xworm | e1969f5cf0a443b9d7416122f6a93da6847abe2a6f098c4088cc93aa0ff54324

Analysis

max time kernel
60s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2025, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EC.exe
Size

606KB
MD5

a360792e294edd8b69a58abf9792e0ab
SHA1

92d7bf026f2690e0955ad40a06450478e2a2169f
SHA256

e1969f5cf0a443b9d7416122f6a93da6847abe2a6f098c4088cc93aa0ff54324
SHA512

991fa53dbede43a38acf1d1ddf575add1e26cd78b5ae517ca68148e5f3d8087b0261695744482ba2f6f30fcdad7be6b555bae5ae73ed07f099a55e11bda26cb7
SSDEEP

12288:ylebH7ETMiQU1mTUBF8YcjXuQwYVl6ai/emTUBjO3AWQlOrRFR:ylM7Ezv8YczuQTlFi/eQmO3AGrRFR

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

2.58.56.237:53

Attributes

Install_directory
%AppData%
install_file
Svhost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000229c7-6.dat	family_xworm
behavioral1/memory/2236-18-0x0000000000F40000-0x0000000000F58000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	EC.exe

Executes dropped EXE 2 IoCs

pid	Process
2236	XClient.exe
3944	Cheat-Made-by-Covllld;).exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3944	Cheat-Made-by-Covllld;).exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	XClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2236	1468	EC.exe	87
PID 1468 wrote to memory of 2236	1468	EC.exe	87
PID 1468 wrote to memory of 3944	1468	EC.exe	88
PID 1468 wrote to memory of 3944	1468	EC.exe	88

C:\Users\Admin\AppData\Local\Temp\EC.exe
"C:\Users\Admin\AppData\Local\Temp\EC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Users\Admin\AppData\Roaming\Cheat-Made-by-Covllld;).exe
  "C:\Users\Admin\AppData\Roaming\Cheat-Made-by-Covllld;).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Cheat-Made-by-Covllld;).exe

Filesize
520KB

MD5
51a539469ad26aa790469eda6863133b

SHA1
b8b3101384192da1d2a4a4475bbddd67a487b621

SHA256
3d09d48543c6b5ec47551237974af3de97528c8f5223f23a93830c0f4f8d7971

SHA512
29b7cd9823a97f2587c4fd54119fcb536daa68c74a5a0bd16d00d96921a43833f4c66146202509d8e9cd5ce48e62e7a8af2ad8b346794e14083460fed42ab9df

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
72KB

MD5
2c5da7d66b8db9b983dd5ee0e1b40bd6

SHA1
3c10875859a68bbef32c93035ac54a7cd9bd44ff

SHA256
ba633233cd70a59416eede6d0036f89fc8ebcbe14f2079076ccf78749f9de087

SHA512
f06f47540e0d2404aae7605926b4bec68b7f3f45cf4d77e4aa141632eadcdbd2a6517c64f97842f772a9a8cb5a3283e245992e8085c931935cb3f92aabb44686

Download Submit
memory/1468-0-0x00007FFCF6543000-0x00007FFCF6545000-memory.dmp

Filesize
8KB

Download
memory/1468-1-0x0000000000470000-0x000000000050E000-memory.dmp

Filesize
632KB

Download
memory/2236-18-0x0000000000F40000-0x0000000000F58000-memory.dmp

Filesize
96KB

Download
memory/2236-23-0x00007FFCF6540000-0x00007FFCF7001000-memory.dmp

Filesize
10.8MB

Download
memory/2236-24-0x00007FFCF6540000-0x00007FFCF7001000-memory.dmp

Filesize
10.8MB

Download
memory/2236-25-0x00007FFCF6540000-0x00007FFCF7001000-memory.dmp

Filesize
10.8MB

Download