xworm | f8eb9b286a0d33e287568961f883aa9d1be6e9ec8cf5eee3a3a1a6b106d02f74

Analysis

max time kernel
156s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba4d84a77a0cf661df6c88fd41e6d9688f0d2a98ccbdc0555941206969c2df85.exe
Size

1.6MB
MD5

7ea9ab2735abf3ed79269a0b44ddd447
SHA1

92e8b7c97db955d908a108764cb570926d2fa2ed
SHA256

ba4d84a77a0cf661df6c88fd41e6d9688f0d2a98ccbdc0555941206969c2df85
SHA512

b6bd25318dbab31b4e56ecb35a1a11efff6fcfa3c92a16432f55acf8082fb5f90f0a9a8b1774a11711ffa832fef639edfbf58dbbb4213b356619a2c799433254
SSDEEP

49152:94FdetMVCK1LVXXQezP3+Wgm18VeWoAVvqPDe:OdkCCK3XXQO18VeWTVvqPDe

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

vanechkin-51361.portmap.host:51361

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral27/files/0x000b000000012262-7.dat	family_xworm
behavioral27/memory/2912-9-0x0000000000250000-0x000000000026C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
2912	svchost.exe
2804	Extreme Injector v3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	svchost.exe
Token: SeDebugPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: SeDebugPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2804	Extreme Injector v3.exe
Token: 33	2804	Extreme Injector v3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2912	2876	ba4d84a77a0cf661df6c88fd41e6d9688f0d2a98ccbdc0555941206969c2df85.exe	30
PID 2876 wrote to memory of 2912	2876	ba4d84a77a0cf661df6c88fd41e6d9688f0d2a98ccbdc0555941206969c2df85.exe	30
PID 2876 wrote to memory of 2912	2876	ba4d84a77a0cf661df6c88fd41e6d9688f0d2a98ccbdc0555941206969c2df85.exe	30
PID 2876 wrote to memory of 2804	2876	ba4d84a77a0cf661df6c88fd41e6d9688f0d2a98ccbdc0555941206969c2df85.exe	31
PID 2876 wrote to memory of 2804	2876	ba4d84a77a0cf661df6c88fd41e6d9688f0d2a98ccbdc0555941206969c2df85.exe	31
PID 2876 wrote to memory of 2804	2876	ba4d84a77a0cf661df6c88fd41e6d9688f0d2a98ccbdc0555941206969c2df85.exe	31

C:\Users\Admin\AppData\Local\Temp\ba4d84a77a0cf661df6c88fd41e6d9688f0d2a98ccbdc0555941206969c2df85.exe
"C:\Users\Admin\AppData\Local\Temp\ba4d84a77a0cf661df6c88fd41e6d9688f0d2a98ccbdc0555941206969c2df85.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
85KB

MD5
2110dce68c8b52f3cfd4e53c5d8434c2

SHA1
b6c51e2e4009c0ab5e8990b85a39ca57659a9b66

SHA256
17b7b15868c80b8190eb9ddc168c420c90f5da386c166c86e51fdcda96911f6a

SHA512
b5dca21533bc1849a70804da37e3787f086513e8d57fe737c265b8ba5b60d8bb85b485b3e46d24f4590686e3d7d2cad32fd77b8f0438be114623987ab9858c2f

Download Submit
memory/2804-17-0x00000000002A0000-0x0000000000486000-memory.dmp

Filesize
1.9MB

Download
memory/2876-5-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-0-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

Filesize
4KB

Download
memory/2876-2-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

Filesize
4KB

Download
memory/2876-16-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-1-0x0000000000EB0000-0x0000000001046000-memory.dmp

Filesize
1.6MB

Download
memory/2912-9-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/2912-12-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-18-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-20-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-21-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download