xworm | hxxps://gofile[.]io/d/4yaOMG

Analysis

max time kernel
62s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/4yaOMG

Score

10^/10

xworm agilenet discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d49-233.dat	family_xworm
behavioral1/memory/5416-235-0x0000000000700000-0x000000000071A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5784	powershell.exe
6004	powershell.exe
4976	powershell.exe
3456	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RunThisBefore!.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	RunThisBefore!.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	RunThisBefore!.exe

Executes dropped EXE 3 IoCs

pid	Process
5416	RunThisBefore!.exe
5560	XWorm V5.0.exe
6132	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
5560	XWorm V5.0.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0007000000023d4f-236.dat	agile_net
behavioral1/memory/5560-239-0x000001E9724B0000-0x000001E972F22000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	RunThisBefore!.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.0.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
764	msedge.exe
764	msedge.exe
4272	msedge.exe
4272	msedge.exe
4308	identity_helper.exe
4308	identity_helper.exe
1484	msedge.exe
1484	msedge.exe
5784	powershell.exe
5784	powershell.exe
5784	powershell.exe
6004	powershell.exe
6004	powershell.exe
6004	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	2656	7zG.exe
Token: 35	2656	7zG.exe
Token: SeSecurityPrivilege	2656	7zG.exe
Token: SeSecurityPrivilege	2656	7zG.exe
Token: SeDebugPrivilege	5416	RunThisBefore!.exe
Token: SeDebugPrivilege	5560	XWorm V5.0.exe
Token: SeDebugPrivilege	5784	powershell.exe
Token: SeDebugPrivilege	6004	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	5416	RunThisBefore!.exe
Token: SeDebugPrivilege	6132	svchost.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
2656	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 3128	4272	msedge.exe	83
PID 4272 wrote to memory of 3128	4272	msedge.exe	83
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 2200	4272	msedge.exe	84
PID 4272 wrote to memory of 764	4272	msedge.exe	85
PID 4272 wrote to memory of 764	4272	msedge.exe	85
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86
PID 4272 wrote to memory of 2460	4272	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/4yaOMG
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbcc2046f8,0x7ffbcc204708,0x7ffbcc204718
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3259828808851621274,12571761916811839112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:5512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4208

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm V5.0\" -ad -an -ai#7zMap16735:82:7zEvent8935
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2656

C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0\RunThisBefore!.exe
"C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0\RunThisBefore!.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0\RunThisBefore!.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RunThisBefore!.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5876

C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0\XWorm V5.0.exe
"C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0\XWorm V5.0.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5560

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
51b1a0258b466b85fbe02f77b22e5b6e

SHA1
1b15b7f9c0c05e8bf054ffb2db6a2bdf2dc5b147

SHA256
dfe7685bbae2786c826f6b0b7ff7bdec11ee0a5784dc9a1a0bf07e509656927f

SHA512
a1ed9ed92f273e66bf4e4af65a1c6fae0bea5810c75df28fcbc34e923543cf123f6bccc4b3077236c5e36ae7bda954348f658ef37ea67a773f032a8b42249e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b70ee526fdf93869e4533d21d83cb732

SHA1
87821103d5c762ccfe907b9af05cc504a934c743

SHA256
288637977d80309d8b3a17b59d61ded0c23b0aef716400af380b515d39d8599f

SHA512
89dd557972996bc0ccdeed04c35dad9d3b346a2b2136ada8eb6bdbe6bd79ab6f72798f2236344f50c212d9384c010c02832fc5918490a59d15714e50cbdb2369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
346873718c8e543e0419d5c34cad435a

SHA1
a148fe6cda159ac98e8e6237098d46e95f978048

SHA256
29f14811fc9a4e40f616ba984a21af410670a11e8cc6ebbd996808445312e8bf

SHA512
6c1868dc567ccddc5483a6876f58ea9647bf28502d852ac5eade89efb1f699e6b6c6a8558939610ee57449939bc46ec2c8e2709cc28fdd7f9bcf6d61ea8d499c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8cd52fef8b80405a3e8f0f616ff3f318

SHA1
755b922f80cdd2558bdd34c6280815738c6b7d5c

SHA256
c0ceb9c5049146d457174ee3e0394e89a5718eae322578a5136d8a5ba670b37c

SHA512
8379a8f2839add69f4d2dd80cb46173a8a77f20e8c8698213e59d26cbbe71c00b4ef4231550454b9216776e84770352fe510253a9c36c05a57e0d2da1521beb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\dfac59de-dda7-40b2-9f2a-ac2dc0bb9d46.tmp

Filesize
10KB

MD5
a841a908e271fa469fb43d567b9a50a1

SHA1
7aa1885603b8f87d11fba5966833960b125eca71

SHA256
313b23a635912a025e00ba0a194c74351a77b69aabee41cff1518c769bacc6c0

SHA512
95404ad5d5654c151aadeda590cdbc3c460907a9101e78c178ef200187ca57d00a668a0db3cfb1915efbc68b2a6c54ceab4918d6b2c2a3d99aa4d6f38b6e4852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll

Filesize
112KB

MD5
a239b7cac8be034a23e7e231d3bcc6df

SHA1
ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d

SHA256
063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8

SHA512
c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dlmghjg1.k4m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\XWorm V5.0.zip

Filesize
29.5MB

MD5
9288cfad797954339984d2585422713c

SHA1
d77891a1457f976c13e3328584d90f588ebf1152

SHA256
4410342d2f68023846ee685ec290e208ca445c5d4dd0064cb289e4c166d0b4a0

SHA512
98513a620f436b9b8d3c5922049aec6d336ece8e39b548e40749767c19ca4c61f52244a8f813105b170a1020daddc519bf3e07cd1e46ff6124e2953e1de3f961

Download Submit
C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0\RunThisBefore!.exe

Filesize
77KB

MD5
c74390df283683cd7ca9a32b210b6895

SHA1
f0b53014a2075c1585874219fa92ebd8da8ed5f2

SHA256
cc2073589f7cd621bc7298137d8d17ef57c4df7dd6cf76b3ff0f581e567ef378

SHA512
3e08f9f8eb9128ba36f23bbcaaac0ffa2ae22d9bca4761df5d067324cbfb9adc4dfe48b39e07cc161d4d7d8fe342aa45ff1af01141747c096e12afe7b35ae863

Download Submit
C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0\XWorm V5.0.exe

Filesize
10.4MB

MD5
227494b22a4ee99f48a269c362fd5f19

SHA1
d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9

SHA256
7471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2

SHA512
71070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0

Download Submit
C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0\XWorm V5.0.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/3456-301-0x0000029269FD0000-0x000002926A11E000-memory.dmp

Filesize
1.3MB

Download
memory/4976-289-0x00000186E4970000-0x00000186E4ABE000-memory.dmp

Filesize
1.3MB

Download
memory/5416-235-0x0000000000700000-0x000000000071A000-memory.dmp

Filesize
104KB

Download
memory/5416-310-0x000000001B990000-0x000000001BA92000-memory.dmp

Filesize
1.0MB

Download
memory/5416-326-0x000000001B370000-0x000000001B37C000-memory.dmp

Filesize
48KB

Download
memory/5416-339-0x000000001B990000-0x000000001BA92000-memory.dmp

Filesize
1.0MB

Download
memory/5560-239-0x000001E9724B0000-0x000001E972F22000-memory.dmp

Filesize
10.4MB

Download
memory/5560-247-0x000001E975CF0000-0x000001E9768A6000-memory.dmp

Filesize
11.7MB

Download
memory/5560-249-0x000001E976AB0000-0x000001E976CA4000-memory.dmp

Filesize
2.0MB

Download
memory/5784-258-0x0000029BC7080000-0x0000029BC70A2000-memory.dmp

Filesize
136KB

Download
memory/5784-262-0x0000029BDF880000-0x0000029BDF9CE000-memory.dmp

Filesize
1.3MB

Download
memory/6004-275-0x00000203FE110000-0x00000203FE25E000-memory.dmp

Filesize
1.3MB

Download