xworm | f4111d30be32600233ad61440ff2f9a6484f3ba6c04fae4b522fc09ab0de3831

Analysis

max time kernel
102s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4818942b6268d474373eadf8aa175f0de0315fc406eafa97d7fa7db7c154e9ae.exe
Size

3.7MB
MD5

9fca2a5278edc3a95d546f0ae7f3cbff
SHA1

c97159bcbf621e7b9374472ed53a4dd963f75cf7
SHA256

4818942b6268d474373eadf8aa175f0de0315fc406eafa97d7fa7db7c154e9ae
SHA512

447deeb5021f15c46ca4eb70cc46065d3bd041afde860dfa2a7b9a7fbd9c4640712ad4c221f220015d28251780e124ea0bc9a548f97e822946eafffe8169f211
SSDEEP

98304:AkSzpYRKKe/I765KN6fXVwfbC6gz5IfMTJInd:GPKeC65U69wfxUTa

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

expected-sega.gl.at.ply.gg:4730

chat-poster.gl.at.ply.gg:41534

193.161.193.99:21764

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral12/files/0x000d000000023f03-6.dat	family_xworm
behavioral12/memory/2448-13-0x0000000000B30000-0x0000000000B4C000-memory.dmp	family_xworm
behavioral12/files/0x000700000002406b-39.dat	family_xworm
behavioral12/files/0x000700000002406e-60.dat	family_xworm
behavioral12/memory/4064-67-0x0000000000830000-0x0000000000846000-memory.dmp	family_xworm
behavioral12/memory/4988-40-0x00000000007C0000-0x00000000007DC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	SolaraExecutor(1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	4818942b6268d474373eadf8aa175f0de0315fc406eafa97d7fa7db7c154e9ae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	BootStrapper(1).exe

Executes dropped EXE 6 IoCs

pid	Process
2448	XClient.exe
2668	BootStrapper(1).exe
4988	BootStrapper.exe
4960	SolaraExecutor(1).exe
4064	SolaraSupport.exe
3944	BootstrapperNew.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	XClient.exe
Token: SeDebugPrivilege	4988	BootStrapper.exe
Token: SeDebugPrivilege	4064	SolaraSupport.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 2448	4920	4818942b6268d474373eadf8aa175f0de0315fc406eafa97d7fa7db7c154e9ae.exe	86
PID 4920 wrote to memory of 2448	4920	4818942b6268d474373eadf8aa175f0de0315fc406eafa97d7fa7db7c154e9ae.exe	86
PID 4920 wrote to memory of 2668	4920	4818942b6268d474373eadf8aa175f0de0315fc406eafa97d7fa7db7c154e9ae.exe	87
PID 4920 wrote to memory of 2668	4920	4818942b6268d474373eadf8aa175f0de0315fc406eafa97d7fa7db7c154e9ae.exe	87
PID 2668 wrote to memory of 4988	2668	BootStrapper(1).exe	88
PID 2668 wrote to memory of 4988	2668	BootStrapper(1).exe	88
PID 2668 wrote to memory of 4960	2668	BootStrapper(1).exe	89
PID 2668 wrote to memory of 4960	2668	BootStrapper(1).exe	89
PID 4960 wrote to memory of 4064	4960	SolaraExecutor(1).exe	90
PID 4960 wrote to memory of 4064	4960	SolaraExecutor(1).exe	90
PID 4960 wrote to memory of 3944	4960	SolaraExecutor(1).exe	91
PID 4960 wrote to memory of 3944	4960	SolaraExecutor(1).exe	91

C:\Users\Admin\AppData\Local\Temp\4818942b6268d474373eadf8aa175f0de0315fc406eafa97d7fa7db7c154e9ae.exe
"C:\Users\Admin\AppData\Local\Temp\4818942b6268d474373eadf8aa175f0de0315fc406eafa97d7fa7db7c154e9ae.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Users\Admin\AppData\Roaming\BootStrapper(1).exe
  "C:\Users\Admin\AppData\Roaming\BootStrapper(1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Roaming\BootStrapper.exe
    "C:\Users\Admin\AppData\Roaming\BootStrapper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- - C:\Users\Admin\AppData\Roaming\SolaraExecutor(1).exe
    "C:\Users\Admin\AppData\Roaming\SolaraExecutor(1).exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Users\Admin\AppData\Roaming\SolaraSupport.exe
      "C:\Users\Admin\AppData\Roaming\SolaraSupport.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4064
  - - C:\Users\Admin\AppData\Roaming\BootstrapperNew.exe
      "C:\Users\Admin\AppData\Roaming\BootstrapperNew.exe"
      4⤵
      Executes dropped EXE
      PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BootStrapper(1).exe

Filesize
3.6MB

MD5
81fa80bed6f2f08ba07e9b06090df70e

SHA1
2df20de5a0ff2ea48159592a9ce4477998df32c3

SHA256
b365693f6cd3af2b86cf10839a5d098a5d081344bb0ad89211a2845991b43b7c

SHA512
7f2d2e6ad87d4e75083bc22cdc0eb5b6633a04b2fb8201f0c8bf9c5dec9a98d5734fae0da397d9448d14936ead20eea55d3587dbee765f418953578973a99edd

Download Submit
C:\Users\Admin\AppData\Roaming\BootStrapper.exe

Filesize
92KB

MD5
f3bc54ff38ea22dd33c72d9e054c47e2

SHA1
f5298333bb813c1ae4b4bcea9e2850d9ff3e2ba0

SHA256
2bbe176ba629ad6f1d2a14b2d545ad6467f8394095fbcae58ff063c93510d45d

SHA512
ee0ad86298b8aeeaec86689c83ee31de656e4eef1fd5c07d073e02382e6e2bcefce7153134293217922d814340f2835bc4fe20931fdb73949bc3ef10ffb5f0f0

Download Submit
C:\Users\Admin\AppData\Roaming\BootstrapperNew.exe

Filesize
3.4MB

MD5
37d3fcd5058c45d2c2bba065a5c22296

SHA1
22debc7d8cdf3efd9b65ad099592c68ad7fa2713

SHA256
774cc2deb69d990bb908b5b4a77314e474b357268dad92d917dcd85176f43ffd

SHA512
fcad1f64c733180c7812a673379a35e488ed3306ca6146b187c7627a670012cec2a9166bf88815fbc1468cb70e7a1215a54e34aab37cba0f4ded8ce914323bdc

Download Submit
C:\Users\Admin\AppData\Roaming\SolaraExecutor(1).exe

Filesize
3.5MB

MD5
ef9423e6d9a4040436177ca7b910a099

SHA1
0b04c65721e560f946c07dfb242ec312b9e303bc

SHA256
a7b00def0da39ce6cf45cb072e82ead00f9affa99710313276cff335afdfcef3

SHA512
11d17c27dfa7c773cff903ee7f220c1ba7cf76fe5caef77e14937f7fde5a972536f5ba99d48e3c8beb2a200e31dc13190d3101fe1d903268e347425a898bb5f1

Download Submit
C:\Users\Admin\AppData\Roaming\SolaraSupport.exe

Filesize
59KB

MD5
472fe7fe7163333db68640dc7827bc17

SHA1
35a127ed3c08379dd270761547f209bb56d6b9e8

SHA256
08da7551995bad095ca9e22ad11264e565a023caf9ef799f298f4c235ec44d26

SHA512
deeb4d4cc2234475ee6b0d21a259a91e38f8317324f4c2f68497e9081bdd87dd59c9f1cb89e2ef0cdb4c063ef5be95e6afd6aad9c63cf199c631533528aba006

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
91KB

MD5
32d4957922b7bd2d0a9c5a8218092787

SHA1
46d915d80472d970e5276650879c373d6cd2ed09

SHA256
aa82d5e314e7a13d4b038ee9359ec996028371fd3eb38bccff5ced6afe548663

SHA512
782ae2b2cd8390a5bc884ee534f43eb032a8715fba00edd843bbab8f3d12a0c478e7e1cfb66ef455a54522e825c31000a63c988fd2043f443d15575158e831f4

Download Submit
memory/2448-13-0x0000000000B30000-0x0000000000B4C000-memory.dmp

Filesize
112KB

Download
memory/2448-94-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/2448-93-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/2448-17-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/2668-28-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/2668-27-0x0000000000AD0000-0x0000000000E70000-memory.dmp

Filesize
3.6MB

Download
memory/2668-54-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/3944-86-0x000001A700070000-0x000001A700096000-memory.dmp

Filesize
152KB

Download
memory/3944-88-0x000001A700BC0000-0x000001A700BD6000-memory.dmp

Filesize
88KB

Download
memory/3944-83-0x000001A77DF80000-0x000001A77DF8E000-memory.dmp

Filesize
56KB

Download
memory/3944-79-0x000001A75DE40000-0x000001A75E1B0000-memory.dmp

Filesize
3.4MB

Download
memory/3944-89-0x000001A700BA0000-0x000001A700BAA000-memory.dmp

Filesize
40KB

Download
memory/3944-80-0x000001A75FE40000-0x000001A75FE50000-memory.dmp

Filesize
64KB

Download
memory/3944-87-0x000001A700BB0000-0x000001A700BB8000-memory.dmp

Filesize
32KB

Download
memory/3944-90-0x000001A700060000-0x000001A70006A000-memory.dmp

Filesize
40KB

Download
memory/3944-81-0x000001A77DF70000-0x000001A77DF78000-memory.dmp

Filesize
32KB

Download
memory/3944-84-0x000001A700AA0000-0x000001A700BA0000-memory.dmp

Filesize
1024KB

Download
memory/3944-91-0x000001A77DF90000-0x000001A77DF98000-memory.dmp

Filesize
32KB

Download
memory/3944-82-0x000001A77DFC0000-0x000001A77DFF8000-memory.dmp

Filesize
224KB

Download
memory/3944-85-0x000001A700050000-0x000001A70005A000-memory.dmp

Filesize
40KB

Download
memory/4064-67-0x0000000000830000-0x0000000000846000-memory.dmp

Filesize
88KB

Download
memory/4920-1-0x0000000000020000-0x00000000003DA000-memory.dmp

Filesize
3.7MB

Download
memory/4920-0-0x00007FFA59893000-0x00007FFA59895000-memory.dmp

Filesize
8KB

Download
memory/4960-53-0x0000000000690000-0x0000000000A14000-memory.dmp

Filesize
3.5MB

Download
memory/4988-40-0x00000000007C0000-0x00000000007DC000-memory.dmp

Filesize
112KB

Download