xworm | 622cc6e79e17696dc0c8a621677765cabe8b48ce5d40881bf71b463223e16364

Analysis

max time kernel
150s
max time network
149s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06/03/2025, 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CHEAT NE PIZDI.exe
Size

197KB
MD5

48c8a6d100fb89f92a8080697133d77f
SHA1

19c8b82c1164575b88abea63cbff500fd5ec26b7
SHA256

622cc6e79e17696dc0c8a621677765cabe8b48ce5d40881bf71b463223e16364
SHA512

e440057421e96a2ed3043a828ffe9b0738c1c532d9bb63d214e8809a1e2d779e38e2b0cab3f539acac44216753fe7b47f8109e5ec7578873f6efc7a150630549
SSDEEP

3072:Yd9xkHFE9jnOjE8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLnj:Y6E9XUhcX7elbKTuq9bfF/H9d9n

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

ohsorry-20836.portmap.host:20836

Mutex

WHNildkiUcLMmL9K

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4004-1-0x0000000000980000-0x00000000009B6000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1252571373-3012572919-3982031544-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tajanr.exe"	tajanr.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1252571373-3012572919-3982031544-1000\Control Panel\International\Geo\Nation	CHEAT NE PIZDI.exe

Executes dropped EXE 1 IoCs

pid	Process
6096	tajanr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1252571373-3012572919-3982031544-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tajanr.exe"	tajanr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tajanr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4004	CHEAT NE PIZDI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe
6096	tajanr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 6096	4004	CHEAT NE PIZDI.exe	92
PID 4004 wrote to memory of 6096	4004	CHEAT NE PIZDI.exe	92
PID 4004 wrote to memory of 6096	4004	CHEAT NE PIZDI.exe	92

C:\Users\Admin\AppData\Local\Temp\CHEAT NE PIZDI.exe
"C:\Users\Admin\AppData\Local\Temp\CHEAT NE PIZDI.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\tajanr.exe
  "C:\Users\Admin\AppData\Local\Temp\tajanr.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:6096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tajanr.exe

Filesize
436KB

MD5
a9d32c2ea6c4957e4bfef9fb0dabd8d8

SHA1
5dac99e3da8846602382c57a3fc24ccc4613ea20

SHA256
d167d7de10c0a15976d2877b5ce0bae62f1c9825e07880c58a1a3e01d2126144

SHA512
b88f6707dda39ea2c509e6ae050339c054648fa0dd5d5385b53bb75f7f3a3feacdf69f580796701d7cc45e779456da4205f466352779ab0a0616581c7615b31e

Download Submit
memory/4004-0-0x00007FF969EB3000-0x00007FF969EB5000-memory.dmp

Filesize
8KB

Download
memory/4004-1-0x0000000000980000-0x00000000009B6000-memory.dmp

Filesize
216KB

Download
memory/4004-2-0x00007FF969EB0000-0x00007FF96A972000-memory.dmp

Filesize
10.8MB

Download
memory/4004-3-0x00007FF969EB3000-0x00007FF969EB5000-memory.dmp

Filesize
8KB

Download
memory/4004-4-0x00007FF969EB0000-0x00007FF96A972000-memory.dmp

Filesize
10.8MB

Download
memory/6096-16-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/6096-18-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/6096-17-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/6096-20-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download