xworm | 545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb.exe
Size

4.1MB
MD5

9527ef0d6e62331be36135edcc600ae5
SHA1

2b5dd4d06c19fba9942a5b946a6464f7c4e349d0
SHA256

68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb
SHA512

6025e530b6f409d0619368e48bf7578ac06355f71d120c79ba42e15ef39334eb07c449ac707fae46e045de35404413e7ae412815140fcf5608ec256a0c4f9fec
SSDEEP

98304:5/rCoiMeed3IE1/xbUoEe78elDBupBPg8zUUdXT07/5/j2CoReeOnL8lZoJDXpFW:5jBiMeeR1/xbUoEe78elDBupBPg8zUUv

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

185.84.160.71:7000

Mutex

jmAK2aVwB6NI7XLe

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral17/files/0x00050000000194f6-10.dat	family_xworm
behavioral17/memory/2892-12-0x00000000013C0000-0x00000000013EE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
2652	FullOption_2.1.exe
2892	Microsoft Edge.exe

Loads dropped DLL 1 IoCs

pid	Process
2748	68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	Microsoft Edge.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2652	2748	68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb.exe	30
PID 2748 wrote to memory of 2652	2748	68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb.exe	30
PID 2748 wrote to memory of 2652	2748	68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb.exe	30
PID 2748 wrote to memory of 2892	2748	68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb.exe	31
PID 2748 wrote to memory of 2892	2748	68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb.exe	31
PID 2748 wrote to memory of 2892	2748	68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb.exe	31

C:\Users\Admin\AppData\Local\Temp\68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb.exe
"C:\Users\Admin\AppData\Local\Temp\68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\FullOption_2.1.exe
  "C:\Users\Admin\AppData\Local\FullOption_2.1.exe"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Users\Admin\AppData\Local\Microsoft Edge.exe
  "C:\Users\Admin\AppData\Local\Microsoft Edge.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FullOption_2.1.exe

Filesize
3.9MB

MD5
2f6e9c0dd1c6859a9d6e7acea1db9ac0

SHA1
b0dcd2be62b6a559e479de7745ab0988b8b30522

SHA256
122e3cb0f2ad233d1a364911d433667e7778f00d9a7d10b954c994f4e8093d1f

SHA512
fe3634f46afd5b45f0ffc721a18b5ef1b1344b548f90b8c54ea6995e3d64b7394b56c681b1a0522b67e862fce9d8333b621612a2f03708e7dbc917a28c58c15d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft Edge.exe

Filesize
167KB

MD5
b044c30943520250fc885f18f6427b58

SHA1
35bfd3ec28c0a5aa157465f8f07fe7066e9f2ee7

SHA256
b9632fbce0d6d45f75bd59a99681a6543c381e9c3dc301c6c52c5d32ebc20e54

SHA512
e98db057e1203a99072ad27fa0a0190cedc03fd87a00ee48e285168b3fd5afd16aad63f5d212ee4a5216492bd7a475102522cb47265316ccf52bb459c5bb416e

Download Submit
memory/2748-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x0000000000340000-0x0000000000754000-memory.dmp

Filesize
4.1MB

Download
memory/2892-12-0x00000000013C0000-0x00000000013EE000-memory.dmp

Filesize
184KB

Download
memory/2892-13-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-14-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-15-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

Filesize
9.9MB

Download