xworm | 57c78c431dad7a72ab8047b9707f8e740ae4174e253626d494580333226ecb18

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gm.exe
Size

60KB
MD5

f8e80eb256f014dc1a1dcf494f49491e
SHA1

3f8437c9ca5239ea2125aca3456da1f7a0645d66
SHA256

57c78c431dad7a72ab8047b9707f8e740ae4174e253626d494580333226ecb18
SHA512

ee357ddde117a34135201265f20cf3d4235025d1db884142f6a58b99d5bebd4b0bda69d0efc37df4a5d14f079df0a5b08bbcad9b61339dab1aacf355d17e2de8
SSDEEP

1536:KFJjiXMQ4eOJKgZvw6IY+bhxhzRNuOBZXYVFv:KDQR1Q46IY+bhf2OB5YVl

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

poker-dosage.gl.at.ply.gg:10021

Attributes

Install_directory
%AppData%
install_file
RealtekUService86.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/3556-73-0x000000001CB70000-0x000000001CB7E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3556-1-0x00000000000B0000-0x00000000000C6000-memory.dmp	family_xworm
behavioral1/files/0x000b000000023b84-28.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	gm.exe

Executes dropped EXE 2 IoCs

pid	Process
4768	RealtekUService86.exe
64	RealtekUService86.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	mspaint.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4260	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4468	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3556	gm.exe
1016	mspaint.exe
1016	mspaint.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe
3556	gm.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4468	vlc.exe
3556	gm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3556	gm.exe
Token: SeDebugPrivilege	3556	gm.exe
Token: SeDebugPrivilege	4768	RealtekUService86.exe
Token: SeDebugPrivilege	64	RealtekUService86.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4468	vlc.exe
4468	vlc.exe
4468	vlc.exe
4468	vlc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4468	vlc.exe
4468	vlc.exe
4468	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3556	gm.exe
1016	mspaint.exe
2296	OpenWith.exe
4468	vlc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 4260	3556	gm.exe	84
PID 3556 wrote to memory of 4260	3556	gm.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gm.exe
"C:\Users\Admin\AppData\Local\Temp\gm.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RealtekUService86" /tr "C:\Users\Admin\AppData\Roaming\RealtekUService86.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4260

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\PopUnblock.jpe" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3720

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SaveResume.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Users\Admin\AppData\Roaming\RealtekUService86.exe
C:\Users\Admin\AppData\Roaming\RealtekUService86.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:3196

C:\Users\Admin\AppData\Roaming\RealtekUService86.exe
C:\Users\Admin\AppData\Roaming\RealtekUService86.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RealtekUService86.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Roaming\RealtekUService86.exe

Filesize
60KB

MD5
f8e80eb256f014dc1a1dcf494f49491e

SHA1
3f8437c9ca5239ea2125aca3456da1f7a0645d66

SHA256
57c78c431dad7a72ab8047b9707f8e740ae4174e253626d494580333226ecb18

SHA512
ee357ddde117a34135201265f20cf3d4235025d1db884142f6a58b99d5bebd4b0bda69d0efc37df4a5d14f079df0a5b08bbcad9b61339dab1aacf355d17e2de8

Download Submit
memory/3556-0-0x00007FFB42CD3000-0x00007FFB42CD5000-memory.dmp

Filesize
8KB

Download
memory/3556-1-0x00000000000B0000-0x00000000000C6000-memory.dmp

Filesize
88KB

Download
memory/3556-3-0x00007FFB42CD0000-0x00007FFB43791000-memory.dmp

Filesize
10.8MB

Download
memory/3556-4-0x00007FFB42CD3000-0x00007FFB42CD5000-memory.dmp

Filesize
8KB

Download
memory/3556-5-0x00007FFB42CD0000-0x00007FFB43791000-memory.dmp

Filesize
10.8MB

Download
memory/3556-6-0x00000000022D0000-0x00000000022DC000-memory.dmp

Filesize
48KB

Download
memory/3556-73-0x000000001CB70000-0x000000001CB7E000-memory.dmp

Filesize
56KB

Download
memory/3556-54-0x000000001D520000-0x000000001D870000-memory.dmp

Filesize
3.3MB

Download
memory/3720-23-0x000002AF34480000-0x000002AF34481000-memory.dmp

Filesize
4KB

Download
memory/3720-18-0x000002AF34370000-0x000002AF34371000-memory.dmp

Filesize
4KB

Download
memory/3720-22-0x000002AF343F0000-0x000002AF343F1000-memory.dmp

Filesize
4KB

Download
memory/3720-26-0x000002AF34490000-0x000002AF34491000-memory.dmp

Filesize
4KB

Download
memory/3720-25-0x000002AF34490000-0x000002AF34491000-memory.dmp

Filesize
4KB

Download
memory/3720-20-0x000002AF343F0000-0x000002AF343F1000-memory.dmp

Filesize
4KB

Download
memory/3720-7-0x000002AF2C060000-0x000002AF2C070000-memory.dmp

Filesize
64KB

Download
memory/3720-24-0x000002AF34480000-0x000002AF34481000-memory.dmp

Filesize
4KB

Download
memory/3720-11-0x000002AF2C260000-0x000002AF2C270000-memory.dmp

Filesize
64KB

Download
memory/4468-38-0x00007FF6C91B0000-0x00007FF6C92A8000-memory.dmp

Filesize
992KB

Download
memory/4468-41-0x00007FFB389A0000-0x00007FFB39A50000-memory.dmp

Filesize
16.7MB

Download
memory/4468-42-0x00007FFB383D0000-0x00007FFB384DE000-memory.dmp

Filesize
1.1MB

Download
memory/4468-40-0x00007FFB3B500000-0x00007FFB3B7B6000-memory.dmp

Filesize
2.7MB

Download
memory/4468-39-0x00007FFB3B7C0000-0x00007FFB3B7F4000-memory.dmp

Filesize
208KB

Download