xworm | 75ec0944508969faba292ea85974baa5880f95100280851592615d1befd24513

Analysis

max time kernel
93s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fyz.exe
Size

83KB
MD5

f1f85fdacfd295faf64fb7a23973cd49
SHA1

ebdb5b3687670aa3f64fab82558f62b4190daf4f
SHA256

75ec0944508969faba292ea85974baa5880f95100280851592615d1befd24513
SHA512

3fdf6627a2758a77e6dd2f1164764491af4402a0463edf60dd7c6d436fc0484498226e2408770fbcf44fe72b1b1c0685957ab56a3083729bf5a5a9d1acb2deef
SSDEEP

1536:VgXeoVUIzfmssAhUykfv6QZslxxctjAHmSu0ADfI/e5VihgvsMnkJ:VgXFVUIzfmGULfv6ucx2E0TfoTQkJ

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

172.16.150.134:5001

:5001

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023c2d-6.dat	family_xworm
behavioral2/memory/2500-15-0x0000000000990000-0x00000000009A6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	Fyz.exe

Executes dropped EXE 1 IoCs

pid	Process
2500	Fyz.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1368	msedge.exe
1368	msedge.exe
3364	msedge.exe
3364	msedge.exe
1484	identity_helper.exe
1484	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	Fyz.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 2500	4008	Fyz.exe	84
PID 4008 wrote to memory of 2500	4008	Fyz.exe	84
PID 4008 wrote to memory of 3364	4008	Fyz.exe	85
PID 4008 wrote to memory of 3364	4008	Fyz.exe	85
PID 3364 wrote to memory of 2680	3364	msedge.exe	86
PID 3364 wrote to memory of 2680	3364	msedge.exe	86
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 3216	3364	msedge.exe	87
PID 3364 wrote to memory of 1368	3364	msedge.exe	88
PID 3364 wrote to memory of 1368	3364	msedge.exe	88
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89
PID 3364 wrote to memory of 2160	3364	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\Fyz.exe
"C:\Users\Admin\AppData\Local\Temp\Fyz.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Roaming\Fyz.exe
  "C:\Users\Admin\AppData\Roaming\Fyz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffae42946f8,0x7ffae4294708,0x7ffae4294718
    3⤵
    PID:2680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9948273547776522722,15625024157697900365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:3216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9948273547776522722,15625024157697900365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9948273547776522722,15625024157697900365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
    3⤵
    PID:2160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9948273547776522722,15625024157697900365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:2140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9948273547776522722,15625024157697900365,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:3840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9948273547776522722,15625024157697900365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
    3⤵
    PID:396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9948273547776522722,15625024157697900365,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9948273547776522722,15625024157697900365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 /prefetch:8
    3⤵
    PID:3892
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9948273547776522722,15625024157697900365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9948273547776522722,15625024157697900365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
    3⤵
    PID:4516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9948273547776522722,15625024157697900365,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
    3⤵
    PID:5012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9948273547776522722,15625024157697900365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
    3⤵
    PID:3300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f4a0b24e1ad3a25fc9435eb63195e60

SHA1
052b5a37605d7e0e27d8b47bf162a000850196cd

SHA256
7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb

SHA512
70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c9b7e612ef21ee665c70534d72524b0

SHA1
e76e22880ffa7d643933bf09544ceb23573d5add

SHA256
a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e

SHA512
e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
52764843bddd0a427e2bd440b696bc1b

SHA1
ffc513ed0d3e7e04eb49728314b51e1b5cacad7a

SHA256
74a20f929c7130db02150af25b2bd999f48f9d6eddcfd1a1d5f8b84f56e0bcf1

SHA512
5edec0f0cecdf2b4d7c62998a9276e1e1ca0ba6b8db5424506166847bfeb813e46fe434e62b12a8066c0974f617adcd1c99cb8eb3b4228702a6f79de334ab11b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
69b5226f9f07357786291e8d1703b27a

SHA1
4314c767dde82bd00645bed3f83ffaf85f73495c

SHA256
650ea3dd51464b779d23b5559b19dc01abffe7cebfd241cb8c4b5dff5bc19e74

SHA512
ba306d3484a7dd59878b797f1388612b5eced28611d08dec62822794b35e10fbf4c1552a2337035fe1ce10336b9f2697a1cf04541091eb6dd39d647507e1dcad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd8c30123463a5c627ac333e82723c01

SHA1
d6af55996d8e778b9fd44545936aaef1db47872a

SHA256
a8454c440f1d94b1bc3327ef8a715341b0b56d5335fb220fa706b16a5cdc9393

SHA512
e170cf0205d20fa337f01753cb706394889a2cc9a3b8b9da1fad5fe64ef8ce85755e8a784ceaca7cd1fa735e443086630d11510d00c61c8ee45a3d5090d57402

Download Submit
C:\Users\Admin\AppData\Roaming\Fyz.exe

Filesize
65KB

MD5
27a8edebacfd79bedc942888d9da2598

SHA1
0d7237622f3ee9f46d1c3ac468eef22257c88ca3

SHA256
47cb072c103a1c0bfa3ed27dc29cc984c18abc7336af09ad08ea5b87583dca75

SHA512
52c54c7eac0eb78b0ebdb74c8cc1fdc98f31198b5b51fb2d3d2c22dda79e7904b42cb3354c48a75ae5745a638d95539df7f96b4a8540ebef773761468c8ebcb6

Download Submit
memory/2500-15-0x0000000000990000-0x00000000009A6000-memory.dmp

Filesize
88KB

Download
memory/2500-43-0x00007FFAE42B0000-0x00007FFAE4D71000-memory.dmp

Filesize
10.8MB

Download
memory/2500-16-0x00007FFAE42B0000-0x00007FFAE4D71000-memory.dmp

Filesize
10.8MB

Download
memory/2500-65-0x00007FFAE42B0000-0x00007FFAE4D71000-memory.dmp

Filesize
10.8MB

Download
memory/4008-0-0x00007FFAE42B3000-0x00007FFAE42B5000-memory.dmp

Filesize
8KB

Download
memory/4008-1-0x0000000000160000-0x000000000017C000-memory.dmp

Filesize
112KB

Download