xworm | e2b875684ea73c67806091b51f2fb27b7f784f93435074f570a3eb463efc573a

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08/03/2025, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Siggen21.26995.15475.25038.exe
Size

8.5MB
MD5

82edfa1b3ecde491c27dd45a4e1eaf2a
SHA1

efdb3e54f2713b11c75e614354db267750b60c31
SHA256

e2b875684ea73c67806091b51f2fb27b7f784f93435074f570a3eb463efc573a
SHA512

d4ae7de28c28d17211a7806ba62ff8869bbbdecff4fca7cd7cd0c44f757345cf2cdb637fa8561892865a5d35c61f979a013c67af60431967048ea72394de1c33
SSDEEP

196608:GrXsUMEtp66sGT9GZXv9WaQl+12YctXZ4m4dx0dZlt:GrTMEtPs+uFWNJnXZ4Vdx0

Score

10^/10

xworm rat trojan upx

Malware Config

Extracted

Family

xworm

127.0.0.1:14182

figure-cement.gl.at.ply.gg:14182

Attributes

Install_directory
%AppData%
install_file
Loader.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1888-7-0x0000000000CB0000-0x0000000000CCC000-memory.dmp	family_xworm
behavioral1/files/0x000c00000001202c-6.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 4 IoCs

pid	Process
1888	Loader.exe
1876	AkOmnJfH02FH@912EDM#.exe
2604	AkOmnJfH02FH@912EDM#.exe
1128	Process not Found

Loads dropped DLL 8 IoCs

pid	Process
2988	SecuriteInfo.com.Trojan.Siggen21.26995.15475.25038.exe
2604	AkOmnJfH02FH@912EDM#.exe
2604	AkOmnJfH02FH@912EDM#.exe
2604	AkOmnJfH02FH@912EDM#.exe
2604	AkOmnJfH02FH@912EDM#.exe
2604	AkOmnJfH02FH@912EDM#.exe
2604	AkOmnJfH02FH@912EDM#.exe
2604	AkOmnJfH02FH@912EDM#.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2604-91-0x000007FEF1FB0000-0x000007FEF2614000-memory.dmp	upx
behavioral1/files/0x000500000001962b-90.dat	upx
behavioral1/memory/2604-95-0x000007FEF1FB0000-0x000007FEF2614000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	Loader.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1888	2988	SecuriteInfo.com.Trojan.Siggen21.26995.15475.25038.exe	30
PID 2988 wrote to memory of 1888	2988	SecuriteInfo.com.Trojan.Siggen21.26995.15475.25038.exe	30
PID 2988 wrote to memory of 1888	2988	SecuriteInfo.com.Trojan.Siggen21.26995.15475.25038.exe	30
PID 2988 wrote to memory of 1876	2988	SecuriteInfo.com.Trojan.Siggen21.26995.15475.25038.exe	31
PID 2988 wrote to memory of 1876	2988	SecuriteInfo.com.Trojan.Siggen21.26995.15475.25038.exe	31
PID 2988 wrote to memory of 1876	2988	SecuriteInfo.com.Trojan.Siggen21.26995.15475.25038.exe	31
PID 1876 wrote to memory of 2604	1876	AkOmnJfH02FH@912EDM#.exe	32
PID 1876 wrote to memory of 2604	1876	AkOmnJfH02FH@912EDM#.exe	32
PID 1876 wrote to memory of 2604	1876	AkOmnJfH02FH@912EDM#.exe	32

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen21.26995.15475.25038.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen21.26995.15475.25038.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Roaming\Loader.exe
  "C:\Users\Admin\AppData\Roaming\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Users\Admin\AppData\Roaming\AkOmnJfH02FH@912EDM#.exe
  "C:\Users\Admin\AppData\Roaming\AkOmnJfH02FH@912EDM#.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Users\Admin\AppData\Roaming\AkOmnJfH02FH@912EDM#.exe
    "C:\Users\Admin\AppData\Roaming\AkOmnJfH02FH@912EDM#.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AkOmnJfH02FH@912EDM#.exe

Filesize
8.4MB

MD5
854c20ac6ea6e2b964a5ca8205f9ebbc

SHA1
76e9da35d8b0f3acf66a5d4b174242c251957a01

SHA256
953f7b4a94c68264f7da2d473b26e37c08cc68de3fa8fc8b6c88416e8cc7954f

SHA512
0caa40a8888538840d831adda020f7a21800c01da611c46f8c53515f82377d638e972645eb61a0c8ef56244d9df73b1c3a5367175d9ebd78db10825db9d0e38e

Download Submit
C:\Users\Admin\AppData\Roaming\Loader.exe

Filesize
85KB

MD5
3ec7b8b05f5e7c605b78d59a41779ec9

SHA1
23b43d015f1ccc0d6e9b0209654d2688512eda8a

SHA256
6c2b376872b8b966ff746a1d7a4092c9d70f7d070bd0e27d8956dbf9999d76c1

SHA512
317812006c4e4d4cda69138d91c76fee330301c0f15523ed2e51746b55729b071ef501e85f150e54b3b573c5f044129b87bde126f1d254de59ac710aa7a21069

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
33f2eeb40f245d3114df277f00d3160c

SHA1
54ebdde675d1f921988a404deef6c52bcfd5ac9d

SHA256
12bce3364b96571e89a8bec10ecaa3131959b40d2f6a8bec13086919020ee054

SHA512
4ef5653c3f781f0d7b999c89a48172cd8c4321cb54f3cf4aa9f0c116821f328e408f8bc91fb051723a813f6c3c8c16f2944fef5bf4a7e016898ae8bd994ab9ce

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\api-ms-win-core-file-l2-1-0.dll

Filesize
20KB

MD5
50abf0a7ee67f00f247bada185a7661c

SHA1
0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1

SHA256
f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7

SHA512
c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
f5716e905c45e27ab2bcde0f962c22be

SHA1
72a196c93f43d00da7791c9bc6334a93dc8c6e16

SHA256
f0384cdc9015ccf808b27d89aab47ff62d77701f9d8ef96096a1b213204ef41d

SHA512
fe43857608600f8a3450f52f5b4f6a69ee0edcafe26440257d064bc434aaf3f2d3be581a3b3985e45dc1919adfa438369f64b8f91d962d210cc2ab0b51f74c4c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
ab3986b27d4f6eb2b304c20a424e5ea5

SHA1
5f7f012acb02fb1606d0c0dffd0f1cc88276b340

SHA256
840d6953082758031ed604853447bdd3509b1e21bf80a30355db45f52a367c43

SHA512
9f5918baf2f8f0997728c8d3242f2ffffaf06eb34e34e9f100aca396ab80611e42f77a163db2dbf27aa7755647d260f6a2529efed66d1c5b4278b7a4aa0692e6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
a776cc5105fd23c1fc68a122c8607def

SHA1
5b7b7defe72d9a2c3209a96430d62fe09e007689

SHA256
b34171187edcdb6c3700919ac791b0ac9762058e7b5268d1b44e7428d06585cf

SHA512
4b1f6b376428903751f046ade693808423306e8fb5925119751439320ba1afb6a50b097864cb436a7f704468af0d68458bcd354ebb8852e01bafde0cf9b9d264

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\python313.dll

Filesize
1.8MB

MD5
2a4aad7818d527bbea76e9e81077cc21

SHA1
4db3b39874c01bf3ba1ab8659957bbc28aab1ab2

SHA256
4712a6bb81b862fc292fcd857cef931ca8e4c142e70eaa4fd7a8d0a96aff5e7e

SHA512
d10631b7fc25a8b9cc038514e9db1597cec0580ee34a56ce5cfc5a33e7010b5e1df7f15ec30ebb351356e2b815528fb4161956f26b5bfaf3dce7bc6701b79c68

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
memory/1888-10-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/1888-7-0x0000000000CB0000-0x0000000000CCC000-memory.dmp

Filesize
112KB

Download
memory/1888-92-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/1888-94-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-91-0x000007FEF1FB0000-0x000007FEF2614000-memory.dmp

Filesize
6.4MB

Download
memory/2604-95-0x000007FEF1FB0000-0x000007FEF2614000-memory.dmp

Filesize
6.4MB

Download
memory/2988-1-0x0000000000990000-0x0000000001218000-memory.dmp

Filesize
8.5MB

Download
memory/2988-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download