xworm | bb6ebd1e6609ffd3ca442aa965cebdab07071715abef65b46e145ad1f700a2d6

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GXK5E_fsdjgfsdhnfgsd.bat
Size

65KB
MD5

e6ee7aca370346191e07ae542b95cb8c
SHA1

0a2376a42bd1639cab1909e22ad423a4cefab293
SHA256

bb6ebd1e6609ffd3ca442aa965cebdab07071715abef65b46e145ad1f700a2d6
SHA512

7583d3b036ed7bd23f480772fb6f2f70acca8f01be0b6a2a45eb1d7887d38060c2e49435a1e04db8a3a6f06d5200b794bd604559576b6310618607837614cf4a
SSDEEP

1536:ypDhvQgdHQgXro4uFtnqK00ZVrKt1ag2pN7Gop:yXE4uFkKLkanNSop

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

45.144.212.242:7000

Mutex

GHrcTVoc3c8G04bh

Attributes

Install_directory
%AppData%
install_file
SubDir.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016cfd-4.dat	family_xworm
behavioral1/memory/2664-7-0x0000000001190000-0x00000000011A2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2316	powershell.exe
2992	powershell.exe
2936	powershell.exe
2996	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SubDir.lnk	embedded.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SubDir.lnk	embedded.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	embedded.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\SubDir = "C:\\Users\\Admin\\AppData\\Roaming\\SubDir.exe"	embedded.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
2164	certutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1972	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2316	powershell.exe
2992	powershell.exe
2936	powershell.exe
2996	powershell.exe
2664	embedded.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	embedded.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2664	embedded.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2664	embedded.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2164	2116	cmd.exe	31
PID 2116 wrote to memory of 2164	2116	cmd.exe	31
PID 2116 wrote to memory of 2164	2116	cmd.exe	31
PID 2116 wrote to memory of 2664	2116	cmd.exe	32
PID 2116 wrote to memory of 2664	2116	cmd.exe	32
PID 2116 wrote to memory of 2664	2116	cmd.exe	32
PID 2664 wrote to memory of 2316	2664	embedded.exe	33
PID 2664 wrote to memory of 2316	2664	embedded.exe	33
PID 2664 wrote to memory of 2316	2664	embedded.exe	33
PID 2664 wrote to memory of 2992	2664	embedded.exe	35
PID 2664 wrote to memory of 2992	2664	embedded.exe	35
PID 2664 wrote to memory of 2992	2664	embedded.exe	35
PID 2664 wrote to memory of 2936	2664	embedded.exe	37
PID 2664 wrote to memory of 2936	2664	embedded.exe	37
PID 2664 wrote to memory of 2936	2664	embedded.exe	37
PID 2664 wrote to memory of 2996	2664	embedded.exe	39
PID 2664 wrote to memory of 2996	2664	embedded.exe	39
PID 2664 wrote to memory of 2996	2664	embedded.exe	39
PID 2664 wrote to memory of 2740	2664	embedded.exe	41
PID 2664 wrote to memory of 2740	2664	embedded.exe	41
PID 2664 wrote to memory of 2740	2664	embedded.exe	41
PID 2664 wrote to memory of 3036	2664	embedded.exe	45
PID 2664 wrote to memory of 3036	2664	embedded.exe	45
PID 2664 wrote to memory of 3036	2664	embedded.exe	45
PID 2664 wrote to memory of 292	2664	embedded.exe	47
PID 2664 wrote to memory of 292	2664	embedded.exe	47
PID 2664 wrote to memory of 292	2664	embedded.exe	47
PID 292 wrote to memory of 1972	292	cmd.exe	49
PID 292 wrote to memory of 1972	292	cmd.exe	49
PID 292 wrote to memory of 1972	292	cmd.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\GXK5E_fsdjgfsdhnfgsd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\system32\certutil.exe
  certutil -decode "C:\Users\Admin\AppData\Local\Temp\embedded.b64" "C:\Users\Admin\AppData\Local\Temp\embedded.exe"
  2⤵
  - Deobfuscate/Decode Files or Information
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\embedded.exe
  "C:\Users\Admin\AppData\Local\Temp\embedded.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\embedded.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'embedded.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SubDir.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SubDir.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SubDir" /tr "C:\Users\Admin\AppData\Roaming\SubDir.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2740
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "SubDir"
    3⤵
    PID:3036
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp68A2.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:292
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\embedded.b64

Filesize
59KB

MD5
476b3a0d11e655cba521f65a6fb7ccf5

SHA1
ac7f49b99763623d027c1304a49e1e45919d3f4b

SHA256
38d8568e0998d1d0c7e2db397e789e47b2a23ff5aad08997bfa07c467b19653e

SHA512
5d0b9ae14ffaa6adcc5be48abc42cdf02b7f46a90233f4b5993ff986bec7998b51a6ff0132b780e12a907c031a03661a59ee44649d32e79f17b3d8697e64f849

Download Submit
C:\Users\Admin\AppData\Local\Temp\embedded.exe

Filesize
43KB

MD5
f730dc4b0cebd71d388820cfa959cc25

SHA1
4a9513caec0e605309770c20e983d400e0246d51

SHA256
24472004e0e2f6bd1e9205c4d16138bb5bf8e482e91400dcb137db4099e582ea

SHA512
b5bbdc24b8c4a984b069cceaee04beb6441891ba9723ad0af5e2fd93abaa320dda385f67844d6827c186bd9594fe04b93cfa2a9aa1a4ed6ff61969875a273deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp68A2.tmp.bat

Filesize
160B

MD5
dc48e2a458e565a4f799f58a74fa8cce

SHA1
b45cdf0941f719fd378f6f4d799b3bc85155ec27

SHA256
73350c25432c80e7ce6b615bad65a3d651a822d8ede693fbd1eafaaeb3ae9d15

SHA512
59b4b66252fed3f307c3592c4d4f1e45fa595f242007b797b7c9b3926c8d2348349b12000dc43a9e406f13a2c050d725c81cc40e4406817b06bd28b650f4551a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\97VDFB2I7R7X88BVJWV1.temp

Filesize
7KB

MD5
4b875c2419fd58d69b3b280c79e992ef

SHA1
1935712d69ee59f1cbf0d28fcf28bd3a70dcaba1

SHA256
d365153b3eb9d5869ff5ce83023904efc8c019e9da3a84cf5cf402af6b63fbc0

SHA512
69d0f0ff0d11d7585d6e1455437487d9d58572186b0d46485f628832236ca78d6c62de628c86c22bd8fa17a1fb219bb44c543cda9b93412c1b40804c23ccb059

Download Submit
memory/2316-12-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2316-13-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2664-35-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-7-0x0000000001190000-0x00000000011A2000-memory.dmp

Filesize
72KB

Download
memory/2664-36-0x000007FEF4E33000-0x000007FEF4E34000-memory.dmp

Filesize
4KB

Download
memory/2664-37-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-6-0x000007FEF4E33000-0x000007FEF4E34000-memory.dmp

Filesize
4KB

Download
memory/2664-49-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-20-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2992-19-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download