xworm | c72be52442b2f6bf8bcbc0b75729e4dd8d06a0753bc7d2e184757053f86f1578

Analysis

max time kernel
149s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-02-2025 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xworm/Xworm V5.6 (2).exe
Size

8.7MB
MD5

9530dd473ed704de0b1fb9005d0b1596
SHA1

d745fcb740939681c166a9a06744ecb118d86aa4
SHA256

7afa79c97a3585ef9280e4a5157f45dcc5f8908322f7c7fce33825114a9c5dff
SHA512

4a2a6101372a46dc01f57b6304f4a0e28b606509f2dad05ea211707755d3648407b1126e91bf49c2bd4a3b27cf98117fcef23fbe4039ae5ebec73f6bb07dfcef
SSDEEP

196608:11gDSqGHoQtAq9xXsfE5mxqEfduHDFEyBWqpwWEEQoyHo54:11eSqGVXsfe0qEfdYnpwWEloyk

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

193.123.88.61:4444

Mutex

1cAjmT6r87cbZXRe

Attributes

Install_directory
%AppData%
install_file
host.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral3/memory/1640-76-0x0000000001770000-0x0000000001780000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3980	powershell.exe
3816	powershell.exe
220	powershell.exe
4744	powershell.exe
1464	powershell.exe
2728	powershell.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk	unsecapp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk	unsecapp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rolexspoofer.exe	Uhid.exe

Executes dropped EXE 4 IoCs

pid	Process
5976	Uhid.exe
5480	rolexspoofer.exe
1488	Xworm V5.6.exe
1640	unsecapp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\host = "C:\\Users\\Admin\\AppData\\Roaming\\host.exe"	unsecapp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	discord.com
1	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3816	powershell.exe
3816	powershell.exe
220	powershell.exe
220	powershell.exe
4744	powershell.exe
4744	powershell.exe
1464	powershell.exe
1464	powershell.exe
2728	powershell.exe
2728	powershell.exe
3980	powershell.exe
3980	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	5480	rolexspoofer.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	1640	unsecapp.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	1640	unsecapp.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 5976	4400	Xworm V5.6 (2).exe	77
PID 4400 wrote to memory of 5976	4400	Xworm V5.6 (2).exe	77
PID 5976 wrote to memory of 5480	5976	Uhid.exe	79
PID 5976 wrote to memory of 5480	5976	Uhid.exe	79
PID 4400 wrote to memory of 1488	4400	Xworm V5.6 (2).exe	78
PID 4400 wrote to memory of 1488	4400	Xworm V5.6 (2).exe	78
PID 5480 wrote to memory of 3816	5480	rolexspoofer.exe	81
PID 5480 wrote to memory of 3816	5480	rolexspoofer.exe	81
PID 5480 wrote to memory of 220	5480	rolexspoofer.exe	83
PID 5480 wrote to memory of 220	5480	rolexspoofer.exe	83
PID 1640 wrote to memory of 4744	1640	unsecapp.exe	86
PID 1640 wrote to memory of 4744	1640	unsecapp.exe	86
PID 1640 wrote to memory of 1464	1640	unsecapp.exe	88
PID 1640 wrote to memory of 1464	1640	unsecapp.exe	88
PID 1640 wrote to memory of 2728	1640	unsecapp.exe	90
PID 1640 wrote to memory of 2728	1640	unsecapp.exe	90
PID 1640 wrote to memory of 3980	1640	unsecapp.exe	92
PID 1640 wrote to memory of 3980	1640	unsecapp.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\xworm\Xworm V5.6 (2).exe
"C:\Users\Admin\AppData\Local\Temp\xworm\Xworm V5.6 (2).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\xworm\Uhid.exe
  "C:\Users\Admin\AppData\Local\Temp\xworm\Uhid.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5976
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rolexspoofer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rolexspoofer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\unsecapp.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'unsecapp.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:220
- C:\Users\Admin\AppData\Local\Temp\xworm\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\xworm\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:1488

C:\Users\Admin\AppData\Roaming\unsecapp.exe
C:\Users\Admin\AppData\Roaming\unsecapp.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\host.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'host.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4093e5ab3812960039eba1a814c2ffb0

SHA1
b5e4a98a80be72fccd3cc910e93113d2febef298

SHA256
c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c

SHA512
f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c0fe86517be16d2b0a671148c0274d2

SHA1
bd7a487a037395e9ede9e76b4a455fdf386ba8db

SHA256
5f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302

SHA512
642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80b42fe4c6cf64624e6c31e5d7f2d3b3

SHA1
1f93e7dd83b86cb900810b7e3e43797868bf7d93

SHA256
ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d

SHA512
83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_32hwgn5p.ojo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xworm\Uhid.exe

Filesize
2.1MB

MD5
7b8dd3335c25460fe7170005fd24ca6e

SHA1
1a6be7c3d12b8cc1a4e18fcca860be3ec0d0bdab

SHA256
203ccbd5bea87e28cc74053a24c0e08027ab0ae531f1274cbc804800afa4fe4f

SHA512
ae043f68c037882829ba873afe7162882bc620c91e740c7ca5ca7067bd4172cfc29cf18554622b38d3dfb6c7e63974c71020c6736703f70f6bee287616019418

Download Submit
C:\Users\Admin\AppData\Local\Temp\xworm\Xworm V5.6.exe

Filesize
14.9MB

MD5
714f51eb76e1d01b1b646962224910a8

SHA1
affe3aba05cdb0ab78fea81be9bae2ffb7dc7a8f

SHA256
6be79ff4d5c370639bfb4c3dbd4f2bc3332a009ccfbda08ed0a88524e3ee5b31

SHA512
a9faa8043b2d9498e78d921e05e3e299ea121af1a95682a70fb76b67df78c8101a6f55fbc1939a2858f282346e35bef9a2ae106bb4a5ae32e84e26107f33c905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rolexspoofer.exe

Filesize
230KB

MD5
7b717949121ea9b9d1dc54f2bc7202f9

SHA1
631524acfd80c2ab405c2af566969ec48bb99595

SHA256
7007221dc3d3019a0471deeafff20183530d7f54bf8aad71e137653f13e5d98d

SHA512
f582b34d097c12547e33da58a4377043c5608605c8bacabb13937fb33af023cdd4eb49d0b29dc7af781ff86dd1fecafa64bf77dbc8347f824b52bfab53dc9e7d

Download Submit
memory/1488-48-0x0000020076D80000-0x0000020076F74000-memory.dmp

Filesize
2.0MB

Download
memory/1488-46-0x000002005B4C0000-0x000002005C3AA000-memory.dmp

Filesize
14.9MB

Download
memory/1640-76-0x0000000001770000-0x0000000001780000-memory.dmp

Filesize
64KB

Download
memory/3816-57-0x0000016C76930000-0x0000016C76952000-memory.dmp

Filesize
136KB

Download
memory/4400-47-0x00007FF994250000-0x00007FF994D12000-memory.dmp

Filesize
10.8MB

Download
memory/4400-0-0x00007FF994253000-0x00007FF994255000-memory.dmp

Filesize
8KB

Download
memory/4400-4-0x00007FF994250000-0x00007FF994D12000-memory.dmp

Filesize
10.8MB

Download
memory/4400-1-0x0000000000D40000-0x0000000001606000-memory.dmp

Filesize
8.8MB

Download
memory/5480-40-0x0000000000EF0000-0x0000000000F30000-memory.dmp

Filesize
256KB

Download
memory/5976-41-0x00007FF994250000-0x00007FF994D12000-memory.dmp

Filesize
10.8MB

Download
memory/5976-20-0x00007FF994250000-0x00007FF994D12000-memory.dmp

Filesize
10.8MB

Download
memory/5976-17-0x00007FF994250000-0x00007FF994D12000-memory.dmp

Filesize
10.8MB

Download
memory/5976-16-0x000000001BCF0000-0x000000001BDBC000-memory.dmp

Filesize
816KB

Download
memory/5976-15-0x0000000000F00000-0x0000000001114000-memory.dmp

Filesize
2.1MB

Download