xworm | 9367a5b73fe3638560cc35e6343fab1375547f608e55f02ad185c15f35421c73

Analysis

max time kernel
33s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 02:43

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

quietcc.exe
Size

66KB
MD5

8cce9d9b2604324a3fd73f16c1e57946
SHA1

611063dc8e949921502e91df4345069c0eb423b1
SHA256

9367a5b73fe3638560cc35e6343fab1375547f608e55f02ad185c15f35421c73
SHA512

e82d7d6ebf983e904b2a6aebb04d5c8b7dd5fe4329166d2f10341791172f2c461d8fafeef05d754c305c7b25fae72de7d12cf139e0116ff0b692275bca4e8652
SSDEEP

1536:va9We/cGq+OEJXdKtfbo0Ac06wLYUfO+KHL9Gs:uOEqtfbohhO+KH5Gs

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:4010

countries-allowed.gl.at.ply.gg:4010

Attributes

Install_directory
%ProgramData%
install_file
RobloxPlayerBeta.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3636-1-0x00000000003D0000-0x00000000003E6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	ip-api.com

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	quietcc.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 2296	4360	msedge.exe	120
PID 4360 wrote to memory of 2296	4360	msedge.exe	120
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 2996	4360	msedge.exe	122
PID 4360 wrote to memory of 692	4360	msedge.exe	123
PID 4360 wrote to memory of 692	4360	msedge.exe	123

C:\Users\Admin\AppData\Local\Temp\quietcc.exe
"C:\Users\Admin\AppData\Local\Temp\quietcc.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\UnpublishWrite.htm
1⤵
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9538146f8,0x7ff953814708,0x7ff953814718
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1082928247069714950,16820014478044633791,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,1082928247069714950,16820014478044633791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,1082928247069714950,16820014478044633791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,1082928247069714950,16820014478044633791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,1082928247069714950,16820014478044633791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab283f88362e9716dd5c324319272528

SHA1
84cebc7951a84d497b2c1017095c2c572e3648c4

SHA256
61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2

SHA512
66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fffde59525dd5af902ac449748484b15

SHA1
243968c68b819f03d15b48fc92029bf11e21bedc

SHA256
26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762

SHA512
f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3ffd31f23ee5a92db14a5d6deb6c3d3

SHA1
fd990cb65c5cb7c5d19525bfd45bd3e060789fa7

SHA256
2b2c90b4551bcdd7d2e20d1659fae761b02f8348375554fe1fe11eb7c5344ea6

SHA512
2cbac93be4eefd3f267a00eed63985263b05be27ddf7b9ebf73eba363f1f815b5677bee593bbc032bab33c5f8599ce6f24ba16cd81d4211e1218deae2dd16c72

Download Submit
memory/3636-0-0x00007FF9535A3000-0x00007FF9535A5000-memory.dmp

Filesize
8KB

Download
memory/3636-1-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download
memory/3636-2-0x00007FF9535A0000-0x00007FF954061000-memory.dmp

Filesize
10.8MB

Download
memory/3636-3-0x00007FF9535A0000-0x00007FF954061000-memory.dmp

Filesize
10.8MB

Download