Overview

overview

10

Static

static

3

SystemSettings.exe

windows7-x64

10

SystemSettings.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2025, 15:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SystemSettings.exe

  • Size

    332KB

  • MD5

    701a94f53d54d38a11f4e60bc4f95b18

  • SHA1

    7413f5e4fc73eaf07d9d6cd67fc88fd40b70d9d0

  • SHA256

    9233d5872258aa674b015b57a4f37ca43a22524a682382cd88969cef135dacdb

  • SHA512

    4d63f155adbc5271fc82a263c4df29566ffbabb512ad2a7c73736969b29760bc0ae86e58f396907b8afa8791e8a8b042c895f94126a00da8c0b050e7ef343440

  • SSDEEP

    6144:6qXq7egSKNNO3BLZsgd8+f0Pn95maRWFjt:6qapSKNNOpZsgdQbmamjt

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

uoqo0jDHykn623lG

Attributes
  • Install_directory

    %Public%

  • install_file

    SystemSettings.exe

  • pastebin_url

    https://pastebin.com/raw/4zaiEtZS

  • telegram

    https://api.telegram.org/bot8175192176:AAHZuZ0-rHS66YSwsvh8-gQjbZYSbY3IyXo/sendMessage?chat_id=7537927256

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 42 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\SystemSettings.exe
    "C:\Users\Admin\AppData\Local\Temp\SystemSettings.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SystemSettings.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1460
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSettings.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:728
  • C:\Windows\System32\SystemSettings.exe
    C:\Windows\System32\SystemSettings.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SystemSettings.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSettings.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\SystemSettings.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSettings.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemSettings" /tr "C:\Users\Public\SystemSettings.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4996
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SystemSettings.exe.log
    Filesize

    1KB

    MD5

    889003c57a6b1561bc8562a18553c377

    SHA1

    b4436b28e7e4ff1d97ab8f718be9e6e6d88c2302

    SHA256

    034c25639af57aab1574a654b6a247c07522968c16ab7f01452bbe679b4bebb8

    SHA512

    bbe40edc739d33af62a7016d2a9fdcf68ed604eae0c617958e561db601625b923b8d931d997fefddc117a1de6b7a2235843713f8d5aac74e8e2dcb8b5fc4d17b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d28a889fd956d5cb3accfbaf1143eb6f

    SHA1

    157ba54b365341f8ff06707d996b3635da8446f7

    SHA256

    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

    SHA512

    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    eb1ad317bd25b55b2bbdce8a28a74a94

    SHA1

    98a3978be4d10d62e7411946474579ee5bdc5ea6

    SHA256

    9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

    SHA512

    d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    3f038ac2e2ceadad0f78317ea7de6881

    SHA1

    f2ee66d1ab22d5594426a26e9d2628ce29b037a7

    SHA256

    475591875182108710538a2ea21a89e0ffa1df43f776689288e0fa96da46efb7

    SHA512

    f751f1f06b79550af211a9bf39d59712bb60f4e2c79a24d850970b1d40e871c2e53ce84ed4f5d974dad53cdbfb95d38a8eff9f871f22ae2d3e772deb731715f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    a2c8179aaa149c0b9791b73ce44c04d1

    SHA1

    703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

    SHA256

    c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

    SHA512

    2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    22310ad6749d8cc38284aa616efcd100

    SHA1

    440ef4a0a53bfa7c83fe84326a1dff4326dcb515

    SHA256

    55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

    SHA512

    2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jw2lzded.ygy.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\System32\SystemSettings.exe
    Filesize

    332KB

    MD5

    701a94f53d54d38a11f4e60bc4f95b18

    SHA1

    7413f5e4fc73eaf07d9d6cd67fc88fd40b70d9d0

    SHA256

    9233d5872258aa674b015b57a4f37ca43a22524a682382cd88969cef135dacdb

    SHA512

    4d63f155adbc5271fc82a263c4df29566ffbabb512ad2a7c73736969b29760bc0ae86e58f396907b8afa8791e8a8b042c895f94126a00da8c0b050e7ef343440

    Download Submit

  • memory/1460-17-0x00007FFC36E60000-0x00007FFC37921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1460-18-0x00007FFC36E60000-0x00007FFC37921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1460-2-0x000001D977740000-0x000001D977762000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1460-12-0x00007FFC36E60000-0x00007FFC37921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1460-13-0x00007FFC36E60000-0x00007FFC37921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1460-14-0x00007FFC36E60000-0x00007FFC37921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2676-46-0x000001F87F840000-0x000001F87F841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2676-49-0x000001F87F840000-0x000001F87F841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2676-41-0x000001F87F840000-0x000001F87F841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2676-42-0x000001F87F840000-0x000001F87F841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2676-52-0x000001F87F840000-0x000001F87F841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2676-51-0x000001F87F840000-0x000001F87F841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2676-50-0x000001F87F840000-0x000001F87F841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2676-40-0x000001F87F840000-0x000001F87F841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2676-48-0x000001F87F840000-0x000001F87F841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2676-47-0x000001F87F840000-0x000001F87F841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2920-39-0x0000000002E00000-0x0000000002E1E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3492-0-0x00007FFC36E63000-0x00007FFC36E65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3492-35-0x00007FFC36E60000-0x00007FFC37921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3492-33-0x00007FFC36E60000-0x00007FFC37921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3492-1-0x0000000000890000-0x00000000008EA000-memory.dmp

    Filesize

    360KB

    Download