xworm | bb80103ac259b0a260fe3fabea6c6ceedf4286f43b24665a9ec30bc1b19bd267

Analysis

max time kernel
37s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files/1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74.exe
Size

2.5MB
MD5

a6506ab7846f51acccb092a6164c7677
SHA1

12a675e6434764b98335440220864bdffeb6cbfc
SHA256

1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74
SHA512

44d5c49b54011fed4332ab08375031543108b286a21768b35bd8bfab02cdb413b53cc1bc8e98c554008e9ca9d4ca9a92c03beab01db9a40e87908054b3dd9612
SSDEEP

49152:ZZPjorfOAfRxx13BIq8IYpSqxN7XGQKoBaJ3RIrMQJZipKE1:ZZkzD73i7pSqxNV5wQJwd1

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

remember-gene.gl.at.ply.gg:9389

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral28/files/0x000a000000024269-24.dat	family_xworm
behavioral28/memory/4628-30-0x0000000000730000-0x0000000000748000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74.exe

Executes dropped EXE 2 IoCs

pid	Process
4604	BootstrapperNew.exe
4628	roblox.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	roblox.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4604	4972	1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74.exe	86
PID 4972 wrote to memory of 4604	4972	1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74.exe	86
PID 4972 wrote to memory of 4628	4972	1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74.exe	87
PID 4972 wrote to memory of 4628	4972	1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74.exe	87

C:\Users\Admin\AppData\Local\Temp\Files\1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74.exe
"C:\Users\Admin\AppData\Local\Temp\Files\1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Users\Admin\AppData\Local\Temp\roblox.exe
  "C:\Users\Admin\AppData\Local\Temp\roblox.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe

Filesize
2.9MB

MD5
f227cdfd423b3cc03bb69c49babf4da3

SHA1
3db5a97d9b0f2545e7ba97026af6c28512200441

SHA256
cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

SHA512
b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\roblox.exe

Filesize
67KB

MD5
164ce479a8e750ae7f9ed94bf1a9dd70

SHA1
4365d349f9bba19c6568b1a7db444435c8f2a472

SHA256
4dc4aa3db5cc5989c820289038614e287dd347fbd6b64c697c89e6d52042c465

SHA512
a2670563ba3db3e3c55152abfb4f703f13ab71f2a0c449d5e0c774218f76d76bb6f3a226f8be0f1790e284f59f9ea99bcc30c41e99455284010f317078b3600b

Download Submit
memory/4604-39-0x000001C6EDB00000-0x000001C6EDB08000-memory.dmp

Filesize
32KB

Download
memory/4604-23-0x00007FFAB8560000-0x00007FFAB9021000-memory.dmp

Filesize
10.8MB

Download
memory/4604-47-0x00007FFAB8560000-0x00007FFAB9021000-memory.dmp

Filesize
10.8MB

Download
memory/4604-27-0x000001C6EA030000-0x000001C6EA312000-memory.dmp

Filesize
2.9MB

Download
memory/4604-46-0x00007FFAB8560000-0x00007FFAB9021000-memory.dmp

Filesize
10.8MB

Download
memory/4604-43-0x000001C6EDB40000-0x000001C6EDB48000-memory.dmp

Filesize
32KB

Download
memory/4604-35-0x000001C6ED950000-0x000001C6ED95E000-memory.dmp

Filesize
56KB

Download
memory/4604-42-0x000001C6ED970000-0x000001C6ED97A000-memory.dmp

Filesize
40KB

Download
memory/4604-31-0x000001C6EC000000-0x000001C6EC010000-memory.dmp

Filesize
64KB

Download
memory/4604-32-0x000001C6F1430000-0x000001C6F1438000-memory.dmp

Filesize
32KB

Download
memory/4604-41-0x000001C6EDAF0000-0x000001C6EDAFA000-memory.dmp

Filesize
40KB

Download
memory/4604-33-0x00007FFAB8560000-0x00007FFAB9021000-memory.dmp

Filesize
10.8MB

Download
memory/4604-40-0x000001C6EDB10000-0x000001C6EDB26000-memory.dmp

Filesize
88KB

Download
memory/4604-36-0x000001C6ED9C0000-0x000001C6EDAC0000-memory.dmp

Filesize
1024KB

Download
memory/4604-37-0x000001C6ED960000-0x000001C6ED96A000-memory.dmp

Filesize
40KB

Download
memory/4604-38-0x000001C6EDAC0000-0x000001C6EDAE6000-memory.dmp

Filesize
152KB

Download
memory/4604-34-0x000001C6ED980000-0x000001C6ED9B8000-memory.dmp

Filesize
224KB

Download
memory/4628-30-0x0000000000730000-0x0000000000748000-memory.dmp

Filesize
96KB

Download
memory/4628-45-0x00007FFAB8560000-0x00007FFAB9021000-memory.dmp

Filesize
10.8MB

Download
memory/4628-29-0x00007FFAB8560000-0x00007FFAB9021000-memory.dmp

Filesize
10.8MB

Download
memory/4972-0-0x00007FFAB8563000-0x00007FFAB8565000-memory.dmp

Filesize
8KB

Download
memory/4972-3-0x00007FFAB8560000-0x00007FFAB9021000-memory.dmp

Filesize
10.8MB

Download
memory/4972-28-0x00007FFAB8560000-0x00007FFAB9021000-memory.dmp

Filesize
10.8MB

Download
memory/4972-1-0x00000000005B0000-0x0000000000832000-memory.dmp

Filesize
2.5MB

Download