xworm | 463d3278d31d58a43d7ee5716fc7040ca7f454778ff82595ae67e416a7219b0d

Analysis

max time kernel
141s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rexon-Paid_Executor.exe
Size

1.9MB
MD5

767e47b7200526d6d7b9f82d7d350523
SHA1

7c3c57726639fd44cab7a0014e5cad278386cb6f
SHA256

463d3278d31d58a43d7ee5716fc7040ca7f454778ff82595ae67e416a7219b0d
SHA512

a467c77065293aca2c6bebc3c84c6b5584bd808cf7c8fe53794f02224a401eaebac7b7255ae1ef7081bc17b57abd1116e47a51b87b0f02bc41668f702da139f4
SSDEEP

49152:ZCCiwOpZt1fyR59Z48fjQs9vlaEaBf6xxCWFWV/:gHjpAfrQw9i6xIWFc/

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

display-equivalent.gl.at.ply.gg:12744

Mutex

SkjG4THxcPjCb6Fx

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012116-5.dat	family_xworm
behavioral1/memory/2320-7-0x0000000000CB0000-0x0000000000CC2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Rexon-Paid_Executor.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Rexon-Paid_Executor.exe

Executes dropped EXE 1 IoCs

pid	Process
2320	Rexon-Paid_Executor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Rexon-Paid_Executor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2340	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2340	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	Rexon-Paid_Executor.exe
Token: 33	2340	vlc.exe
Token: SeIncBasePriorityPrivilege	2340	vlc.exe
Token: SeDebugPrivilege	2320	Rexon-Paid_Executor.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe
2340	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2340	vlc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2320	2292	Rexon-Paid_Executor.exe	30
PID 2292 wrote to memory of 2320	2292	Rexon-Paid_Executor.exe	30
PID 2292 wrote to memory of 2320	2292	Rexon-Paid_Executor.exe	30
PID 2292 wrote to memory of 2340	2292	Rexon-Paid_Executor.exe	31
PID 2292 wrote to memory of 2340	2292	Rexon-Paid_Executor.exe	31
PID 2292 wrote to memory of 2340	2292	Rexon-Paid_Executor.exe	31

C:\Users\Admin\AppData\Local\Temp\Rexon-Paid_Executor.exe
"C:\Users\Admin\AppData\Local\Temp\Rexon-Paid_Executor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Roaming\Rexon-Paid_Executor.exe
  "C:\Users\Admin\AppData\Roaming\Rexon-Paid_Executor.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\BAZINGA.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BAZINGA.mp4

Filesize
1.8MB

MD5
08a7079e32a92cc7daf474bfdfa5fe93

SHA1
f001555edb196d52cfe8b15f8b02beb98fd85c26

SHA256
5cf8689e1f429a23c74937fefb19e64e24870d37cd9856c2207b5dc9ee574fbd

SHA512
8115c8957427c479daf7f2a6ff97512c31bc781f7dc264acb58c976945f16cb854e1540e93483c4e3512b0a61fdcaa8ee67933820f04e549fb17ec1dcd86b091

Download Submit
C:\Users\Admin\AppData\Roaming\Rexon-Paid_Executor.exe

Filesize
47KB

MD5
1142855d6cfd0deb6799a776fd04074f

SHA1
5206e413c09808dcfd996c7e1f570827f596b0d2

SHA256
e38aa74da26c6d44a18639403ebe1d5a5ccf1aa4afd165983d8ee78861abb5d4

SHA512
3640fbacdfed60e29ef21d8fea56db5dab82eafec9d0dcdcd500c77c448b4a9f46ddbc0047681d6048bd7446dd481284a922755b1251e0cf17533094b2e8cd0e

Download Submit
memory/2292-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x0000000000C70000-0x0000000000E54000-memory.dmp

Filesize
1.9MB

Download
memory/2320-7-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/2320-9-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-20-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-81-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-21-0x000000013F110000-0x000000013F208000-memory.dmp

Filesize
992KB

Download
memory/2340-22-0x000007FEFA7A0000-0x000007FEFA7D4000-memory.dmp

Filesize
208KB

Download
memory/2340-24-0x000007FEF70F0000-0x000007FEF7108000-memory.dmp

Filesize
96KB

Download
memory/2340-25-0x000007FEF70D0000-0x000007FEF70E7000-memory.dmp

Filesize
92KB

Download
memory/2340-27-0x000007FEF6480000-0x000007FEF6497000-memory.dmp

Filesize
92KB

Download
memory/2340-29-0x000007FEF2110000-0x000007FEF212D000-memory.dmp

Filesize
116KB

Download
memory/2340-30-0x000007FEF20F0000-0x000007FEF2101000-memory.dmp

Filesize
68KB

Download
memory/2340-28-0x000007FEF60D0000-0x000007FEF60E1000-memory.dmp

Filesize
68KB

Download
memory/2340-23-0x000007FEF2260000-0x000007FEF2516000-memory.dmp

Filesize
2.7MB

Download
memory/2340-26-0x000007FEF70B0000-0x000007FEF70C1000-memory.dmp

Filesize
68KB

Download
memory/2340-43-0x000007FEF1CE0000-0x000007FEF1D47000-memory.dmp

Filesize
412KB

Download
memory/2340-48-0x000007FEF1A40000-0x000007FEF1A57000-memory.dmp

Filesize
92KB

Download
memory/2340-46-0x000007FEF1BE0000-0x000007FEF1C37000-memory.dmp

Filesize
348KB

Download
memory/2340-47-0x000007FEF1A60000-0x000007FEF1BE0000-memory.dmp

Filesize
1.5MB

Download
memory/2340-45-0x000007FEF1C40000-0x000007FEF1C51000-memory.dmp

Filesize
68KB

Download
memory/2340-44-0x000007FEF1C60000-0x000007FEF1CDC000-memory.dmp

Filesize
496KB

Download
memory/2340-31-0x000007FEED6D0000-0x000007FEEE780000-memory.dmp

Filesize
16.7MB

Download
memory/2340-42-0x000007FEF1D50000-0x000007FEF1D80000-memory.dmp

Filesize
192KB

Download
memory/2340-41-0x000007FEF1D80000-0x000007FEF1D98000-memory.dmp

Filesize
96KB

Download
memory/2340-40-0x000007FEF1DA0000-0x000007FEF1DB1000-memory.dmp

Filesize
68KB

Download
memory/2340-39-0x000007FEF1DC0000-0x000007FEF1DDB000-memory.dmp

Filesize
108KB

Download
memory/2340-38-0x000007FEF1DE0000-0x000007FEF1DF1000-memory.dmp

Filesize
68KB

Download
memory/2340-37-0x000007FEF1E00000-0x000007FEF1E11000-memory.dmp

Filesize
68KB

Download
memory/2340-35-0x000007FEF1E40000-0x000007FEF1E58000-memory.dmp

Filesize
96KB

Download
memory/2340-36-0x000007FEF1E20000-0x000007FEF1E31000-memory.dmp

Filesize
68KB

Download
memory/2340-34-0x000007FEF1E60000-0x000007FEF1E81000-memory.dmp

Filesize
132KB

Download
memory/2340-33-0x000007FEF1E90000-0x000007FEF1ED1000-memory.dmp

Filesize
260KB

Download
memory/2340-32-0x000007FEF1EE0000-0x000007FEF20EB000-memory.dmp

Filesize
2.0MB

Download
memory/2340-60-0x000007FEEEFD0000-0x000007FEEF032000-memory.dmp

Filesize
392KB

Download
memory/2340-63-0x000007FEF10A0000-0x000007FEF10B4000-memory.dmp

Filesize
80KB

Download
memory/2340-64-0x000007FEEF560000-0x000007FEEF5B0000-memory.dmp

Filesize
320KB

Download
memory/2340-65-0x000007FEEEF40000-0x000007FEEEF55000-memory.dmp

Filesize
84KB

Download
memory/2340-62-0x000007FEF10C0000-0x000007FEF10D3000-memory.dmp

Filesize
76KB

Download
memory/2340-61-0x000007FEEEF60000-0x000007FEEEFCD000-memory.dmp

Filesize
436KB

Download
memory/2340-66-0x000007FEEEC90000-0x000007FEEEF40000-memory.dmp

Filesize
2.7MB

Download
memory/2340-67-0x000007FEEEC70000-0x000007FEEEC85000-memory.dmp

Filesize
84KB

Download
memory/2340-70-0x000007FEEEBE0000-0x000007FEEEBF1000-memory.dmp

Filesize
68KB

Download
memory/2340-71-0x000007FEEEBC0000-0x000007FEEEBD2000-memory.dmp

Filesize
72KB

Download
memory/2340-69-0x000007FEEEC00000-0x000007FEEEC13000-memory.dmp

Filesize
76KB

Download
memory/2340-68-0x000007FEEEC40000-0x000007FEEEC63000-memory.dmp

Filesize
140KB

Download
memory/2340-59-0x000007FEEF5B0000-0x000007FEEF5F2000-memory.dmp

Filesize
264KB

Download
memory/2340-58-0x000007FEF10E0000-0x000007FEF11A5000-memory.dmp

Filesize
788KB

Download
memory/2340-57-0x000007FEF11B0000-0x000007FEF11C6000-memory.dmp

Filesize
88KB

Download
memory/2340-56-0x000007FEF16A0000-0x000007FEF16B1000-memory.dmp

Filesize
68KB

Download
memory/2340-55-0x000007FEF16C0000-0x000007FEF16EF000-memory.dmp

Filesize
188KB

Download
memory/2340-54-0x000007FEFAF90000-0x000007FEFAFA0000-memory.dmp

Filesize
64KB

Download
memory/2340-50-0x000007FEF1810000-0x000007FEF1A16000-memory.dmp

Filesize
2.0MB

Download
memory/2340-53-0x000007FEF1750000-0x000007FEF179D000-memory.dmp

Filesize
308KB

Download
memory/2340-52-0x000007FEF17A0000-0x000007FEF17E2000-memory.dmp

Filesize
264KB

Download
memory/2340-72-0x000007FEEBCE0000-0x000007FEEBE5A000-memory.dmp

Filesize
1.5MB

Download
memory/2340-73-0x000007FEEBB10000-0x000007FEEBB21000-memory.dmp

Filesize
68KB

Download
memory/2340-74-0x000007FEEBAA0000-0x000007FEEBB01000-memory.dmp

Filesize
388KB

Download
memory/2340-75-0x000007FEEBA50000-0x000007FEEBA97000-memory.dmp

Filesize
284KB

Download
memory/2340-51-0x000007FEF17F0000-0x000007FEF1802000-memory.dmp

Filesize
72KB

Download
memory/2340-49-0x000007FEEBE60000-0x000007FEED6CF000-memory.dmp

Filesize
24.4MB

Download
memory/2340-76-0x000007FEEB9D0000-0x000007FEEBA44000-memory.dmp

Filesize
464KB

Download
memory/2340-77-0x000007FEEB860000-0x000007FEEB871000-memory.dmp

Filesize
68KB

Download
memory/2340-78-0x000007FEEB570000-0x000007FEEB5BE000-memory.dmp

Filesize
312KB

Download
memory/2340-79-0x000007FEEB510000-0x000007FEEB567000-memory.dmp

Filesize
348KB

Download
memory/2340-80-0x000007FEEB4D0000-0x000007FEEB504000-memory.dmp

Filesize
208KB

Download
memory/2340-84-0x000007FEF2260000-0x000007FEF2516000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads