Overview

overview

10

Static

static

10

ILOADER.exe

windows7-x64

10

ILOADER.exe

windows10-2004-x64

10

ILOADER.exe

windows10-ltsc 2021-x64

10

ILOADER.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    145s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250217-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    07/03/2025, 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ILOADER.exe

  • Size

    102KB

  • MD5

    f3071053a4a5b7c6116390e2d4aed29d

  • SHA1

    5056680a6e64137d31edfcd8a163225c642badc9

  • SHA256

    a52967cd57ab936447fb9d631ea2c1caa904aa37b698ac18919d57e42017df55

  • SHA512

    db7398671f2c9e49d81691edb7157f6dc98eea14e9034bbbf86a21a1ad190d4b3a04a6a640979dc3e7535e9ca4c62a68aa4df0c9d6c3f78c59724842eceb1f0d

  • SSDEEP

    3072:H3/zbgow3dlSHbG+btjnOBQnC3GDNdZwCxaOKFmh5:H3/vgZsPbpCKGLMh

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

26.ip.gl.ply.gg:45556

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7993755657:AAFO640EjOsY8e2cOR8daPzBSHn1uGW4C9s/sendMessage?chat_id=6749074492

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ILOADER.exe
    "C:\Users\Admin\AppData\Local\Temp\ILOADER.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ILOADER.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ILOADER.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:4356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    c67441dfa09f61bca500bb43407c56b8

    SHA1

    5a56cf7cbeb48c109e2128c31b681fac3959157b

    SHA256

    63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

    SHA512

    325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    29d056d9bc9b4ec73b3c65ff2ab3de06

    SHA1

    dc003908eba5553852886f062ad1c37072e2ffe1

    SHA256

    65290526acdf94c202c88fe590659e4358495e3ad18040f6a380aae80bec3044

    SHA512

    f24d3803b7acbbc627655ce4ea0bf3f3f8a33ce094555688e0ff09192625c068af34cb5694dc00b7f0b9ec1d00dcc060c2df03f967bc5cdb7e3b53c69c7ef326

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    f4c1c18ed669bc2f21801f8490e5db92

    SHA1

    3e169527b65b12d7c11e00bdf565006c98ac1af0

    SHA256

    ea4f89ca8e96fb8c4f0cd3cc9fca017c2011ae0be23c175a94e0da3cad4834ee

    SHA512

    e08fe0985f1ebeaf3a0568cb6757a7f2349b2519e1138034f183e637549c133d15f085576dd6d2a0d6171e6ef55c93b677af958873ba5919f7c567b56f9c6ca0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vavrzgey.dkf.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/4396-12-0x00007FFD2FD20000-0x00007FFD307E2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4396-14-0x00007FFD2FD20000-0x00007FFD307E2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4396-15-0x00007FFD2FD20000-0x00007FFD307E2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4396-16-0x00007FFD2FD20000-0x00007FFD307E2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4396-19-0x00007FFD2FD20000-0x00007FFD307E2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4396-13-0x00007FFD2FD20000-0x00007FFD307E2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4396-2-0x00000289BC920000-0x00000289BC942000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4976-0-0x00007FFD2FD23000-0x00007FFD2FD25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4976-1-0x0000000000DE0000-0x0000000000DFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4976-54-0x00007FFD2FD23000-0x00007FFD2FD25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4976-56-0x00007FFD2FD20000-0x00007FFD307E2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4976-57-0x00007FFD2FD20000-0x00007FFD307E2000-memory.dmp

    Filesize

    10.8MB

    Download