xworm | c0361ce0281736d7c36d465ba67683cc16d70335186bd179cedc8f0383760ae4

Analysis

max time kernel
32s
max time network
35s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/03/2025, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperNeww.exe
Size

2.9MB
MD5

1b1b8584e5ef883aaa5be59076087d6b
SHA1

e2067cedc5a022487fdcd4f7407b75202d6b0eb1
SHA256

c0361ce0281736d7c36d465ba67683cc16d70335186bd179cedc8f0383760ae4
SHA512

73a951370df807595ddb61ab81aa7e5d7407fca5dba08f40e209d48e1bc2e4e4960439fa61bdf8a2967cde1865460c1df025fff6124607f6eb0752f35e382d45
SSDEEP

49152:IlcyXfHnaBTof9ePCjkIAm1skqXfd+/9A9ByClY1v/a/ehH7pNLLn2tM:CZXfHaFoCIvqkqXf0FglY1XOe97vLnh

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

casino-offline.gl.at.ply.gg:34999

Attributes

Install_directory
%AppData%
install_file
NVIDIA app.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000a000000027d66-15.dat	family_xworm
behavioral1/memory/3704-31-0x0000000000150000-0x0000000000168000-memory.dmp	family_xworm
behavioral1/memory/3368-30-0x0000000000400000-0x00000000006F8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1192	powershell.exe
2456	powershell.exe
1100	powershell.exe
2552	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-80166876-2127584002-2233670790-1000\Control Panel\International\Geo\Nation	BootstrapperNeww.exe
Key value queried	\REGISTRY\USER\S-1-5-21-80166876-2127584002-2233670790-1000\Control Panel\International\Geo\Nation	loader.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NVIDIA app.lnk	loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NVIDIA app.lnk	loader.exe

Executes dropped EXE 2 IoCs

pid	Process
1612	BootstrapperNew.exe
3704	loader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-80166876-2127584002-2233670790-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA app = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA app.exe"	loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNeww.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1192	powershell.exe
1192	powershell.exe
2456	powershell.exe
2456	powershell.exe
1100	powershell.exe
1100	powershell.exe
2552	powershell.exe
2552	powershell.exe
3704	loader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	loader.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeIncreaseQuotaPrivilege	1192	powershell.exe
Token: SeSecurityPrivilege	1192	powershell.exe
Token: SeTakeOwnershipPrivilege	1192	powershell.exe
Token: SeLoadDriverPrivilege	1192	powershell.exe
Token: SeSystemProfilePrivilege	1192	powershell.exe
Token: SeSystemtimePrivilege	1192	powershell.exe
Token: SeProfSingleProcessPrivilege	1192	powershell.exe
Token: SeIncBasePriorityPrivilege	1192	powershell.exe
Token: SeCreatePagefilePrivilege	1192	powershell.exe
Token: SeBackupPrivilege	1192	powershell.exe
Token: SeRestorePrivilege	1192	powershell.exe
Token: SeShutdownPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeSystemEnvironmentPrivilege	1192	powershell.exe
Token: SeRemoteShutdownPrivilege	1192	powershell.exe
Token: SeUndockPrivilege	1192	powershell.exe
Token: SeManageVolumePrivilege	1192	powershell.exe
Token: 33	1192	powershell.exe
Token: 34	1192	powershell.exe
Token: 35	1192	powershell.exe
Token: 36	1192	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeIncreaseQuotaPrivilege	2456	powershell.exe
Token: SeSecurityPrivilege	2456	powershell.exe
Token: SeTakeOwnershipPrivilege	2456	powershell.exe
Token: SeLoadDriverPrivilege	2456	powershell.exe
Token: SeSystemProfilePrivilege	2456	powershell.exe
Token: SeSystemtimePrivilege	2456	powershell.exe
Token: SeProfSingleProcessPrivilege	2456	powershell.exe
Token: SeIncBasePriorityPrivilege	2456	powershell.exe
Token: SeCreatePagefilePrivilege	2456	powershell.exe
Token: SeBackupPrivilege	2456	powershell.exe
Token: SeRestorePrivilege	2456	powershell.exe
Token: SeShutdownPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeSystemEnvironmentPrivilege	2456	powershell.exe
Token: SeRemoteShutdownPrivilege	2456	powershell.exe
Token: SeUndockPrivilege	2456	powershell.exe
Token: SeManageVolumePrivilege	2456	powershell.exe
Token: 33	2456	powershell.exe
Token: 34	2456	powershell.exe
Token: 35	2456	powershell.exe
Token: 36	2456	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeIncreaseQuotaPrivilege	1100	powershell.exe
Token: SeSecurityPrivilege	1100	powershell.exe
Token: SeTakeOwnershipPrivilege	1100	powershell.exe
Token: SeLoadDriverPrivilege	1100	powershell.exe
Token: SeSystemProfilePrivilege	1100	powershell.exe
Token: SeSystemtimePrivilege	1100	powershell.exe
Token: SeProfSingleProcessPrivilege	1100	powershell.exe
Token: SeIncBasePriorityPrivilege	1100	powershell.exe
Token: SeCreatePagefilePrivilege	1100	powershell.exe
Token: SeBackupPrivilege	1100	powershell.exe
Token: SeRestorePrivilege	1100	powershell.exe
Token: SeShutdownPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeSystemEnvironmentPrivilege	1100	powershell.exe
Token: SeRemoteShutdownPrivilege	1100	powershell.exe
Token: SeUndockPrivilege	1100	powershell.exe
Token: SeManageVolumePrivilege	1100	powershell.exe
Token: 33	1100	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3704	loader.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 1612	3368	BootstrapperNeww.exe	84
PID 3368 wrote to memory of 1612	3368	BootstrapperNeww.exe	84
PID 3368 wrote to memory of 3704	3368	BootstrapperNeww.exe	85
PID 3368 wrote to memory of 3704	3368	BootstrapperNeww.exe	85
PID 3704 wrote to memory of 1192	3704	loader.exe	88
PID 3704 wrote to memory of 1192	3704	loader.exe	88
PID 3704 wrote to memory of 2456	3704	loader.exe	93
PID 3704 wrote to memory of 2456	3704	loader.exe	93
PID 3704 wrote to memory of 1100	3704	loader.exe	95
PID 3704 wrote to memory of 1100	3704	loader.exe	95
PID 3704 wrote to memory of 2552	3704	loader.exe	97
PID 3704 wrote to memory of 2552	3704	loader.exe	97
PID 3704 wrote to memory of 1144	3704	loader.exe	100
PID 3704 wrote to memory of 1144	3704	loader.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BootstrapperNeww.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperNeww.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loader.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loader.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NVIDIA app.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NVIDIA app.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2552
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NVIDIA app" /tr "C:\Users\Admin\AppData\Roaming\NVIDIA app.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
020d1cbef5aeb22088c0faff8d76af4e

SHA1
93e7f27b8fb57cfea4ae330bedcace1a8ce7c014

SHA256
cb283829df7f7ca2f7f8072ed014bebb7d424581e8672a9fa5683f3674726bb0

SHA512
1046228ed9d08e5296c02409b5aa460e8280a633f7f2022ec7dc7c1e750522260006844bd5114ec713593bce1d10b8932963a8630e6707e76b45a0cb8c8ff53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
714c05aecb94594ffcbd61b1eea79d83

SHA1
966442eb5cbf00d3d94dff78b67df228e49e1b9f

SHA256
07c4ee5409cd3d2f979809ec3eb3b7f245dd5c32d733fa8c683984ba5dfe4c4c

SHA512
9777034067dc146ec21c91f357a62fb6841744b1b258b1c642173285636a5e13e6ef6e536fb99331caa1de155071f5e7dd3f3d619992e5e78e319db2862c4b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
41b8b3dc843bb68cece421e263fcaf31

SHA1
576998931b3e982a9d0cc30a46973c4d6d934a53

SHA256
d8f3108fad9f28dc5b6efae92b55004f57019d862cc0548f9b5f9b84fde1ba52

SHA512
7ac0f22425feb43c0a0cd23256bac03b1143a4299ce469cf6bcb86a78377896149552d4c378b1955578084bfc334935c0daca621bf42904cfaeba45699083493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
273760112f1f2e60426631713dc50319

SHA1
3c1e9b5b5a7934720ae53ef6e844387860dd1e51

SHA256
057dc9b8f7c35b6fb55f8a2618fb75057ada88a95629c4414ed67e9fc2542247

SHA512
17d5f6244bf7e892b9b22c3ed72d44cc794e630e075038ea51c3e680298fb7110937416c741bd114431386eafa4fa41d8cec6b66515ca43b9ddf4d57cf0c5317

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe

Filesize
2.9MB

MD5
f227cdfd423b3cc03bb69c49babf4da3

SHA1
3db5a97d9b0f2545e7ba97026af6c28512200441

SHA256
cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

SHA512
b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgx25ths.nmh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
67KB

MD5
de7e058ade5e6ebe2cce6b2fd10d4bae

SHA1
0196abbe9f3fc7db4ad524d29119f7ee9beb37db

SHA256
271c6a42cc3f42923496857ea6adf8407f73fda81faa2586fb0fe5f6901e6d5a

SHA512
3fb799fca20dfb6a2871b507bec70587c555882ab7b3af6bbca855f90b66f5172a22d5dda0f2baa9e67781b9277d30e04d9dccfddc8dea095ab75b4898d921cd

Download Submit
memory/1192-56-0x000001AFEEB30000-0x000001AFEEB52000-memory.dmp

Filesize
136KB

Download
memory/1612-33-0x00000276AB730000-0x00000276AB740000-memory.dmp

Filesize
64KB

Download
memory/1612-45-0x00000276CB7B0000-0x00000276CB7B8000-memory.dmp

Filesize
32KB

Download
memory/1612-36-0x00000276CB700000-0x00000276CB738000-memory.dmp

Filesize
224KB

Download
memory/1612-37-0x00000276C5940000-0x00000276C594E000-memory.dmp

Filesize
56KB

Download
memory/1612-38-0x00000276CBE00000-0x00000276CBF00000-memory.dmp

Filesize
1024KB

Download
memory/1612-39-0x00000276C5950000-0x00000276C595A000-memory.dmp

Filesize
40KB

Download
memory/1612-42-0x00000276CB780000-0x00000276CB796000-memory.dmp

Filesize
88KB

Download
memory/1612-41-0x00000276CB770000-0x00000276CB778000-memory.dmp

Filesize
32KB

Download
memory/1612-40-0x00000276CB740000-0x00000276CB766000-memory.dmp

Filesize
152KB

Download
memory/1612-43-0x00000276C5970000-0x00000276C597A000-memory.dmp

Filesize
40KB

Download
memory/1612-44-0x00000276C5960000-0x00000276C596A000-memory.dmp

Filesize
40KB

Download
memory/1612-35-0x00007FF9D2EF0000-0x00007FF9D39B2000-memory.dmp

Filesize
10.8MB

Download
memory/1612-34-0x00000276C58F0000-0x00000276C58F8000-memory.dmp

Filesize
32KB

Download
memory/1612-99-0x00007FF9D2EF0000-0x00007FF9D39B2000-memory.dmp

Filesize
10.8MB

Download
memory/1612-97-0x00007FF9D2EF3000-0x00007FF9D2EF5000-memory.dmp

Filesize
8KB

Download
memory/1612-20-0x00007FF9D2EF3000-0x00007FF9D2EF5000-memory.dmp

Filesize
8KB

Download
memory/1612-29-0x00000276AB090000-0x00000276AB372000-memory.dmp

Filesize
2.9MB

Download
memory/3368-30-0x0000000000400000-0x00000000006F8000-memory.dmp

Filesize
3.0MB

Download
memory/3704-31-0x0000000000150000-0x0000000000168000-memory.dmp

Filesize
96KB

Download
memory/3704-98-0x00007FF9D2EF0000-0x00007FF9D39B2000-memory.dmp

Filesize
10.8MB

Download
memory/3704-32-0x00007FF9D2EF0000-0x00007FF9D39B2000-memory.dmp

Filesize
10.8MB

Download
memory/3704-100-0x000000001B730000-0x000000001B73C000-memory.dmp

Filesize
48KB

Download
memory/3704-101-0x00007FF9D2EF0000-0x00007FF9D39B2000-memory.dmp

Filesize
10.8MB

Download