xworm | 6857d59d1179d9e3745115f7e08cde964c3cee54bb91fd891bba282fe226eb2b

Analysis

max time kernel
112s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FFDOC-2025210 pdf.exe
Size

319KB
MD5

d8ea07f0f0072e6ae8ac3b7996941eb7
SHA1

24a6d36259ca0d0c89f46411da822a7f2683beaf
SHA256

6857d59d1179d9e3745115f7e08cde964c3cee54bb91fd891bba282fe226eb2b
SHA512

7c44f2746117f35e8bd8cf40327390edfd7a33650a42f3a8e110de3f1eac02649ec50988c9be956968627af0682e22edbfa442fbf6f206a770c086289d88bbd3
SSDEEP

6144:Lyh4ZwGcFZxO4MvaL7eS7sZXl1YoEhVJGfT/zoMWk:LaZc4MBS7s6sfXotk

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

56TvElZMbqDoRvU7

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3856-1348-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 4924 created 3404	4924	FFDOC-2025210 pdf.exe	56
PID 3788 created 3404	3788	ccbnlg.exe	56
PID 2940 created 3404	2940	vrrkxy.exe	56

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	FFDOC-2025210 pdf.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs	vrrkxy.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs	FFDOC-2025210 pdf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs	ccbnlg.exe

Executes dropped EXE 4 IoCs

pid	Process
2940	vrrkxy.exe
3788	ccbnlg.exe
5292	ccbnlg.exe
5448	vrrkxy.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4924 set thread context of 3856	4924	FFDOC-2025210 pdf.exe	98
PID 3788 set thread context of 5292	3788	ccbnlg.exe	104
PID 2940 set thread context of 5448	2940	vrrkxy.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFDOC-2025210 pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFDOC-2025210 pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrrkxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccbnlg.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4924	FFDOC-2025210 pdf.exe
4924	FFDOC-2025210 pdf.exe
4924	FFDOC-2025210 pdf.exe
3788	ccbnlg.exe
3788	ccbnlg.exe
3788	ccbnlg.exe
2940	vrrkxy.exe
2940	vrrkxy.exe
2940	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe
5448	vrrkxy.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	FFDOC-2025210 pdf.exe
Token: SeDebugPrivilege	4924	FFDOC-2025210 pdf.exe
Token: SeDebugPrivilege	3856	FFDOC-2025210 pdf.exe
Token: SeDebugPrivilege	3788	ccbnlg.exe
Token: SeDebugPrivilege	2940	vrrkxy.exe
Token: SeDebugPrivilege	3788	ccbnlg.exe
Token: SeDebugPrivilege	2940	vrrkxy.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 3856	4924	FFDOC-2025210 pdf.exe	98
PID 4924 wrote to memory of 3856	4924	FFDOC-2025210 pdf.exe	98
PID 4924 wrote to memory of 3856	4924	FFDOC-2025210 pdf.exe	98
PID 4924 wrote to memory of 3856	4924	FFDOC-2025210 pdf.exe	98
PID 4924 wrote to memory of 3856	4924	FFDOC-2025210 pdf.exe	98
PID 4924 wrote to memory of 3856	4924	FFDOC-2025210 pdf.exe	98
PID 4924 wrote to memory of 3856	4924	FFDOC-2025210 pdf.exe	98
PID 4924 wrote to memory of 3856	4924	FFDOC-2025210 pdf.exe	98
PID 3856 wrote to memory of 2940	3856	FFDOC-2025210 pdf.exe	100
PID 3856 wrote to memory of 2940	3856	FFDOC-2025210 pdf.exe	100
PID 3856 wrote to memory of 2940	3856	FFDOC-2025210 pdf.exe	100
PID 3856 wrote to memory of 3788	3856	FFDOC-2025210 pdf.exe	101
PID 3856 wrote to memory of 3788	3856	FFDOC-2025210 pdf.exe	101
PID 3856 wrote to memory of 3788	3856	FFDOC-2025210 pdf.exe	101
PID 3788 wrote to memory of 5292	3788	ccbnlg.exe	104
PID 3788 wrote to memory of 5292	3788	ccbnlg.exe	104
PID 3788 wrote to memory of 5292	3788	ccbnlg.exe	104
PID 3788 wrote to memory of 5292	3788	ccbnlg.exe	104
PID 3788 wrote to memory of 5292	3788	ccbnlg.exe	104
PID 3788 wrote to memory of 5292	3788	ccbnlg.exe	104
PID 3788 wrote to memory of 5292	3788	ccbnlg.exe	104
PID 3788 wrote to memory of 5292	3788	ccbnlg.exe	104
PID 2940 wrote to memory of 5448	2940	vrrkxy.exe	105
PID 2940 wrote to memory of 5448	2940	vrrkxy.exe	105
PID 2940 wrote to memory of 5448	2940	vrrkxy.exe	105
PID 2940 wrote to memory of 5448	2940	vrrkxy.exe	105
PID 2940 wrote to memory of 5448	2940	vrrkxy.exe	105
PID 2940 wrote to memory of 5448	2940	vrrkxy.exe	105

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\FFDOC-2025210 pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\FFDOC-2025210 pdf.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\FFDOC-2025210 pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\FFDOC-2025210 pdf.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\vrrkxy.exe
    "C:\Users\Admin\AppData\Local\Temp\vrrkxy.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2940
- - C:\Users\Admin\AppData\Local\Temp\ccbnlg.exe
    "C:\Users\Admin\AppData\Local\Temp\ccbnlg.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3788
- C:\Users\Admin\AppData\Local\Temp\ccbnlg.exe
  "C:\Users\Admin\AppData\Local\Temp\ccbnlg.exe"
  2⤵
  - Executes dropped EXE
  PID:5292
- C:\Users\Admin\AppData\Local\Temp\vrrkxy.exe
  "C:\Users\Admin\AppData\Local\Temp\vrrkxy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ccbnlg.exe

Filesize
321KB

MD5
5138a5678f8982621ea73a6335b7b38b

SHA1
8c2d602d5666b03fbc3ec1decce2b28d6bd7ca5f

SHA256
ebb556e873ef35d93c5c62404263659ac3f2604cea643015f29fee85c3a3a167

SHA512
289732f4ab4a7bae27b24e6d272832f0d43824f3dc03c1554b5c8cf1a24f0f25d18ae794c3ece142716b3e82319a3317a17f909af780ae258fc2a9d831f7ef50

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrrkxy.exe

Filesize
321KB

MD5
62e28c115b73a2b918fe4a33148f36e4

SHA1
0601aba05513fdf160a9f10a92dca288bb0cd981

SHA256
d0e058ee5585d906c9dab04a5399cedbec52a97416e201f59714d8da7d99b3b3

SHA512
17af001fe8c5411b44fe0384471ab86de58fcc4620b0205fa47d9968b861bbcd7644f0876dfe6d3559cef88b0a294d71ebf695aaeccf1d5f71b098595497fe9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Filesize
82B

MD5
89d8c2a9f15a247516fed10895467a3b

SHA1
b411d417c30da83dfbd39ecc44f0dde0529fdeaf

SHA256
7b5f7caf04bbc0eeef94c49e6bbef4b40253724c893c3055215974c730413aa5

SHA512
f6a0652703cc6f0d1329b8cdd8414246df9801390a779cf38c49e3be080e709bd6b96f7de80a8f36e918ba35a50ec0a8cf916d523961338312d8ac7937ca676d

Download Submit
\??\c:\users\admin\appdata\roaming\current.exe

Filesize
128KB

MD5
cdba12be61474c68e09a2fd250185877

SHA1
b117f3eae98e3839f1509423fae30153fda60af7

SHA256
393ed472922b2bac17bfd4e00cb952cf7debf77b194c181d22074a31e470f742

SHA512
8916e5f44d09e512ceeb1fdf5b7fb435a6453c54d6756d494abaaeb591c80ffb50a70e224ef98a33ea6e923e2ef12d8923fdf7fcf77a5a370df483b270e4171e

Download Submit
\??\c:\users\admin\appdata\roaming\current.exe

Filesize
128KB

MD5
558f2c86c36a66c32e702b06d8520ac8

SHA1
d09cd68ed3a6412840bb7ebdfcb036d4972eba31

SHA256
50b1c62ce79f597bab10db9d25feed4af1f5b93b2526b28cd110b92273c49657

SHA512
1dfbac3e4a1d900130506354c93109bfea9caebaa805b860ed0ceea513f129f85e887139181da91149aca90f0d7a9546a64b5b3a72b1a165a7dff464513b15cd

Download Submit
memory/2940-4029-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/2940-1375-0x0000000000340000-0x0000000000396000-memory.dmp

Filesize
344KB

Download
memory/2940-4028-0x0000000005A80000-0x0000000005B18000-memory.dmp

Filesize
608KB

Download
memory/2940-4027-0x00000000058B0000-0x000000000594C000-memory.dmp

Filesize
624KB

Download
memory/2940-1380-0x0000000005440000-0x0000000005582000-memory.dmp

Filesize
1.3MB

Download
memory/2940-1378-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/2940-4050-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/3788-3973-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/3788-3731-0x0000000005970000-0x0000000005A04000-memory.dmp

Filesize
592KB

Download
memory/3788-1379-0x0000000005610000-0x000000000574A000-memory.dmp

Filesize
1.2MB

Download
memory/3788-1376-0x0000000000520000-0x0000000000576000-memory.dmp

Filesize
344KB

Download
memory/3856-1377-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/3856-1347-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/3856-4051-0x00000000027D0000-0x00000000027DC000-memory.dmp

Filesize
48KB

Download
memory/3856-1352-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/3856-1351-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/3856-1350-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/3856-1349-0x0000000004F70000-0x000000000500C000-memory.dmp

Filesize
624KB

Download
memory/3856-1348-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4924-49-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-1345-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4924-31-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-35-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-27-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-25-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-23-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-21-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-20-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-15-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-13-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-11-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-9-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-6-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-29-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-1328-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4924-1329-0x0000000006260000-0x00000000062BC000-memory.dmp

Filesize
368KB

Download
memory/4924-1330-0x0000000006310000-0x0000000006368000-memory.dmp

Filesize
352KB

Download
memory/4924-1331-0x0000000006500000-0x000000000654C000-memory.dmp

Filesize
304KB

Download
memory/4924-1332-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/4924-1333-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4924-1334-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4924-1335-0x0000000006560000-0x00000000065B4000-memory.dmp

Filesize
336KB

Download
memory/4924-1341-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4924-1343-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4924-45-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-1346-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4924-33-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-38-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-39-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-41-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-43-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-47-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/4924-51-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-53-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-55-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-57-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-59-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-63-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-65-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-67-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-69-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-61-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-17-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-7-0x0000000005F90000-0x000000000608B000-memory.dmp

Filesize
1004KB

Download
memory/4924-5-0x0000000006170000-0x0000000006202000-memory.dmp

Filesize
584KB

Download
memory/4924-4-0x0000000006640000-0x0000000006BE4000-memory.dmp

Filesize
5.6MB

Download
memory/4924-3-0x0000000005F90000-0x0000000006090000-memory.dmp

Filesize
1024KB

Download
memory/4924-2-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4924-1-0x0000000000D30000-0x0000000000D86000-memory.dmp

Filesize
344KB

Download