Overview

overview

10

Static

static

10

ILOADER.exe

windows7-x64

10

ILOADER.exe

windows10-2004-x64

10

ILOADER.exe

windows10-ltsc 2021-x64

10

ILOADER.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2025, 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ILOADER.exe

  • Size

    102KB

  • MD5

    f3071053a4a5b7c6116390e2d4aed29d

  • SHA1

    5056680a6e64137d31edfcd8a163225c642badc9

  • SHA256

    a52967cd57ab936447fb9d631ea2c1caa904aa37b698ac18919d57e42017df55

  • SHA512

    db7398671f2c9e49d81691edb7157f6dc98eea14e9034bbbf86a21a1ad190d4b3a04a6a640979dc3e7535e9ca4c62a68aa4df0c9d6c3f78c59724842eceb1f0d

  • SSDEEP

    3072:H3/zbgow3dlSHbG+btjnOBQnC3GDNdZwCxaOKFmh5:H3/vgZsPbpCKGLMh

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

26.ip.gl.ply.gg:45556

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7993755657:AAFO640EjOsY8e2cOR8daPzBSHn1uGW4C9s/sendMessage?chat_id=6749074492

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ILOADER.exe
    "C:\Users\Admin\AppData\Local\Temp\ILOADER.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ILOADER.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ILOADER.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    e93cb6b4a6dcfb86756f374039532b5a

    SHA1

    7dacdc0a61019f1b7f3ba54d9efa219e90f057ae

    SHA256

    80e83f741c13f3393b080fc9fc09f4d18474bc3e5d50628517b07ba8775a8f1f

    SHA512

    3fa85b4fdfdc2ed3c8111e24a39924f020e0378f8ea1956ec3edecab231e9bfb3280d2c201a215b18e08730430179f74078bc5e810bd3ca7129b644b9239e800

    Download Submit

  • memory/1868-0-0x000007FEF6473000-0x000007FEF6474000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1868-1-0x0000000000340000-0x000000000035E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1868-27-0x000000001B2A0000-0x000000001B320000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1868-28-0x000007FEF6473000-0x000007FEF6474000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1868-29-0x000000001B2A0000-0x000000001B320000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2808-6-0x0000000002BC0000-0x0000000002C40000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2808-7-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2808-8-0x0000000000560000-0x0000000000568000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2868-14-0x000000001B560000-0x000000001B842000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2868-15-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

    Filesize

    32KB

    Download