xworm | a02f4d66be93cac92899b5c049d2eb5758bcd928908123e344806b7568faeded

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2025, 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nurik 1.12.2-1.16.5.rar
Size

9.7MB
MD5

9c24f5afafb5485602bb389ac6b92867
SHA1

d129eec0347c9ed7136508fa9c53d52d7be32fe4
SHA256

a02f4d66be93cac92899b5c049d2eb5758bcd928908123e344806b7568faeded
SHA512

87af3614369e0258e500596ff872a09395085bae4de1d34a3ad134f98ae563e29fb435e375d25eaa046df22fe740154e19b3084bd57473b36c80ab7d20ca5af3
SSDEEP

196608:zufLYMePTVw+Qo3dnhQAiJBcH7Y3r7ufvnQwAWRjt0P7s9vMu70klu/o:zuTr6p1hQD3cH23SnQwFRjtiWvMfro

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Idlerkik-51025.portmap.host:51025

Mutex

rSFFOfqaVoKkdUae

Attributes

Install_directory
%AppData%
install_file
svhost.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001200000002af25-8.dat	family_xworm
behavioral1/memory/4684-16-0x0000000000760000-0x0000000000770000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 4 IoCs

pid	Process
4684	CrackLauncher.exe
3868	CrackLauncher.exe
1820	CrackLauncher.exe
3848	CrackLauncher.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2600	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3100	7zFM.exe
3100	7zFM.exe
3100	7zFM.exe
3100	7zFM.exe
3100	7zFM.exe
3100	7zFM.exe
3100	7zFM.exe
3100	7zFM.exe
3100	7zFM.exe
3100	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3100	7zFM.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	3100	7zFM.exe
Token: 35	3100	7zFM.exe
Token: SeSecurityPrivilege	3100	7zFM.exe
Token: SeSecurityPrivilege	3100	7zFM.exe
Token: SeDebugPrivilege	4684	CrackLauncher.exe
Token: SeSecurityPrivilege	3100	7zFM.exe
Token: SeDebugPrivilege	3868	CrackLauncher.exe
Token: SeSecurityPrivilege	3100	7zFM.exe
Token: SeDebugPrivilege	1820	CrackLauncher.exe
Token: SeSecurityPrivilege	3100	7zFM.exe
Token: SeDebugPrivilege	3848	CrackLauncher.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3100	7zFM.exe
3100	7zFM.exe
3100	7zFM.exe
3100	7zFM.exe
3100	7zFM.exe
3100	7zFM.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 2600	3100	7zFM.exe	82
PID 3100 wrote to memory of 2600	3100	7zFM.exe	82
PID 3100 wrote to memory of 4684	3100	7zFM.exe	83
PID 3100 wrote to memory of 4684	3100	7zFM.exe	83
PID 3100 wrote to memory of 3868	3100	7zFM.exe	90
PID 3100 wrote to memory of 3868	3100	7zFM.exe	90
PID 3100 wrote to memory of 1820	3100	7zFM.exe	91
PID 3100 wrote to memory of 1820	3100	7zFM.exe	91
PID 3100 wrote to memory of 3848	3100	7zFM.exe	96
PID 3100 wrote to memory of 3848	3100	7zFM.exe	96

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Nurik 1.12.2-1.16.5.rar"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC1C5E7B7\README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\7zOC1C101D7\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC1C101D7\CrackLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Users\Admin\AppData\Local\Temp\7zOC1CE62F7\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC1CE62F7\CrackLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Users\Admin\AppData\Local\Temp\7zOC1C9B1F7\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC1C9B1F7\CrackLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Users\Admin\AppData\Local\Temp\7zOC1C13E68\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC1C13E68\CrackLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC1C101D7\CrackLauncher.exe

Filesize
42KB

MD5
4f7d0cb075b81a3923661409b47e8a31

SHA1
d3aa635fedd9adff2a821fa20e7f8b9fac838ed4

SHA256
4e3b031bcd6552a48501e629c37e53d58721cde1b494ee96f8ba9473be7ff6d6

SHA512
3e3fea0be7af651bb2b7eba42543112912808931a9f8f84e7ab8f424910b190c113a99bf4859d032bc0ae3478398b93ffe5d025b7dc1dffe37111ea6d3e7a66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC1C5E7B7\README.txt

Filesize
681B

MD5
34578667f77fa59649706a6c587a58f5

SHA1
ff767944782940dcee585506182081407802aea5

SHA256
e8084a2a6fa17638faee8f9ef1fc37d5c8d3bd600c2db18290f9085939e3ca6e

SHA512
3523fff51dfc477903f452b7395c4636f081e84d4a4e88caf661bfcbe3566f6acfdbad2f760e6d006274f9b164a7f5b36f2456171805357ee20ca4de1e2fe888

Download Submit
memory/4684-16-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download