xworm | a36885c797f9c9c2970c185c103953c6c1f86a5d49606bf675fdf01c2d32d9ff

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V3.0.exe
Size

6.4MB
MD5

fd9e0297a3481184eadd1da037253980
SHA1

23fc94ab1e1df30b6b9d988461f8a9d85e1ae4ca
SHA256

a36885c797f9c9c2970c185c103953c6c1f86a5d49606bf675fdf01c2d32d9ff
SHA512

e44545b127a0ddadec79fbcf9633fb56782dc80614b899d6db744852038dcb1aed1d47cb017c55d47ce62980e366f4e288d9bf7b52669fe08638f886f3da1904
SSDEEP

196608:AB1D4Z5XqQSmFQB2QGYCa5ZOBhe2wuF0:aUXImFI4YCakB05r

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

147.185.221.25:6864

Mutex

aaF53Xl91CZagti1

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c9d-7.dat	family_xworm
behavioral2/memory/3980-16-0x0000000000300000-0x000000000030E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XWorm V3.0.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm Info.lnk	XWorm Info.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm Info.lnk	XWorm Info.exe

Executes dropped EXE 1 IoCs

pid	Process
3980	XWorm Info.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWorm Info = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XWorm Info.exe"	XWorm V3.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWorm Info = "C:\\Users\\Admin\\AppData\\Roaming\\XWorm Info.exe"	XWorm Info.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	XWorm Info.exe
Token: SeDebugPrivilege	3980	XWorm Info.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 3980	3380	XWorm V3.0.exe	82
PID 3380 wrote to memory of 3980	3380	XWorm V3.0.exe	82
PID 3380 wrote to memory of 2840	3380	XWorm V3.0.exe	83
PID 3380 wrote to memory of 2840	3380	XWorm V3.0.exe	83
PID 2840 wrote to memory of 3556	2840	XWorm V3.0.exe	85
PID 2840 wrote to memory of 3556	2840	XWorm V3.0.exe	85
PID 3556 wrote to memory of 220	3556	XWorm V3.0.exe	88
PID 3556 wrote to memory of 220	3556	XWorm V3.0.exe	88
PID 220 wrote to memory of 1848	220	XWorm V3.0.exe	90
PID 220 wrote to memory of 1848	220	XWorm V3.0.exe	90
PID 1848 wrote to memory of 828	1848	XWorm V3.0.exe	92
PID 1848 wrote to memory of 828	1848	XWorm V3.0.exe	92
PID 828 wrote to memory of 4404	828	XWorm V3.0.exe	95
PID 828 wrote to memory of 4404	828	XWorm V3.0.exe	95
PID 4404 wrote to memory of 4400	4404	XWorm V3.0.exe	96
PID 4404 wrote to memory of 4400	4404	XWorm V3.0.exe	96
PID 4400 wrote to memory of 4112	4400	XWorm V3.0.exe	97
PID 4400 wrote to memory of 4112	4400	XWorm V3.0.exe	97
PID 4112 wrote to memory of 4056	4112	XWorm V3.0.exe	98
PID 4112 wrote to memory of 4056	4112	XWorm V3.0.exe	98
PID 4056 wrote to memory of 4232	4056	XWorm V3.0.exe	99
PID 4056 wrote to memory of 4232	4056	XWorm V3.0.exe	99
PID 4232 wrote to memory of 2824	4232	XWorm V3.0.exe	100
PID 4232 wrote to memory of 2824	4232	XWorm V3.0.exe	100
PID 2824 wrote to memory of 4336	2824	XWorm V3.0.exe	101
PID 2824 wrote to memory of 4336	2824	XWorm V3.0.exe	101
PID 4336 wrote to memory of 2320	4336	XWorm V3.0.exe	103
PID 4336 wrote to memory of 2320	4336	XWorm V3.0.exe	103
PID 2320 wrote to memory of 1380	2320	XWorm V3.0.exe	104
PID 2320 wrote to memory of 1380	2320	XWorm V3.0.exe	104
PID 1380 wrote to memory of 4988	1380	XWorm V3.0.exe	105
PID 1380 wrote to memory of 4988	1380	XWorm V3.0.exe	105
PID 4988 wrote to memory of 2120	4988	XWorm V3.0.exe	106
PID 4988 wrote to memory of 2120	4988	XWorm V3.0.exe	106
PID 2120 wrote to memory of 2572	2120	XWorm V3.0.exe	107
PID 2120 wrote to memory of 2572	2120	XWorm V3.0.exe	107
PID 2572 wrote to memory of 720	2572	XWorm V3.0.exe	109
PID 2572 wrote to memory of 720	2572	XWorm V3.0.exe	109
PID 720 wrote to memory of 2840	720	XWorm V3.0.exe	110
PID 720 wrote to memory of 2840	720	XWorm V3.0.exe	110
PID 2840 wrote to memory of 1340	2840	XWorm V3.0.exe	111
PID 2840 wrote to memory of 1340	2840	XWorm V3.0.exe	111
PID 1340 wrote to memory of 1704	1340	XWorm V3.0.exe	112
PID 1340 wrote to memory of 1704	1340	XWorm V3.0.exe	112
PID 1704 wrote to memory of 3784	1704	XWorm V3.0.exe	113
PID 1704 wrote to memory of 3784	1704	XWorm V3.0.exe	113
PID 3784 wrote to memory of 4244	3784	XWorm V3.0.exe	114
PID 3784 wrote to memory of 4244	3784	XWorm V3.0.exe	114
PID 4244 wrote to memory of 3588	4244	XWorm V3.0.exe	115
PID 4244 wrote to memory of 3588	4244	XWorm V3.0.exe	115
PID 3588 wrote to memory of 828	3588	XWorm V3.0.exe	116
PID 3588 wrote to memory of 828	3588	XWorm V3.0.exe	116
PID 828 wrote to memory of 3960	828	XWorm V3.0.exe	117
PID 828 wrote to memory of 3960	828	XWorm V3.0.exe	117
PID 3960 wrote to memory of 4472	3960	XWorm V3.0.exe	118
PID 3960 wrote to memory of 4472	3960	XWorm V3.0.exe	118
PID 4472 wrote to memory of 4156	4472	XWorm V3.0.exe	119
PID 4472 wrote to memory of 4156	4472	XWorm V3.0.exe	119
PID 4156 wrote to memory of 4600	4156	XWorm V3.0.exe	120
PID 4156 wrote to memory of 4600	4156	XWorm V3.0.exe	120
PID 4600 wrote to memory of 1488	4600	XWorm V3.0.exe	121
PID 4600 wrote to memory of 1488	4600	XWorm V3.0.exe	121
PID 1488 wrote to memory of 3092	1488	XWorm V3.0.exe	122
PID 1488 wrote to memory of 3092	1488	XWorm V3.0.exe	122

C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Users\Admin\AppData\Local\Temp\XWorm Info.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm Info.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
      "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        11⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        12⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        13⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        14⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        15⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        16⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        17⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        18⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        19⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        20⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        21⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        22⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        23⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        24⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        25⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        26⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        27⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        28⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        29⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        30⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        31⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        32⤵
        Checks computer location settings
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        33⤵
        Checks computer location settings
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        34⤵
        Checks computer location settings
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        35⤵
        Checks computer location settings
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        36⤵
        Checks computer location settings
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        37⤵
        Checks computer location settings
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        38⤵
        Checks computer location settings
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        39⤵
        Checks computer location settings
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        40⤵
        Checks computer location settings
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        41⤵
        Checks computer location settings
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        42⤵
        Checks computer location settings
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        43⤵
        Checks computer location settings
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        44⤵
        Checks computer location settings
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        45⤵
        Checks computer location settings
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        46⤵
        Checks computer location settings
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        47⤵
        Checks computer location settings
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        48⤵
        Checks computer location settings
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        49⤵
        Checks computer location settings
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        50⤵
        Checks computer location settings
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        51⤵
        Checks computer location settings
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        52⤵
        Checks computer location settings
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        53⤵
        Checks computer location settings
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        54⤵
        Checks computer location settings
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        55⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        56⤵
        Checks computer location settings
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        57⤵
        Checks computer location settings
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        58⤵
        Checks computer location settings
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        59⤵
        Checks computer location settings
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        60⤵
        Checks computer location settings
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        61⤵
        Checks computer location settings
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        62⤵
        Checks computer location settings
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        63⤵
        Checks computer location settings
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        64⤵
        Checks computer location settings
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        65⤵
        Checks computer location settings
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
        66⤵
        
        PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V3.0.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWorm Info.exe

Filesize
34KB

MD5
1e628185b7962dae0db3031acaa8ca9a

SHA1
d50590ac9fd7876ba5b3a551a7c2ca931a30a008

SHA256
8a0e03bade1b0cd0fcf9771db9ec4e1af3be04a0516f8b59ef196c7ebdbbe3ee

SHA512
faa645f3ed6d6c0dbfd7b688007d289a58ae334e41cda9883cc64a2f682a2172c5da706d1ebb0c1f21ea642876c7fb2fd0dd7d07e673c93ede3e43c31c58181e

Download Submit
memory/2840-20-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-22-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-4-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-0-0x00007FF9A05F3000-0x00007FF9A05F5000-memory.dmp

Filesize
8KB

Download
memory/3380-1-0x0000000000290000-0x00000000008F8000-memory.dmp

Filesize
6.4MB

Download
memory/3380-19-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-15-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-16-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/3980-21-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-29-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-30-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads