xworm | efe289b38f29032f648a26974cca1c68599a7e24f0cb58e62fdc9e79b4d3c3c2

Analysis

max time kernel
50s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Delta cracked (1337).zip
Size

35.9MB
MD5

257c597061d8d887671a85fc6ccb1d6b
SHA1

ddd2ae6bfc2e4d8ab778b914b18b162b049ae807
SHA256

efe289b38f29032f648a26974cca1c68599a7e24f0cb58e62fdc9e79b4d3c3c2
SHA512

9ea0b587f75bb9b52f2f70ebc781bb23420dbe64541a7bb6544836169771070b76c4cf57cc2fd8bc8e0dd8f7bf44df27535e229fbf7f6441efb5de6ab4531757
SSDEEP

786432:Qj314x6Lf72SddZU7uKuFOu/fxAvIWXw7GmnuEhI7mNn5QSc:Qjlcuf75ZU6VtfxAvkamnu77mNnU

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

registered-marilyn.gl.at.ply.gg:38151

Attributes

Install_directory
%AppData%
install_file
NursultanCrack.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0002000000022b58-8.dat	family_xworm
behavioral1/memory/1180-10-0x00000000006F0000-0x0000000000708000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
1180	Delta cracked.exe
1336	Delta cracked.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
59	ip-api.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4792	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	4792	7zFM.exe
Token: 35	4792	7zFM.exe
Token: SeSecurityPrivilege	4792	7zFM.exe
Token: SeSecurityPrivilege	4792	7zFM.exe
Token: SeDebugPrivilege	1180	Delta cracked.exe
Token: SeDebugPrivilege	1336	Delta cracked.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4792	7zFM.exe
4792	7zFM.exe
4792	7zFM.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Delta cracked (1337).zip"
1⤵
PID:3752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3636

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Delta cracked (1337).zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4792

C:\Users\Admin\Desktop\Delta cracked.exe
"C:\Users\Admin\Desktop\Delta cracked.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Users\Admin\Desktop\Delta cracked.exe
"C:\Users\Admin\Desktop\Delta cracked.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Delta cracked.exe

Filesize
71KB

MD5
de8984199cea928c5ce0773ce065a545

SHA1
1f85e446829d06841869eda7cc0a9767ee4b7c1e

SHA256
a3b73fded2b9faa31303d7dc5905781ddfed85b17beff7042b212554fb25acac

SHA512
677c58836e563dc708bc89ca2f70b675783762dbdd28b070dece97c66f7aacc969dfe575ab4b68c0dd93b809746373eb61d63253ce2d7ecea170fe3c52747d60

Download Submit
memory/1180-10-0x00000000006F0000-0x0000000000708000-memory.dmp

Filesize
96KB

Download