
C:\Users\Admin\AppData\Local\Temp\es^p Supreme V1.exe

Filesize
2.4MB

MD5
13bab5a9b8cf9299313bd11fb57b0d2a

SHA1
9c2b902d6aa01085b0a2a8def75a47852fa316cd

SHA256
f517cf20ddc450820ebddf607250dcfb6c9643c5a58b017118acadf7da181d2e

SHA512
c1e6afbf3d187ea50735440a9525156cf225c0ffe62e5182568b7fffa1fd3c297074cdcc036f2babb53121f08439e8aeaa148910c3ca891aeb52764be6f19ca4

Download Submit
memory/2704-17-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/3204-20-0x00007FFF40953000-0x00007FFF40955000-memory.dmp

Filesize
8KB

Download
memory/3204-21-0x0000000000DF0000-0x0000000000E2A000-memory.dmp

Filesize
232KB

Download
memory/3204-22-0x00007FFF40950000-0x00007FFF41411000-memory.dmp

Filesize
10.8MB

Download
memory/3204-23-0x000000001C030000-0x000000001C132000-memory.dmp

Filesize
1.0MB

Download
memory/3204-24-0x00007FFF40950000-0x00007FFF41411000-memory.dmp

Filesize
10.8MB

Download