xworm | de4e0c559892f2e6532a81f41f2dc7881abcb21f10cef2f0b8e1c08f028ed274

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VelocitySupportTool.exe
Size

409KB
MD5

89c1e3a7ec9d20a6a19d33733ddfb45d
SHA1

92e295c1a64cb1a7cff25da640d427d494913ea6
SHA256

de4e0c559892f2e6532a81f41f2dc7881abcb21f10cef2f0b8e1c08f028ed274
SHA512

8a0db537fb949c274db4bc0ddf1b8e1075fe9a944c72e0f2790846288844a81870afdd549dfe2850deabf34aebfeca38faddf49128f3a25ce99660421858998d
SSDEEP

6144:WzgYQ6Sr8vQUroyIzypnSiO3duT8dQ5dAGgtxLnCN9eo9kMAfjKFfjqKatZqFYp:Wzg0Qw1mAyQWtxjyeoOpjK8H

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/izCnqikF

Extracted

Family

xworm

Version

5.0

Mutex

qxXFT7Xfzgf1uMiL

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/MNJM1De2

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023d94-6.dat	family_xworm
behavioral1/files/0x0008000000023d9a-17.dat	family_xworm
behavioral1/memory/100-25-0x00000000001D0000-0x0000000000218000-memory.dmp	family_xworm
behavioral1/memory/340-26-0x0000000000500000-0x0000000000528000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe

Executes dropped EXE 2 IoCs

pid	Process
100	VelocitySupportTool.exe
340	VelocitySupport.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	100	VelocitySupportTool.exe
Token: SeDebugPrivilege	340	VelocitySupport.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 100	3932	VelocitySupportTool.exe	85
PID 3932 wrote to memory of 100	3932	VelocitySupportTool.exe	85
PID 3932 wrote to memory of 340	3932	VelocitySupportTool.exe	86
PID 3932 wrote to memory of 340	3932	VelocitySupportTool.exe	86

C:\Users\Admin\AppData\Local\Temp\VelocitySupportTool.exe
"C:\Users\Admin\AppData\Local\Temp\VelocitySupportTool.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
  "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:100
- C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
  "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\VelocitySupport.exe

Filesize
138KB

MD5
a705df8248ae95c4c123793b6235821a

SHA1
4eab0a8288be174489b3858ecb7ef1cb673c2799

SHA256
4ee52b38617c54e3445e3bfadbca1776d577ff50f88169c3613852d16eb39ba2

SHA512
5b41d3ef942c0e5ae137d7dcac59aaa782697e9de35f9a7a8a096f27e3a9c88ba16307ec24caf1d26c7db7f50f3f4568b48f01b9542ea0551db416e43d94bef0

Download Submit
C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe

Filesize
260KB

MD5
b6146f0fe72e1c9095f635f5e16cfa04

SHA1
995aca3575dc15568669b23574c909bd1a32df7e

SHA256
4352c43fd5bca3c41abe3051190ce1f83da64158d564330ed5375d3fd40b156a

SHA512
cb6f968a4fc7390979e03b68cbdc6ad99975be950776dc963f904e0ca21d55bff86ac6010f580e6c6d98015859d7667cade850150c38f2123da29df23b2627c0

Download Submit
memory/100-25-0x00000000001D0000-0x0000000000218000-memory.dmp

Filesize
288KB

Download
memory/100-27-0x00007FF9562F0000-0x00007FF956DB1000-memory.dmp

Filesize
10.8MB

Download
memory/100-30-0x00007FF9562F0000-0x00007FF956DB1000-memory.dmp

Filesize
10.8MB

Download
memory/100-31-0x00007FF9562F0000-0x00007FF956DB1000-memory.dmp

Filesize
10.8MB

Download
memory/340-26-0x0000000000500000-0x0000000000528000-memory.dmp

Filesize
160KB

Download
memory/340-28-0x00007FF9562F0000-0x00007FF956DB1000-memory.dmp

Filesize
10.8MB

Download
memory/340-29-0x00007FF9562F0000-0x00007FF956DB1000-memory.dmp

Filesize
10.8MB

Download
memory/340-32-0x00007FF9562F0000-0x00007FF956DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3932-0-0x00007FF9562F3000-0x00007FF9562F5000-memory.dmp

Filesize
8KB

Download
memory/3932-1-0x0000000000D90000-0x0000000000DFC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads