xworm | 73fb3918ca62572de658babcbcde7f5c198068913dd15bab65cbe8cff23c9526

Analysis

max time kernel
36s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CelestialCrack.exe
Size

146KB
MD5

b9170d37ddb8bfbad5afd93a550232fa
SHA1

8004867d262c27f0b0464f7ed686cac434da024a
SHA256

ca13b369259edd192dad0120a8d267bc9aaa8cbd10232db2f011d7b043cfff32
SHA512

a224e9027049fedffcac56f4cb7f4acb0184c4ddea1f9bf1ed9a03141d06a9ba113f8cca55773932078668ccfc43a5fb20dfd7e5a72d443c0a43c9f5cf507a62
SSDEEP

3072:+tO3dom2hHDOxycn+XnQ5LueGKQGT2XgvL0fSUb6jYt:25mwm+A5Lu3O2XgkSvi

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

add-springer.gl.at.ply.gg:60216

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0005000000022b08-6.dat	family_xworm
behavioral1/memory/4984-17-0x0000000000AF0000-0x0000000000B0A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	CelestialCrack.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Celestial.lnk	celka.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Celestial.lnk	celka.exe

Executes dropped EXE 1 IoCs

pid	Process
4984	celka.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Celestial = "C:\\Users\\Admin\\AppData\\Roaming\\Celestial"	celka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4984	celka.exe
4984	celka.exe
4984	celka.exe
4984	celka.exe
4984	celka.exe
4984	celka.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	celka.exe
Token: SeDebugPrivilege	4984	celka.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4984	celka.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 4984	2720	CelestialCrack.exe	88
PID 2720 wrote to memory of 4984	2720	CelestialCrack.exe	88
PID 2720 wrote to memory of 800	2720	CelestialCrack.exe	89
PID 2720 wrote to memory of 800	2720	CelestialCrack.exe	89

C:\Users\Admin\AppData\Local\Temp\CelestialCrack.exe
"C:\Users\Admin\AppData\Local\Temp\CelestialCrack.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\celka.exe
  "C:\Users\Admin\AppData\Local\Temp\celka.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.bat" "
  2⤵
  PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\celka.exe

Filesize
77KB

MD5
25dda19bc8a216cec9cfa1b2f2840d5d

SHA1
30c0ed5ae5ae59787527287c86a2ee5b6648672a

SHA256
358bbd520da818689555912328bd9e9089ccca1594d5214d3ea77ba934d37396

SHA512
6006fa62e78ba6a360dffaf3b017e15aec21ba3739af9d2898d06534ad2cb2a056af14c71632fc03e9115eed9279de2293783966a590c8d4a0f67ff22dc5960f

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.bat

Filesize
77B

MD5
158ce2f9697c91517968d31ea72612fc

SHA1
1f40ea232322012331c029053c72a632420f6bf3

SHA256
6bc8400d7c7e6e84ed6b74f99c872b50d286d62d02f671fb21e30669aaaebafc

SHA512
412492e444ac047670499782d53e863a973f57bb895f5595a924c59ad187ff4e385b7c5b6003c89fe52ce95227352e01a312f095383421dc532b4833d7182b55

Download Submit
memory/2720-0-0x00007FF894AA3000-0x00007FF894AA5000-memory.dmp

Filesize
8KB

Download
memory/2720-1-0x0000000000F60000-0x0000000000F88000-memory.dmp

Filesize
160KB

Download
memory/2720-18-0x00007FF894AA0000-0x00007FF895561000-memory.dmp

Filesize
10.8MB

Download
memory/2720-26-0x00007FF894AA0000-0x00007FF895561000-memory.dmp

Filesize
10.8MB

Download
memory/4984-17-0x0000000000AF0000-0x0000000000B0A000-memory.dmp

Filesize
104KB

Download
memory/4984-19-0x00007FF894AA0000-0x00007FF895561000-memory.dmp

Filesize
10.8MB

Download
memory/4984-24-0x00007FF894AA0000-0x00007FF895561000-memory.dmp

Filesize
10.8MB

Download
memory/4984-27-0x00007FF894AA0000-0x00007FF895561000-memory.dmp

Filesize
10.8MB

Download
memory/4984-28-0x00007FF894AA0000-0x00007FF895561000-memory.dmp

Filesize
10.8MB

Download