xworm | a3ec5b6f6fa4b9aa52045c78d2796ece4824284c356b32d3214ce8a1226c9267

Analysis

max time kernel
147s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
03/03/2025, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rc7fork.exe
Size

155KB
MD5

89cdea23fcf69912e06646f51cfdc2a5
SHA1

a3236b8ef58ea89cd98c01d0e3f1ac4bc350c5bb
SHA256

a3ec5b6f6fa4b9aa52045c78d2796ece4824284c356b32d3214ce8a1226c9267
SHA512

1bc40fc961fbe4909ab2eff3165529228d39e8c9f89699509bf2b5b60380daf8361103bd7967a8bb9843178e05ba6ee68a3a82adf5520e2cb9403125230b94f9
SSDEEP

3072:/uoFqLtXnpZ9v87jzEfo4rswbj/yjgf6yFOBvqsfzOIFc:1FspT87jz7D6qm6ysBvqsrj

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
Antivirus.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3404-4-0x0000000003F40000-0x0000000003F54000-memory.dmp	family_xworm
behavioral1/memory/3404-8-0x0000000004280000-0x0000000004292000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
1128	Explorer.EXE
4536	Explorer.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyApplication = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Rc7fork.exe"	Rc7fork.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer.EXE"	Explorer.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
4	raw.githubusercontent.com

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE

Modifies registry class 37 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings	Explorer.EXE
Key created	\Registry\User\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\NotificationData	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4196	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
6088	Rc7fork.exe
6088	Rc7fork.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3404	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeDebugPrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
324	MiniSearchHost.exe
3404	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 6088 wrote to memory of 3404	6088	Rc7fork.exe	52
PID 3404 wrote to memory of 4196	3404	Explorer.EXE	84
PID 3404 wrote to memory of 4196	3404	Explorer.EXE	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\Rc7fork.exe
  "C:\Users\Admin\AppData\Local\Temp\Rc7fork.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:6088
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Explorer" /tr "C:\Users\Admin\AppData\Roaming\Explorer.EXE"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4196

C:\Users\Admin\AppData\Roaming\Explorer.EXE
C:\Users\Admin\AppData\Roaming\Explorer.EXE
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1128

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:324

C:\Users\Admin\AppData\Roaming\Explorer.EXE
C:\Users\Admin\AppData\Roaming\Explorer.EXE
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Explorer.EXE

Filesize
4.8MB

MD5
4f543bf58bbf481126a556fc8d642415

SHA1
53fa292e148d65227910bac9be1ad498d17fabf9

SHA256
49af13fcadea3f3b5807f11df9d2636da4033f6a4ec294940fef671336c88ce7

SHA512
c273e54478c3a85c4aab3498af6b5abed9001bd87062ee3a83349e731be11af31482dd541d44af8275d96d45017ab67bfe48d2fcfd57583f493c0477d04a3627

Download Submit
memory/3404-10-0x00007FFE3DDF0000-0x00007FFE3E8B2000-memory.dmp

Filesize
10.8MB

Download
memory/3404-2-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/3404-3-0x00007FFE3DDF3000-0x00007FFE3DDF5000-memory.dmp

Filesize
8KB

Download
memory/3404-4-0x0000000003F40000-0x0000000003F54000-memory.dmp

Filesize
80KB

Download
memory/3404-5-0x00007FFE3DDF0000-0x00007FFE3E8B2000-memory.dmp

Filesize
10.8MB

Download
memory/3404-8-0x0000000004280000-0x0000000004292000-memory.dmp

Filesize
72KB

Download
memory/3404-9-0x00007FFE3DDF3000-0x00007FFE3DDF5000-memory.dmp

Filesize
8KB

Download
memory/3404-11-0x00007FFE3DDF0000-0x00007FFE3E8B2000-memory.dmp

Filesize
10.8MB

Download
memory/3404-12-0x00007FFE3DDF0000-0x00007FFE3E8B2000-memory.dmp

Filesize
10.8MB

Download
memory/6088-7-0x00007FFE3DDF3000-0x00007FFE3DDF5000-memory.dmp

Filesize
8KB

Download
memory/6088-0-0x00007FFE3DDF3000-0x00007FFE3DDF5000-memory.dmp

Filesize
8KB

Download
memory/6088-1-0x00000000001E0000-0x000000000020C000-memory.dmp

Filesize
176KB

Download