xworm | a50ef8bbeb3468b1eb76246551b98f0500e597c0a1d1cd552e9951cea572f6e0

Analysis

max time kernel
111s
max time network
113s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/03/2025, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XHorionUPDATED.rar
Size

1.2MB
MD5

31a315cc0c9ed0848b0a6a6bbc719259
SHA1

01759a522fb18f9e3303ea686fb2e6b1ccfd2587
SHA256

a50ef8bbeb3468b1eb76246551b98f0500e597c0a1d1cd552e9951cea572f6e0
SHA512

8457255e11862f150b876647074e9aaf460bc82ba11809395a11ba5a77b2474c7b499f359f83b490b0f69727df10fafda511b3df08b59c0e527f3436965c684d
SSDEEP

24576:S+Ivn2D8Fkj52SQvEYDni0jairFnTGGPc8/4yIHN1a8s5npKzcmTgDFQRkAWSXxk:S+I5kj52Zv7Di7iRBE8/4JHXa8mKzHgt

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

supersigma9-32916.portmap.host:32916

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000027f56-60.dat	family_xworm
behavioral1/memory/848-87-0x00000000000F0000-0x000000000011C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
50	376	HorionInjector.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	XHorion.exe

Executes dropped EXE 5 IoCs

pid	Process
1552	XHorion.exe
848	NovalUPD.exe
376	HorionInjector.exe
2336	XHorionClient.exe
2392	XHorionClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XHorionClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XHorionClient.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 000000000200000001000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2308	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe
376	HorionInjector.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
548	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	548	7zFM.exe
Token: 35	548	7zFM.exe
Token: SeSecurityPrivilege	548	7zFM.exe
Token: SeSecurityPrivilege	548	7zFM.exe
Token: SeDebugPrivilege	848	NovalUPD.exe
Token: SeDebugPrivilege	376	HorionInjector.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
548	7zFM.exe
548	7zFM.exe
548	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2308	explorer.exe
2308	explorer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 848	1552	XHorion.exe	101
PID 1552 wrote to memory of 848	1552	XHorion.exe	101
PID 1552 wrote to memory of 376	1552	XHorion.exe	102
PID 1552 wrote to memory of 376	1552	XHorion.exe	102
PID 376 wrote to memory of 2512	376	HorionInjector.exe	106
PID 376 wrote to memory of 2512	376	HorionInjector.exe	106
PID 2336 wrote to memory of 2520	2336	XHorionClient.exe	112
PID 2336 wrote to memory of 2520	2336	XHorionClient.exe	112
PID 2392 wrote to memory of 1196	2392	XHorionClient.exe	115
PID 2392 wrote to memory of 1196	2392	XHorionClient.exe	115

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XHorionUPDATED.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3124

C:\Users\Admin\Pictures\XHorionUPDATED\XHorionUPDATED\XHorion\XHorion.exe
"C:\Users\Admin\Pictures\XHorionUPDATED\XHorionUPDATED\XHorion\XHorion.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Roaming\NovalUPD.exe
  "C:\Users\Admin\AppData\Roaming\NovalUPD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Users\Admin\AppData\Roaming\HorionInjector.exe
  "C:\Users\Admin\AppData\Roaming\HorionInjector.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\explorer.exe
    explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
    3⤵
    PID:2512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Users\Admin\Pictures\XHorionUPDATED\XHorionUPDATED\XHorion\XHorionClient.exe
"C:\Users\Admin\Pictures\XHorionUPDATED\XHorionUPDATED\XHorion\XHorionClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\55F6.tmp\55F7.tmp\55F8.bat C:\Users\Admin\Pictures\XHorionUPDATED\XHorionUPDATED\XHorion\XHorionClient.exe"
  2⤵
  PID:2520

C:\Users\Admin\Pictures\XHorionUPDATED\XHorionUPDATED\XHorion\XHorionClient.exe
"C:\Users\Admin\Pictures\XHorionUPDATED\XHorionUPDATED\XHorion\XHorionClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6102.tmp\6103.tmp\6114.bat C:\Users\Admin\Pictures\XHorionUPDATED\XHorionUPDATED\XHorion\XHorionClient.exe"
  2⤵
  PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\55F6.tmp\55F7.tmp\55F8.bat

Filesize
22B

MD5
deafc0c01bad3e97f1edbd3d1e1b1872

SHA1
3fd54162bc00f745dfbd033d5830dd1a8a8ab662

SHA256
2a7024692b56de7f7b1b3b6588704e033e1b9eefc79d75730ebc87142fc67e63

SHA512
8c14349e6a18fa6b59a0aedc96f8008f89c3ec93552af196ed78db2d9e66e18108a15704777fdb32cdcad33f4194b65c297d6988014b8aad0b3775a49182c782

Download Submit
C:\Users\Admin\AppData\Roaming\HorionInjector.exe

Filesize
147KB

MD5
6b5b6e625de774e5c285712b7c4a0da7

SHA1
317099aef530afbe3a0c5d6a2743d51e04805267

SHA256
2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

SHA512
104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08

Download Submit
C:\Users\Admin\AppData\Roaming\NovalUPD.exe

Filesize
153KB

MD5
88595aec6cbe608a5d4536d091a6a091

SHA1
83ff553779fc12c8d2ef8df22acd6bc1e9a35e47

SHA256
697f48b11456f5823959906c062384f70f9c8de6521f74feea7ed54912e0874e

SHA512
6efd34a018c46dc2c83611379c480db23f3e76243f3fd16fa4b6876337b2470dccee35ef68017eb688a3be042e246d8169dd7c7c52506396cae0ce07ec95f56a

Download Submit
C:\Users\Admin\Pictures\XHorionUPDATED\XHorionUPDATED\XHorion\XHorion.exe

Filesize
381KB

MD5
c32d172e5c95cf1aa5b4c613d80ed560

SHA1
1c035ac306f5f8f4456d3ecc1d3c8df94880d9db

SHA256
dfee0ccb7bec6a99d768fa48b0f604d8fc489a91622a51bcf892aca5a28e3459

SHA512
dc3687096cd0dbb095fadf2db0bf56e64bc7ce9c6cce9f52f5d40ec64e76a9a4f5ffc079acac29b1edc18c5d8cf82b63dbc7046c97f4240ca57772d5ae014ba8

Download Submit
C:\Users\Admin\Pictures\XHorionUPDATED\XHorionUPDATED\XHorion\XHorionClient.exe

Filesize
89KB

MD5
193cf6ebb53410e9d283c7fa249cbc27

SHA1
de4ce04aaf927f35df0c049c0c7c759aa89de8ea

SHA256
efa4393fd460946721a1cfe9e6d65b29248836af9e1eeabef2d3a90fd02f3368

SHA512
4a775b43e7a8ba5c6642ccbcf34f68ce1456e8f50e2c8a8e812f825bc6822e70735b4de895f6bdd4ab06bd6b78c797560521f0e7b4551337e1042e8d402bc7ea

Download Submit
memory/376-88-0x0000023A271E0000-0x0000023A27208000-memory.dmp

Filesize
160KB

Download
memory/376-89-0x0000023A42240000-0x0000023A422FA000-memory.dmp

Filesize
744KB

Download
memory/376-90-0x0000023A45EA0000-0x0000023A45EA8000-memory.dmp

Filesize
32KB

Download
memory/376-92-0x0000023A45EC0000-0x0000023A45ECE000-memory.dmp

Filesize
56KB

Download
memory/376-91-0x0000023A463E0000-0x0000023A46418000-memory.dmp

Filesize
224KB

Download
memory/848-87-0x00000000000F0000-0x000000000011C000-memory.dmp

Filesize
176KB

Download
memory/1552-55-0x0000000000D10000-0x0000000000D76000-memory.dmp

Filesize
408KB

Download
memory/1552-54-0x00007FFBF9513000-0x00007FFBF9515000-memory.dmp

Filesize
8KB

Download