Overview

overview

10

Static

static

3

SecuriteIn...79.exe

windows7-x64

10

SecuriteIn...79.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2025, 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.RATX-gen.5196.22979.exe

  • Size

    315KB

  • MD5

    918f83cd6d935bd729990142f8e276e0

  • SHA1

    bd15b5a29a83b86d1ab177f16f6d0f3a54dc6741

  • SHA256

    8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088

  • SHA512

    c8e529a268fa1ca589d362538b9b9368a518cdead33cbe383dbb7ffdcced101950911e0cea4ebf0b5343583e48e3b8b490c3167874505a09d53da57cf25f05f1

  • SSDEEP

    1536:LTJkxPIwcXpo/s/wyQC7CEJ0nMbYcj/RPc4YjDI4ox0V+s4jDu3Eyufeso1+qUQB:LNqP3UW/s4LQYGhcC1yufwqXYoQN

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.211:4444

aes.plain

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.5196.22979.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.5196.22979.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xejoth2n\xejoth2n.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF71.tmp" "c:\Users\Admin\AppData\Local\Temp\xejoth2n\CSC7ACAE22E489248AE959025F8E2AB7BC.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1108
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
        PID:3816
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
          PID:3468
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4612

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESEF71.tmp
        Filesize

        1KB

        MD5

        9048ee86608030a558e8233fdca2d02b

        SHA1

        df969a6bd1a9c414468a1d6a1e406d0ab456b152

        SHA256

        77ab1de4a4db162ce620f7686f62bb323978e3e45b6b20076047a65910bd50a9

        SHA512

        b92deee01e9d56339f3f7d83c349d7985a6be53740729a89f5d2beaf6e73ea94dc4f13e70da6330d04336c6be01e6beb53576f9f035a7ced482993dcbf6f2976

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\xejoth2n\xejoth2n.dll
        Filesize

        41KB

        MD5

        0f1809ae5d942b07fe2bcb11504dbfaa

        SHA1

        25c25b396dce2b34f9b524efe5660e13d1e9815c

        SHA256

        cb31496a16f1c3cd78c57cd22bc1a49566ce88dc211ae84ef9bf951a288ab2a1

        SHA512

        df6f5e92ca57949aa1c4926ed81ab5ac7ac9377d6afe0f3ae0e2447c994cad94b0b0150a08c9fcbc3bb094fb773c14480b8adc7afd02df4e10cb2986917e36f2

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\xejoth2n\CSC7ACAE22E489248AE959025F8E2AB7BC.TMP
        Filesize

        652B

        MD5

        5339e6834f660b4b18a41102e62dda99

        SHA1

        373ddd1dbcae8e013be575183e2362289eb5ea87

        SHA256

        f778379b4773a14402f15482cf10322e7930a410d6592c6de129dc0c01a290c4

        SHA512

        785d5ed2d8727ce0f7fdde0d1da6e5c968bf4e269e3b933a89b9d84ee0fdcdaf0480f3d1a3a06d6ac704a09f49aa8a2ebabf1325fcd87e7799c174b0deb91df6

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\xejoth2n\xejoth2n.0.cs
        Filesize

        101KB

        MD5

        321752ec5d5fef01d4f146035796f9df

        SHA1

        a46dbf6fb95d498fd733d4fde9a3d1b5917ba1f3

        SHA256

        9e9c63652e73aeaf0904794cfe6428f5f72faa493a6d9815dadceb3ef911a393

        SHA512

        5a52ac4a13f4bb6b5813fc3ca446e3366e4902acb7675356a2d675ee612d2bd3affdebc1c446e59a1cc2ab64640b59a09b2e00c25729ccb4c93b1985249b9d73

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\xejoth2n\xejoth2n.cmdline
        Filesize

        204B

        MD5

        8b512ed09dbd6c8c2223159916735073

        SHA1

        e60f39d1ce6a8da070bc995f5ff4a42cd9a5179a

        SHA256

        40cad58f816363a64ed165b248b3e87d7768cb30ee39c611f8dd0282e522d4aa

        SHA512

        d059a79d501ba73db97b0e4e9910721592f7fe25d95443fc723a401e62bcb3a623acfe3b8097b9f370e3fe6cdd91f065ead40fc21c0372db420e39f1289cfe50

        Download Submit

      • memory/4236-15-0x0000000003030000-0x0000000003040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4236-19-0x0000000074AA0000-0x0000000075250000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4236-1-0x0000000000DD0000-0x0000000000E24000-memory.dmp

        Filesize

        336KB

        Download

      • memory/4236-0-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4236-5-0x0000000074AA0000-0x0000000075250000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4612-21-0x0000000005740000-0x00000000057DC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4612-20-0x0000000074AA0000-0x0000000075250000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4612-17-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4612-22-0x0000000074AA0000-0x0000000075250000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4612-23-0x0000000005E40000-0x0000000005EA6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4612-24-0x0000000074AA0000-0x0000000075250000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4612-25-0x0000000074AA0000-0x0000000075250000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4612-26-0x0000000006830000-0x00000000068C2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4612-27-0x0000000006E80000-0x0000000007424000-memory.dmp

        Filesize

        5.6MB

        Download