xworm | d85a5c0fecaca2bea8850f166dd29dcbc4e007ab34ee7d8ec4a37d80368c1767

Analysis

max time kernel
145s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 23:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.6/XwormLoader.exe
Size

7.9MB
MD5

004c566cb64a9b99f4422a767c072a22
SHA1

ab709644ce1f58b4a1874351a7971dd3fb9466a6
SHA256

d0c67ff5fa0ac161777a95d150fa523e0b26ea106144f99c32de8716a880236e
SHA512

9c0d2fa2bb5137e2d5934ff985c710a371c8f74d67f92a914da0ece44c2660d8abca5d90188ac5088e885d7e197c4ebb3488faf01516435e9e781c367f6bcc65
SSDEEP

196608:r//b4C6XrL5HfZBEhl3xZi5OslC9+PWbXooVl41u1mMFsr3g:r/yvRZBEP3xZi5Oso+PWbXooL4Sa3g

Score

10^/10

xworm execution rat trojan

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral32/files/0x0008000000023ca1-42.dat	family_xworm
behavioral32/memory/1748-54-0x0000000000260000-0x0000000000294000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4784	powershell.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral32/files/0x0008000000023ca1-42.dat	net_reactor
behavioral32/memory/1748-54-0x0000000000260000-0x0000000000294000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	XwormLoader.exe

Executes dropped EXE 2 IoCs

pid	Process
2516	Xworm V5.6.exe
1748	taskhostw.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\taskhostw.exe	XwormLoader.exe
File created	C:\Windows\taskhostw.exe	XwormLoader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2308	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1748	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4784	powershell.exe
4784	powershell.exe
1748	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	XwormLoader.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	1748	taskhostw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1748	taskhostw.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 2516	4872	XwormLoader.exe	82
PID 4872 wrote to memory of 2516	4872	XwormLoader.exe	82
PID 4872 wrote to memory of 4784	4872	XwormLoader.exe	83
PID 4872 wrote to memory of 4784	4872	XwormLoader.exe	83
PID 4872 wrote to memory of 2308	4872	XwormLoader.exe	85
PID 4872 wrote to memory of 2308	4872	XwormLoader.exe	85
PID 4872 wrote to memory of 1748	4872	XwormLoader.exe	87
PID 4872 wrote to memory of 1748	4872	XwormLoader.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormLoader.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "taskhostw" /SC ONLOGON /TR "C:\Windows\taskhostw.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2308
- C:\Windows\taskhostw.exe
  "C:\Windows\taskhostw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm V5.6.exe

Filesize
14.9MB

MD5
cac67604904dce94d230953f170d4391

SHA1
9ea639f23a5699bb66ca5da55b2458347aed6f13

SHA256
64e5b7463d340b9a8b9d911860b4d635b0cf68afbe3593ed3cc6cbb13db0b27b

SHA512
af358008abb47a345a53dab222a01ab6c0ed10185fca8d2be9af2892161f150c8cc8a7f75272d1eb1acd17b49f32d3531adbc1cfdd153cc7c3e90841cabe766a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yf2dpmva.uch.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\taskhostw.exe

Filesize
183KB

MD5
31207a3ec25c1530f368a0298d108a09

SHA1
e80b4ef16a1f3df9764e6e9ae92a5372276a3a83

SHA256
7063531cc8e3c206a2f5c23c033d382dd1f2296650196179f8c64d68588288c8

SHA512
861538173fed16fbadd131659bc4289cd72f0a716d2d84bd9918a2b8c565e1cfdd4656cc40463d4c17356d6b9ab290f5fb0d323bfce9f3ed194993fc7f4fc523

Download Submit
memory/1748-54-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2516-56-0x00007FF928E93000-0x00007FF928E95000-memory.dmp

Filesize
8KB

Download
memory/2516-55-0x00000208723B0000-0x00000208725A4000-memory.dmp

Filesize
2.0MB

Download
memory/2516-24-0x00007FF928E90000-0x00007FF929951000-memory.dmp

Filesize
10.8MB

Download
memory/2516-57-0x0000020871F00000-0x00000208720A9000-memory.dmp

Filesize
1.7MB

Download
memory/2516-58-0x00007FF928E90000-0x00007FF929951000-memory.dmp

Filesize
10.8MB

Download
memory/2516-20-0x00007FF928E93000-0x00007FF928E95000-memory.dmp

Filesize
8KB

Download
memory/2516-21-0x000002086E990000-0x000002086F878000-memory.dmp

Filesize
14.9MB

Download
memory/4784-37-0x0000019C6B300000-0x0000019C6B44E000-memory.dmp

Filesize
1.3MB

Download
memory/4784-30-0x0000019C52D20000-0x0000019C52D42000-memory.dmp

Filesize
136KB

Download
memory/4872-6-0x00007FF92BEB0000-0x00007FF92C851000-memory.dmp

Filesize
9.6MB

Download
memory/4872-23-0x00007FF92BEB0000-0x00007FF92C851000-memory.dmp

Filesize
9.6MB

Download
memory/4872-22-0x00007FF92C165000-0x00007FF92C166000-memory.dmp

Filesize
4KB

Download
memory/4872-8-0x00007FF92BEB0000-0x00007FF92C851000-memory.dmp

Filesize
9.6MB

Download
memory/4872-7-0x00007FF92BEB0000-0x00007FF92C851000-memory.dmp

Filesize
9.6MB

Download
memory/4872-0-0x00007FF92C165000-0x00007FF92C166000-memory.dmp

Filesize
4KB

Download
memory/4872-53-0x00007FF92BEB0000-0x00007FF92C851000-memory.dmp

Filesize
9.6MB

Download
memory/4872-5-0x00007FF92BEB0000-0x00007FF92C851000-memory.dmp

Filesize
9.6MB

Download
memory/4872-4-0x000000001C880000-0x000000001C926000-memory.dmp

Filesize
664KB

Download
memory/4872-3-0x000000001C360000-0x000000001C3C2000-memory.dmp

Filesize
392KB

Download
memory/4872-2-0x00007FF92BEB0000-0x00007FF92C851000-memory.dmp

Filesize
9.6MB

Download
memory/4872-1-0x00007FF92BEB0000-0x00007FF92C851000-memory.dmp

Filesize
9.6MB

Download