xworm | 3e29a57bde610ff61c422796b89fc4332f265cc50e966593fc2b00bb23a13a21

Analysis

max time kernel
899s
max time network
898s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SystemSettings.exe
Size

332KB
MD5

701a94f53d54d38a11f4e60bc4f95b18
SHA1

7413f5e4fc73eaf07d9d6cd67fc88fd40b70d9d0
SHA256

9233d5872258aa674b015b57a4f37ca43a22524a682382cd88969cef135dacdb
SHA512

4d63f155adbc5271fc82a263c4df29566ffbabb512ad2a7c73736969b29760bc0ae86e58f396907b8afa8791e8a8b042c895f94126a00da8c0b050e7ef343440
SSDEEP

6144:6qXq7egSKNNO3BLZsgd8+f0Pn95maRWFjt:6qapSKNNOpZsgdQbmamjt

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

uoqo0jDHykn623lG

Attributes

Install_directory
%Public%
install_file
SystemSettings.exe
pastebin_url
https://pastebin.com/raw/4zaiEtZS
telegram
https://api.telegram.org/bot8175192176:AAHZuZ0-rHS66YSwsvh8-gQjbZYSbY3IyXo/sendMessage?chat_id=7537927256

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2728-23-0x0000000000370000-0x000000000038E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1536	powershell.exe
1184	powershell.exe
1700	powershell.exe
2356	powershell.exe
2220	powershell.exe
2672	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	SystemSettings.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
28	pastebin.com
34	pastebin.com
92	pastebin.com
248	pastebin.com
17	pastebin.com
102	pastebin.com
250	pastebin.com
31	pastebin.com
43	pastebin.com
129	pastebin.com
144	pastebin.com
193	pastebin.com
231	pastebin.com
239	pastebin.com
24	pastebin.com
135	pastebin.com
152	pastebin.com
178	pastebin.com
125	pastebin.com
54	pastebin.com
89	pastebin.com
195	pastebin.com
267	pastebin.com
15	pastebin.com
30	pastebin.com
112	pastebin.com
32	pastebin.com
90	pastebin.com
117	pastebin.com
151	pastebin.com
154	pastebin.com
22	pastebin.com
37	pastebin.com
57	pastebin.com
84	pastebin.com
253	pastebin.com
148	pastebin.com
7	pastebin.com
13	pastebin.com
82	pastebin.com
177	pastebin.com
188	pastebin.com
191	pastebin.com
217	pastebin.com
264	pastebin.com
93	pastebin.com
142	pastebin.com
185	pastebin.com
222	pastebin.com
27	pastebin.com
180	pastebin.com
8	pastebin.com
51	pastebin.com
143	pastebin.com
166	pastebin.com
192	pastebin.com
197	pastebin.com
234	pastebin.com
240	pastebin.com
60	pastebin.com
150	pastebin.com
207	pastebin.com
266	pastebin.com
35	pastebin.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\SystemSettings.exe	SystemSettings.exe
File opened for modification	C:\Windows\System32\SystemSettings.exe	SystemSettings.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1140	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2356	powershell.exe
2220	powershell.exe
2672	powershell.exe
1536	powershell.exe
1184	powershell.exe
1700	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	SystemSettings.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2728	SystemSettings.exe
Token: SeDebugPrivilege	2728	SystemSettings.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2356	2012	SystemSettings.exe	30
PID 2012 wrote to memory of 2356	2012	SystemSettings.exe	30
PID 2012 wrote to memory of 2356	2012	SystemSettings.exe	30
PID 2012 wrote to memory of 2220	2012	SystemSettings.exe	32
PID 2012 wrote to memory of 2220	2012	SystemSettings.exe	32
PID 2012 wrote to memory of 2220	2012	SystemSettings.exe	32
PID 2744 wrote to memory of 2728	2744	taskeng.exe	35
PID 2744 wrote to memory of 2728	2744	taskeng.exe	35
PID 2744 wrote to memory of 2728	2744	taskeng.exe	35
PID 2728 wrote to memory of 2672	2728	SystemSettings.exe	37
PID 2728 wrote to memory of 2672	2728	SystemSettings.exe	37
PID 2728 wrote to memory of 2672	2728	SystemSettings.exe	37
PID 2728 wrote to memory of 1536	2728	SystemSettings.exe	39
PID 2728 wrote to memory of 1536	2728	SystemSettings.exe	39
PID 2728 wrote to memory of 1536	2728	SystemSettings.exe	39
PID 2728 wrote to memory of 1184	2728	SystemSettings.exe	41
PID 2728 wrote to memory of 1184	2728	SystemSettings.exe	41
PID 2728 wrote to memory of 1184	2728	SystemSettings.exe	41
PID 2728 wrote to memory of 1700	2728	SystemSettings.exe	43
PID 2728 wrote to memory of 1700	2728	SystemSettings.exe	43
PID 2728 wrote to memory of 1700	2728	SystemSettings.exe	43
PID 2728 wrote to memory of 1140	2728	SystemSettings.exe	45
PID 2728 wrote to memory of 1140	2728	SystemSettings.exe	45
PID 2728 wrote to memory of 1140	2728	SystemSettings.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SystemSettings.exe
"C:\Users\Admin\AppData\Local\Temp\SystemSettings.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SystemSettings.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSettings.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220

C:\Windows\system32\taskeng.exe
taskeng.exe {4DB6A4D7-29B0-4F24-901C-66EB6AF31678} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\System32\SystemSettings.exe
  C:\Windows\System32\SystemSettings.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SystemSettings.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSettings.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\SystemSettings.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSettings.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemSettings" /tr "C:\Users\Public\SystemSettings.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6e4c30030b5d33992e991fb7fd5b1d70

SHA1
c42bbd8bd2ea14c8c59753415070562ddedd4d6a

SHA256
8fbad943a92cbaf6e46a5a23e84a4ae6e58f39de6dac8cea4afa7e40b63da54c

SHA512
f36c13037aa90d75c94b9c789e853bb5bc51a457b3b9e2f2c11dac953fcf4a0da3dd73f7be503b552bf1882b9367f88b2d89b329906e32dcac7ad5436c82bbd6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fda639c24502c2070577996de6336dd5

SHA1
c60fbe17115ee7bd912c879eb75b96d988300660

SHA256
656d49bbc00b5cb67d92fca91383b8d70d88c3a9795202f406b661d331b67a67

SHA512
73d1003e101369d1605b335afa13b2faacf18296539730f372571217704c0411b3017f8a40a85ff2f217dc11ebb1cd491be0ea89d8bd35fde549244393c15a25

Download Submit
C:\Windows\System32\SystemSettings.exe

Filesize
332KB

MD5
701a94f53d54d38a11f4e60bc4f95b18

SHA1
7413f5e4fc73eaf07d9d6cd67fc88fd40b70d9d0

SHA256
9233d5872258aa674b015b57a4f37ca43a22524a682382cd88969cef135dacdb

SHA512
4d63f155adbc5271fc82a263c4df29566ffbabb512ad2a7c73736969b29760bc0ae86e58f396907b8afa8791e8a8b042c895f94126a00da8c0b050e7ef343440

Download Submit
memory/2012-18-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/2012-1-0x0000000001230000-0x000000000128A000-memory.dmp

Filesize
360KB

Download
memory/2012-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/2220-14-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2220-15-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2356-8-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2356-7-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2356-6-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2728-22-0x0000000000A00000-0x0000000000A5A000-memory.dmp

Filesize
360KB

Download
memory/2728-23-0x0000000000370000-0x000000000038E000-memory.dmp

Filesize
120KB

Download