Overview

overview

10

Static

static

10

ILOADER.exe

windows7-x64

10

ILOADER.exe

windows10-2004-x64

10

ILOADER.exe

windows10-ltsc 2021-x64

10

ILOADER.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    143s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07/03/2025, 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ILOADER.exe

  • Size

    102KB

  • MD5

    f3071053a4a5b7c6116390e2d4aed29d

  • SHA1

    5056680a6e64137d31edfcd8a163225c642badc9

  • SHA256

    a52967cd57ab936447fb9d631ea2c1caa904aa37b698ac18919d57e42017df55

  • SHA512

    db7398671f2c9e49d81691edb7157f6dc98eea14e9034bbbf86a21a1ad190d4b3a04a6a640979dc3e7535e9ca4c62a68aa4df0c9d6c3f78c59724842eceb1f0d

  • SSDEEP

    3072:H3/zbgow3dlSHbG+btjnOBQnC3GDNdZwCxaOKFmh5:H3/vgZsPbpCKGLMh

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

26.ip.gl.ply.gg:45556

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7993755657:AAFO640EjOsY8e2cOR8daPzBSHn1uGW4C9s/sendMessage?chat_id=6749074492

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ILOADER.exe
    "C:\Users\Admin\AppData\Local\Temp\ILOADER.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ILOADER.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ILOADER.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:6140

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    aa4f31835d07347297d35862c9045f4a

    SHA1

    83e728008935d30f98e5480fba4fbccf10cefb05

    SHA256

    99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

    SHA512

    ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    3f6782e9efc05a9bf8b8dc803a5fcbc9

    SHA1

    f610eaa889a504cf1118ec63bcc504c4b797e8c6

    SHA256

    774db181f85af841f045f785f8e253c72848fc4bd0fb867f67c5e8dcbb19064a

    SHA512

    a404de6b21c032b4cad6569816c4e7d95a025191a4b4ce7d312bbd2bc71c868413e2b790433641714c1120c52712ae43c45cb7a9c9be59f18031c01a773ab4c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    8082885362359f72fb414d2fa6ad357d

    SHA1

    c6111820bcf1adf9ac4e8a441d984790465b6393

    SHA256

    0b70605985f4148a236426049c44406110e9edc165a0501f636015a30340beef

    SHA512

    b5d227b5ac6549566d7456616b98fe9aa62f6721be43a9e5674c35c2c9d218f7fec0fea978bdaff3ec73b6591c6e41efa8946526c2ab473da1c443a5a851a145

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2copqsyv.ood.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1928-12-0x00007FFDA4B30000-0x00007FFDA55F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1928-13-0x00007FFDA4B30000-0x00007FFDA55F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1928-14-0x00007FFDA4B30000-0x00007FFDA55F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1928-17-0x00007FFDA4B30000-0x00007FFDA55F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1928-18-0x00007FFDA4B30000-0x00007FFDA55F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1928-10-0x000001CBCB670000-0x000001CBCB692000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1928-11-0x00007FFDA4B30000-0x00007FFDA55F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4996-0-0x00007FFDA4B33000-0x00007FFDA4B35000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4996-1-0x0000000000D90000-0x0000000000DAE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4996-50-0x00007FFDA4B33000-0x00007FFDA4B35000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4996-52-0x00007FFDA4B30000-0x00007FFDA55F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4996-53-0x00007FFDA4B30000-0x00007FFDA55F2000-memory.dmp

    Filesize

    10.8MB

    Download