xworm | c72be52442b2f6bf8bcbc0b75729e4dd8d06a0753bc7d2e184757053f86f1578

Analysis

max time kernel
148s
max time network
145s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03-02-2025 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xworm/Xworm V5.6 (2).exe
Size

8.7MB
MD5

9530dd473ed704de0b1fb9005d0b1596
SHA1

d745fcb740939681c166a9a06744ecb118d86aa4
SHA256

7afa79c97a3585ef9280e4a5157f45dcc5f8908322f7c7fce33825114a9c5dff
SHA512

4a2a6101372a46dc01f57b6304f4a0e28b606509f2dad05ea211707755d3648407b1126e91bf49c2bd4a3b27cf98117fcef23fbe4039ae5ebec73f6bb07dfcef
SSDEEP

196608:11gDSqGHoQtAq9xXsfE5mxqEfduHDFEyBWqpwWEEQoyHo54:11eSqGVXsfe0qEfdYnpwWEloyk

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

193.123.88.61:4444

Mutex

1cAjmT6r87cbZXRe

Attributes

Install_directory
%AppData%
install_file
host.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1308-87-0x0000000002380000-0x0000000002390000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1872	powershell.exe
2524	powershell.exe
236	powershell.exe
1100	powershell.exe
2520	powershell.exe
1916	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-590766166-4003350121-2036565200-1000\Control Panel\International\Geo\Nation	Xworm V5.6 (2).exe
Key value queried	\REGISTRY\USER\S-1-5-21-590766166-4003350121-2036565200-1000\Control Panel\International\Geo\Nation	Uhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-590766166-4003350121-2036565200-1000\Control Panel\International\Geo\Nation	rolexspoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-590766166-4003350121-2036565200-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk	unsecapp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rolexspoofer.exe	Uhid.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk	unsecapp.exe

Executes dropped EXE 4 IoCs

pid	Process
4988	Uhid.exe
3224	Xworm V5.6.exe
804	rolexspoofer.exe
1308	unsecapp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-590766166-4003350121-2036565200-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\host = "C:\\Users\\Admin\\AppData\\Roaming\\host.exe"	unsecapp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	discord.com
4	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1916	powershell.exe
1916	powershell.exe
1872	powershell.exe
1872	powershell.exe
2524	powershell.exe
2524	powershell.exe
236	powershell.exe
236	powershell.exe
1100	powershell.exe
1100	powershell.exe
2520	powershell.exe
2520	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	804	rolexspoofer.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeIncreaseQuotaPrivilege	1916	powershell.exe
Token: SeSecurityPrivilege	1916	powershell.exe
Token: SeTakeOwnershipPrivilege	1916	powershell.exe
Token: SeLoadDriverPrivilege	1916	powershell.exe
Token: SeSystemProfilePrivilege	1916	powershell.exe
Token: SeSystemtimePrivilege	1916	powershell.exe
Token: SeProfSingleProcessPrivilege	1916	powershell.exe
Token: SeIncBasePriorityPrivilege	1916	powershell.exe
Token: SeCreatePagefilePrivilege	1916	powershell.exe
Token: SeBackupPrivilege	1916	powershell.exe
Token: SeRestorePrivilege	1916	powershell.exe
Token: SeShutdownPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeSystemEnvironmentPrivilege	1916	powershell.exe
Token: SeRemoteShutdownPrivilege	1916	powershell.exe
Token: SeUndockPrivilege	1916	powershell.exe
Token: SeManageVolumePrivilege	1916	powershell.exe
Token: 33	1916	powershell.exe
Token: 34	1916	powershell.exe
Token: 35	1916	powershell.exe
Token: 36	1916	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeIncreaseQuotaPrivilege	1872	powershell.exe
Token: SeSecurityPrivilege	1872	powershell.exe
Token: SeTakeOwnershipPrivilege	1872	powershell.exe
Token: SeLoadDriverPrivilege	1872	powershell.exe
Token: SeSystemProfilePrivilege	1872	powershell.exe
Token: SeSystemtimePrivilege	1872	powershell.exe
Token: SeProfSingleProcessPrivilege	1872	powershell.exe
Token: SeIncBasePriorityPrivilege	1872	powershell.exe
Token: SeCreatePagefilePrivilege	1872	powershell.exe
Token: SeBackupPrivilege	1872	powershell.exe
Token: SeRestorePrivilege	1872	powershell.exe
Token: SeShutdownPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeSystemEnvironmentPrivilege	1872	powershell.exe
Token: SeRemoteShutdownPrivilege	1872	powershell.exe
Token: SeUndockPrivilege	1872	powershell.exe
Token: SeManageVolumePrivilege	1872	powershell.exe
Token: 33	1872	powershell.exe
Token: 34	1872	powershell.exe
Token: 35	1872	powershell.exe
Token: 36	1872	powershell.exe
Token: SeDebugPrivilege	1308	unsecapp.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeIncreaseQuotaPrivilege	2524	powershell.exe
Token: SeSecurityPrivilege	2524	powershell.exe
Token: SeTakeOwnershipPrivilege	2524	powershell.exe
Token: SeLoadDriverPrivilege	2524	powershell.exe
Token: SeSystemProfilePrivilege	2524	powershell.exe
Token: SeSystemtimePrivilege	2524	powershell.exe
Token: SeProfSingleProcessPrivilege	2524	powershell.exe
Token: SeIncBasePriorityPrivilege	2524	powershell.exe
Token: SeCreatePagefilePrivilege	2524	powershell.exe
Token: SeBackupPrivilege	2524	powershell.exe
Token: SeRestorePrivilege	2524	powershell.exe
Token: SeShutdownPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeSystemEnvironmentPrivilege	2524	powershell.exe
Token: SeRemoteShutdownPrivilege	2524	powershell.exe
Token: SeUndockPrivilege	2524	powershell.exe
Token: SeManageVolumePrivilege	2524	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4988	4524	Xworm V5.6 (2).exe	80
PID 4524 wrote to memory of 4988	4524	Xworm V5.6 (2).exe	80
PID 4524 wrote to memory of 3224	4524	Xworm V5.6 (2).exe	81
PID 4524 wrote to memory of 3224	4524	Xworm V5.6 (2).exe	81
PID 4988 wrote to memory of 804	4988	Uhid.exe	82
PID 4988 wrote to memory of 804	4988	Uhid.exe	82
PID 804 wrote to memory of 1916	804	rolexspoofer.exe	84
PID 804 wrote to memory of 1916	804	rolexspoofer.exe	84
PID 804 wrote to memory of 1872	804	rolexspoofer.exe	87
PID 804 wrote to memory of 1872	804	rolexspoofer.exe	87
PID 1308 wrote to memory of 2524	1308	unsecapp.exe	90
PID 1308 wrote to memory of 2524	1308	unsecapp.exe	90
PID 1308 wrote to memory of 236	1308	unsecapp.exe	92
PID 1308 wrote to memory of 236	1308	unsecapp.exe	92
PID 1308 wrote to memory of 1100	1308	unsecapp.exe	94
PID 1308 wrote to memory of 1100	1308	unsecapp.exe	94
PID 1308 wrote to memory of 2520	1308	unsecapp.exe	96
PID 1308 wrote to memory of 2520	1308	unsecapp.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\xworm\Xworm V5.6 (2).exe
"C:\Users\Admin\AppData\Local\Temp\xworm\Xworm V5.6 (2).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\xworm\Uhid.exe
  "C:\Users\Admin\AppData\Local\Temp\xworm\Uhid.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rolexspoofer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rolexspoofer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\unsecapp.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'unsecapp.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1872
- C:\Users\Admin\AppData\Local\Temp\xworm\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\xworm\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:3224

C:\Users\Admin\AppData\Roaming\unsecapp.exe
"C:\Users\Admin\AppData\Roaming\unsecapp.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\host.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'host.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60ba7ac90c0e466144b48a90919960b6

SHA1
fe7f5d9e1d317f9409d8daa35d9c890f7e222d6a

SHA256
43d3c3113c66141b3a1f1f1bbf2d32a80128d029903ca58db09e9c6a9410ef9e

SHA512
92a1d912fd7be06820ec97b192b965d04ff44ff6a1c76b55405ecf20ca995762d823f52f174d8f48feb1d454716ab244adb4945febbf4fe4a6f91dd9791f87f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
99199f0dca5c84eac4de42c111d371a1

SHA1
d1cc7081758d7a10b74803b57afeb4d54915095c

SHA256
507312151bf33d8012c2ffe2839ba8359cb89c1f4a7042c620d3776bf2687986

SHA512
c5305c133200f55e11864e252ac74b5041e6af6716bdde04410a27550647ca0231ca135c4de92a9b9e249da45feb6fab0c13ba53e1c8deb8b60b2e65431622da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4b9d65631ec37ba2570048dc421d8cbc

SHA1
c4880e2786543e45c339fad7d09ff7c986b759b1

SHA256
0c8e02d405d9392bd67f428d0412acedb879d54bf6a9e6715ff4c4ba90865ec8

SHA512
525c5d9aeef38b91cd567339588c234573e9fb94bcf5bbd7a2b083478c2325fc506d8001d97c1b9abbe493c041b7424080adc9f4ed6b447bffdb8ee14aef0a81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f610391d572bbcbb69c4844b8d95cbf

SHA1
ab38eb5889168c1b470fba487e8f1f1d2c336629

SHA256
5ced165534b0112bca6b11eb54f2ca28452d93f497c2e6ec8d3cd5bf488dc7a8

SHA512
f85aac21ab59862ce412f6bfc18d674b811a952b3079bd83656e3bf843ed27b64ff9fef48b535ac3e674a0d015729e07e7dc7749bf9d03dfae361ba4b44f5de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ak0cabbh.ve1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xworm\Uhid.exe

Filesize
2.1MB

MD5
7b8dd3335c25460fe7170005fd24ca6e

SHA1
1a6be7c3d12b8cc1a4e18fcca860be3ec0d0bdab

SHA256
203ccbd5bea87e28cc74053a24c0e08027ab0ae531f1274cbc804800afa4fe4f

SHA512
ae043f68c037882829ba873afe7162882bc620c91e740c7ca5ca7067bd4172cfc29cf18554622b38d3dfb6c7e63974c71020c6736703f70f6bee287616019418

Download Submit
C:\Users\Admin\AppData\Local\Temp\xworm\Xworm V5.6.exe

Filesize
14.9MB

MD5
714f51eb76e1d01b1b646962224910a8

SHA1
affe3aba05cdb0ab78fea81be9bae2ffb7dc7a8f

SHA256
6be79ff4d5c370639bfb4c3dbd4f2bc3332a009ccfbda08ed0a88524e3ee5b31

SHA512
a9faa8043b2d9498e78d921e05e3e299ea121af1a95682a70fb76b67df78c8101a6f55fbc1939a2858f282346e35bef9a2ae106bb4a5ae32e84e26107f33c905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rolexspoofer.exe

Filesize
230KB

MD5
7b717949121ea9b9d1dc54f2bc7202f9

SHA1
631524acfd80c2ab405c2af566969ec48bb99595

SHA256
7007221dc3d3019a0471deeafff20183530d7f54bf8aad71e137653f13e5d98d

SHA512
f582b34d097c12547e33da58a4377043c5608605c8bacabb13937fb33af023cdd4eb49d0b29dc7af781ff86dd1fecafa64bf77dbc8347f824b52bfab53dc9e7d

Download Submit
memory/804-54-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/1308-87-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1916-63-0x0000013CF0AD0000-0x0000013CF0AF2000-memory.dmp

Filesize
136KB

Download
memory/3224-56-0x0000022D7C790000-0x0000022D7C984000-memory.dmp

Filesize
2.0MB

Download
memory/3224-40-0x0000022D60540000-0x0000022D6142A000-memory.dmp

Filesize
14.9MB

Download
memory/4524-0-0x00007FFFF8DC3000-0x00007FFFF8DC5000-memory.dmp

Filesize
8KB

Download
memory/4524-1-0x0000000000700000-0x0000000000FC6000-memory.dmp

Filesize
8.8MB

Download
memory/4524-39-0x00007FFFF8DC0000-0x00007FFFF9882000-memory.dmp

Filesize
10.8MB

Download
memory/4524-4-0x00007FFFF8DC0000-0x00007FFFF9882000-memory.dmp

Filesize
10.8MB

Download
memory/4988-34-0x00007FFFF8DC0000-0x00007FFFF9882000-memory.dmp

Filesize
10.8MB

Download
memory/4988-19-0x000000001BDA0000-0x000000001BE6C000-memory.dmp

Filesize
816KB

Download
memory/4988-18-0x0000000000FC0000-0x00000000011D4000-memory.dmp

Filesize
2.1MB

Download
memory/4988-20-0x00007FFFF8DC0000-0x00007FFFF9882000-memory.dmp

Filesize
10.8MB

Download
memory/4988-57-0x00007FFFF8DC0000-0x00007FFFF9882000-memory.dmp

Filesize
10.8MB

Download