xworm | fd96a23ae800a272e8bdf46dba1c8a3ac285cf1c7f6c6f5ae4b473a00e3cf43d

General

Target

D73UC_2025-01-17-13-06-51.exe
Size

83KB
MD5

45b9c22e416482de6446d6422f37fd17
SHA1

7db3bdee144cb804d73ecb8fcafa4748024f67a2
SHA256

fd96a23ae800a272e8bdf46dba1c8a3ac285cf1c7f6c6f5ae4b473a00e3cf43d
SHA512

731ea90275dbc39ac0ad9c16afa9b61488d5a6ff5a1fbe5af7800a7a38b54b4623c26857b4caec2a5c15c4afee788bc98215ce22ce9764c44e8d90b698e5ae03
SSDEEP

1536:uaPkD+QdQoTFuUer5QhORVx/KzNHUSWUiuCLWm2XiZs8hfNG7xEa1af:uQ89lfo/eJWWCLWm1fNkGakf

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

trip-thesaurus.gl.at.ply.gg:16715

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023bc5-4.dat	family_xworm
behavioral2/memory/4496-12-0x00000000003E0000-0x00000000003FA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1152	powershell.exe
4836	powershell.exe
1240	powershell.exe
1568	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	D73UC_2025-01-17-13-06-51.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2025-01-17-13-06-51.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	2025-01-17-13-06-51.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	2025-01-17-13-06-51.exe

Executes dropped EXE 1 IoCs

pid	Process
4496	2025-01-17-13-06-51.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthSystray"	2025-01-17-13-06-51.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D73UC_2025-01-17-13-06-51.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2908	powershell.exe
2908	powershell.exe
1152	powershell.exe
1152	powershell.exe
4836	powershell.exe
4836	powershell.exe
1240	powershell.exe
1240	powershell.exe
1568	powershell.exe
1568	powershell.exe
4496	2025-01-17-13-06-51.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	2025-01-17-13-06-51.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	4496	2025-01-17-13-06-51.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4496	2025-01-17-13-06-51.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2908	1184	D73UC_2025-01-17-13-06-51.exe	82
PID 1184 wrote to memory of 2908	1184	D73UC_2025-01-17-13-06-51.exe	82
PID 1184 wrote to memory of 2908	1184	D73UC_2025-01-17-13-06-51.exe	82
PID 1184 wrote to memory of 4496	1184	D73UC_2025-01-17-13-06-51.exe	84
PID 1184 wrote to memory of 4496	1184	D73UC_2025-01-17-13-06-51.exe	84
PID 4496 wrote to memory of 1152	4496	2025-01-17-13-06-51.exe	86
PID 4496 wrote to memory of 1152	4496	2025-01-17-13-06-51.exe	86
PID 4496 wrote to memory of 4836	4496	2025-01-17-13-06-51.exe	88
PID 4496 wrote to memory of 4836	4496	2025-01-17-13-06-51.exe	88
PID 4496 wrote to memory of 1240	4496	2025-01-17-13-06-51.exe	90
PID 4496 wrote to memory of 1240	4496	2025-01-17-13-06-51.exe	90
PID 4496 wrote to memory of 1568	4496	2025-01-17-13-06-51.exe	92
PID 4496 wrote to memory of 1568	4496	2025-01-17-13-06-51.exe	92

C:\Users\Admin\AppData\Local\Temp\D73UC_2025-01-17-13-06-51.exe
"C:\Users\Admin\AppData\Local\Temp\D73UC_2025-01-17-13-06-51.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAdABpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AdQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAagBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB5ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Users\Admin\AppData\Roaming\2025-01-17-13-06-51.exe
  "C:\Users\Admin\AppData\Roaming\2025-01-17-13-06-51.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\2025-01-17-13-06-51.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2025-01-17-13-06-51.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b1a1d8b05525b7b0c5babfd80488c1f2

SHA1
c85bbd6b7d0143676916c20fd52720499c2bb5c6

SHA256
adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

SHA512
346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
690c516f066561439e15ea5e5ef34c96

SHA1
b41c883e29e3c211207fecfa9e8f54922608cfdd

SHA256
df4a4bcbf655962fce03b6b3e93267414c076578bf1e9ba86c2283d977bb7fe7

SHA512
f3ba4f09f2c795e4500efffb554892fc901981f1048f442001acb0cc4f0371735436e3d62cfb748c504a46b82c2a3dd13f46ef96540987823ab33579d5b913b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
41ac47e52d901688f4c46823eb12c6ae

SHA1
c80f6ae3584d3ebd94b753dd7ef1039ed541f078

SHA256
ab4a7be7634267aaf9c5db321924ee34f6e8c97267bf0844138bde233c409c8f

SHA512
1ccb1c694c6d61027b223cf7c79ce5fdc6046a4a32dc15f22b722d6f063c127f4b5f5f3740f2c8b2447504f54d6e0d9afa47d202a61946e29bbcbac41d83c5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_doyjpkjy.l13.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\2025-01-17-13-06-51.exe

Filesize
77KB

MD5
e2b82b4f39f2527e850756664e5462a1

SHA1
8de7c878e724e1667cc90f3fad7b109f5ed65927

SHA256
e41f276291b01717c78ffe3d6a288bf95b42da33445c0c8490e0b546fe380935

SHA512
5cb25a33e937febb5f8255e2a80eaa1fccc4b5f6442e831d47839ba896727b85e139af5195c46957187b422c7f010f2349320ef977d4598f4b26f8ca2d573a82

Download Submit
memory/1152-61-0x000001B3DC8D0000-0x000001B3DC8F2000-memory.dmp

Filesize
136KB

Download
memory/2908-45-0x00000000073B0000-0x0000000007453000-memory.dmp

Filesize
652KB

Download
memory/2908-50-0x0000000007540000-0x000000000754A000-memory.dmp

Filesize
40KB

Download
memory/2908-19-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/2908-29-0x0000000005CF0000-0x0000000006044000-memory.dmp

Filesize
3.3MB

Download
memory/2908-30-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/2908-31-0x00000000061D0000-0x000000000621C000-memory.dmp

Filesize
304KB

Download
memory/2908-34-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/2908-33-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/2908-32-0x0000000007170000-0x00000000071A2000-memory.dmp

Filesize
200KB

Download
memory/2908-44-0x0000000006770000-0x000000000678E000-memory.dmp

Filesize
120KB

Download
memory/2908-17-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/2908-46-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/2908-47-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/2908-48-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/2908-49-0x00000000074D0000-0x00000000074EA000-memory.dmp

Filesize
104KB

Download
memory/2908-18-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/2908-51-0x0000000007760000-0x00000000077F6000-memory.dmp

Filesize
600KB

Download
memory/2908-52-0x00000000076D0000-0x00000000076E1000-memory.dmp

Filesize
68KB

Download
memory/2908-13-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

Filesize
4KB

Download
memory/2908-54-0x0000000007710000-0x000000000771E000-memory.dmp

Filesize
56KB

Download
memory/2908-55-0x0000000007720000-0x0000000007734000-memory.dmp

Filesize
80KB

Download
memory/2908-56-0x0000000007800000-0x000000000781A000-memory.dmp

Filesize
104KB

Download
memory/2908-57-0x0000000007750000-0x0000000007758000-memory.dmp

Filesize
32KB

Download
memory/2908-60-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/2908-15-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/2908-16-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/2908-14-0x0000000004BD0000-0x0000000004C06000-memory.dmp

Filesize
216KB

Download
memory/4496-53-0x000000001AFB0000-0x000000001AFC0000-memory.dmp

Filesize
64KB

Download
memory/4496-12-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/4496-11-0x00007FF989863000-0x00007FF989865000-memory.dmp

Filesize
8KB

Download
memory/4496-108-0x000000001AFB0000-0x000000001AFC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads