xworm | 427f01eebd57a85f57641b32672d2b65840319cb1121f2b724406a17cdf4948b

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FullOption_2.1.exe
Size

4.0MB
MD5

2827f985babed58b7225d336befe5d67
SHA1

85779be1feec0cbf65f72c4dea9f325145f7b951
SHA256

427f01eebd57a85f57641b32672d2b65840319cb1121f2b724406a17cdf4948b
SHA512

01ee2a9b40778be0eddabab39402f65825f6e23367dc0c939605b61ba0794f01480c2d62bb9aa6888305c38926b82eca8f5a492e500a734cac240f71cb62d025
SSDEEP

98304:nBRyRmb7gVNx01+tlHuAIiPlVB7gF2xplA:neFNxNTH7lsSG

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

popular-specialist.gl.at.ply.gg:39463

Attributes

Install_directory
%AppData%
install_file
Services.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023d5e-14.dat	family_xworm
behavioral2/memory/5060-22-0x0000000000C70000-0x0000000000C8A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	FullOption_2.1.exe

Executes dropped EXE 2 IoCs

pid	Process
4400	FullOption_2.1.exe
5060	System and Application.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	System and Application.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4400	3496	FullOption_2.1.exe	86
PID 3496 wrote to memory of 4400	3496	FullOption_2.1.exe	86
PID 3496 wrote to memory of 5060	3496	FullOption_2.1.exe	87
PID 3496 wrote to memory of 5060	3496	FullOption_2.1.exe	87

C:\Users\Admin\AppData\Local\Temp\FullOption_2.1.exe
"C:\Users\Admin\AppData\Local\Temp\FullOption_2.1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Users\Admin\AppData\Roaming\FullOption_2.1.exe
  "C:\Users\Admin\AppData\Roaming\FullOption_2.1.exe"
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Users\Admin\AppData\Roaming\System and Application.exe
  "C:\Users\Admin\AppData\Roaming\System and Application.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FullOption_2.1.exe

Filesize
3.9MB

MD5
2f6e9c0dd1c6859a9d6e7acea1db9ac0

SHA1
b0dcd2be62b6a559e479de7745ab0988b8b30522

SHA256
122e3cb0f2ad233d1a364911d433667e7778f00d9a7d10b954c994f4e8093d1f

SHA512
fe3634f46afd5b45f0ffc721a18b5ef1b1344b548f90b8c54ea6995e3d64b7394b56c681b1a0522b67e862fce9d8333b621612a2f03708e7dbc917a28c58c15d

Download Submit
C:\Users\Admin\AppData\Roaming\System and Application.exe

Filesize
75KB

MD5
a6803eea43873a22a3bc819a28ea1854

SHA1
a378736c27f5c6c557bd933d9c613feec85bd8d0

SHA256
2447044160e3a41bab3d42e25baa706c1fc8f6d92e9a5fa72deb2a7ec31c8de7

SHA512
1a15f39eb6302b1f1dab02f6516a81d8bf749a6f71cea7712814fb5b289607886db3708224253bd964ad4e37d8eeb05c4a9e12f1e90a0cb4b2c351c29bc9c1bb

Download Submit
memory/3496-0-0x00007FF8305F3000-0x00007FF8305F5000-memory.dmp

Filesize
8KB

Download
memory/3496-1-0x0000000000A90000-0x0000000000E8E000-memory.dmp

Filesize
4.0MB

Download
memory/5060-22-0x0000000000C70000-0x0000000000C8A000-memory.dmp

Filesize
104KB

Download
memory/5060-23-0x00007FF8305F0000-0x00007FF8310B1000-memory.dmp

Filesize
10.8MB

Download
memory/5060-24-0x00007FF8305F0000-0x00007FF8310B1000-memory.dmp

Filesize
10.8MB

Download
memory/5060-25-0x00007FF8305F0000-0x00007FF8310B1000-memory.dmp

Filesize
10.8MB

Download