xworm | 8dc951e63096ed828b6ca4dceca2be6b640ed9d22be9cd1cce0f3c9a3a6ac899

Analysis

max time kernel
377s
max time network
377s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 01:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

45274.exe
Size

55KB
MD5

076f9e877b6b14ac5c2b1b6ac29811f1
SHA1

efe0a06e24c13a17d96a07c17de476698518b9fc
SHA256

8dc951e63096ed828b6ca4dceca2be6b640ed9d22be9cd1cce0f3c9a3a6ac899
SHA512

55bb7cf094464ee9de854620eb47615c09019a0ad001cc38a0a9de88e0e8701e31db9824a1fd1659c4f0702e5f9e3aa8c525100663876ae3d0c2a7104c8949da
SSDEEP

768:Uz2AQ7vDyb7YoBBlschSX9CioNIdxbyCdG5g9VrV/WthgOUhZZ5xBy:bLO7uchS8io2xbyCd2uQDgOU1By

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

orders-ic.gl.at.ply.gg:45999

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1336-1-0x0000000001190000-0x00000000011A4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1728	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	45274.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1728	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1748	2268	control.exe	36
PID 2268 wrote to memory of 1748	2268	control.exe	36
PID 2268 wrote to memory of 1748	2268	control.exe	36
PID 2964 wrote to memory of 1728	2964	control.exe	38
PID 2964 wrote to memory of 1728	2964	control.exe	38
PID 2964 wrote to memory of 1728	2964	control.exe	38

C:\Users\Admin\AppData\Local\Temp\45274.exe
"C:\Users\Admin\AppData\Local\Temp\45274.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1888

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" /name Microsoft.Sound /page 2
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\mmsys.cpl ,2
  2⤵
  PID:1748

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1856

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" mmsys.cpl,,sounds
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL mmsys.cpl,,sounds
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1728

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:2212

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:2612

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2500

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\CompleteConvertTo.mpp

Filesize
537KB

MD5
a9eda81bfc5035a8c6906adb72f29ed2

SHA1
d112a831b2afbc9c22eab49023ba060fff82e4a4

SHA256
80aa179e264e2b2f4dde7363eacbec74c783f840659d6e0ffc3b8dc6e032bdba

SHA512
0647dca8b0de704693411f2f544945b53af1d7c881d579b9989abea8f29e7e131c5a76e778a57b5c19b58bfb94db94f349a10dfd039b34d597e16ad012318441

Download Submit
C:\Users\Admin\Desktop\CompressCompare.xps

Filesize
711KB

MD5
b59b537e276564b227b069c39f02f1c1

SHA1
d1da308afafcf60397eb00172ecde314ea2963d7

SHA256
0303c667de76949ad2fa7e365994d1953e0559578cff6d06665930cc58141fba

SHA512
84ecdb9102012630e9214178d066ce338bbb5d096d4069187831aaa86abd5e7f72525c51e0d4fd63732958779f3477de24c4462c6354c416be8e17afae168006

Download Submit
C:\Users\Admin\Desktop\ConnectInvoke.pcx

Filesize
682KB

MD5
4eedcd8b31a27ec8045b9ae00a011248

SHA1
ea4b9c3a5d1ab3cd075b9a63ce58f5b927f51479

SHA256
334388d1df8ac76a0082516946e5a7e94afbed205811001cd92b9464c1b7534e

SHA512
79ade0f18c15ff5dc35b3a07759bce80dda7f7baf3df33e5d30f03ebe2a796199c4e52e4b73f950cf28c5a678083eadce45907aa11a40a5c52137da89f1a4121

Download Submit
C:\Users\Admin\Desktop\ConvertFromWait.dwg

Filesize
885KB

MD5
b6078550556cb3045d87893850869d64

SHA1
58f0294f35c75395fba7f8f26db50538213abf40

SHA256
97cbb7ba768b83b14e51624422720c4cb0f190e18af92437f80af4411eb2d64d

SHA512
0e5db49ce6ddf9d4687fffde14973edb221a57df54717a6a895143ee9bd31d8ecb67fd0bf8658e3ac899a87fcb6f3d4d184f56b076faf167bed09b4330986198

Download Submit
C:\Users\Admin\Desktop\ConvertJoin.dot

Filesize
943KB

MD5
0393de20cfc2d658644c618af4e6d806

SHA1
a0e3e089e819ad30c09fe8c42055e6a9941e329c

SHA256
34d4dd27958520a500efe8f204021537d5183a08225ffcd41a31a805fe86c37d

SHA512
a9a1019a63493354e456c97f6a74836abaebd4967c3dabae90d27848b797f6b36b43b4cc54ed1d11d427dbd5374bb37891359417fd7489d6191e0cce6e282ff5

Download Submit
C:\Users\Admin\Desktop\DebugAdd.xlsb

Filesize
333KB

MD5
ef0c05b98c7da7152c44f012ad72ecf5

SHA1
35cc6d5f9ed84adc04b0baca4eee72205d6e3dbf

SHA256
35c300621c07200fa28def109b74dbde021584cf78ffb3a5b31bf73766f94621

SHA512
84781d371a19e95bedd666680eac2c8ceb61f1fc3e99927df31b5eee1213fe0fa7501dc44e9703bd4444376e8742a02913331bfb981aa88a56f3f50a4c9b7755

Download Submit
C:\Users\Admin\Desktop\DismountUnregister.hta

Filesize
421KB

MD5
8fe795266609345db534bc69bab70f60

SHA1
85aee86fac19a966219c14f4fd944bbac2581808

SHA256
1c8437126bea54c2c4ec9f9052748e24cc5717e74ff132753eff1609b7dc2319

SHA512
338abde01d6ddd66361aca369e1a97bffaf04e1438bbced700ec1e34ec030f75f58da5913c1d621ff9dc286b56f13c00afc256cd1552a6af8e0bdc7654afe9d5

Download Submit
C:\Users\Admin\Desktop\ExitCopy.tiff

Filesize
653KB

MD5
24a75781551d13de8674eaf9a06278bb

SHA1
a5e2273e7c752f21643453b7396ce7d3be85fa2d

SHA256
03bc38c24f62239bb7f596115244ae2d369c224a1003b24c0ef604427d9f385a

SHA512
a4a42d4827e8cb859ac73f9fcb1ddedd519cbe14b1696559dcf415c4f7f9b7d373731a9a8d2da871934b8e560b1b3e853cb02087e9e144e2b362088180d2f9c5

Download Submit
C:\Users\Admin\Desktop\GrantDebug.png

Filesize
769KB

MD5
8d8f107d751de4813af27ef1021de841

SHA1
5075ba1c9fa4aabfdd96dc16654736ce9b2c2856

SHA256
c78c52af8876d7203dbf7353aabe133d82937d8f0856cdba1e5176c8fba1ef74

SHA512
7d20ba5b87b090258a47c193f1ff20004eebe1e470a4ae06824d78da3c47ce0961f8a5116d0f1b2dc5e786bd425c9125a7fdeeb3b4720ed5dbfb4c302a59cd0e

Download Submit
C:\Users\Admin\Desktop\GroupClear.mpa

Filesize
624KB

MD5
b90270ec3f4e589ed981d93b2c450df8

SHA1
522e1e726658ed975304aa9bcaf48b96bb7c52da

SHA256
64a8a3605fd08d12f6fe5abb9e5e1d7d006645eeb9b819dbcfa4d538956e3bab

SHA512
95eceea19d4da88a7c32358e45170286c6bf1c5722263daf26ca01b2807e19a5fe9aafd37e6248789fdc44d41d1bcb740f5deb4a8ad41699142c1766d9b0d098

Download Submit
C:\Users\Admin\Desktop\HideUndo.xlsx

Filesize
11KB

MD5
4a406146ad7b6304cff55f1828ed550f

SHA1
990d5f1a486731b03c9d17644edfc80bada4944f

SHA256
813bf3df5cc8977cdffd89b551391532bb1e279964c471b6fcd537c442e95de6

SHA512
bad1e7a12be85410c3f49c41d815630dec3606b0e450ec97a0b18bd0fac27185f001a84f2620c9cce73e85536a04e47e09a426313ffad6cff4c94b0129e99847

Download Submit
C:\Users\Admin\Desktop\InstallPop.ppsx

Filesize
508KB

MD5
012fae776ec55b55fdad631d4be76373

SHA1
df917b5aaa3c7c16c5f682db0a4c9d2e76087e8f

SHA256
1c4d31ed37dba725b45826bb9d3c997f66a3539b684ee6a0a58f6bfa69e1a9ab

SHA512
5a03e7eb73112d76fa4ce0dc24842f6c50c0aff4c13e5f9b5413a5ff54811344451bfd3e56b623b9f63844a9626dce96c3d4a05b37e7b683394781c35d6fda15

Download Submit
C:\Users\Admin\Desktop\MergePush.fon

Filesize
479KB

MD5
8e061d8f2bb3c4abfcdac561ffd0b7c2

SHA1
45403dbb66a07ab4df607b9d45be0b0b227dffc8

SHA256
460197b4d29ca00a213aa7b91ab2f579831be1adf8359f61c1a5e991dbfae50c

SHA512
b401e974c47117742910324fece97bc9519f03ae82dd6193638da4e726e0d6e6abbb20b19ecfabe11cb0d01434a8fce159855aef99c3ad512aabd03eab2b253f

Download Submit
C:\Users\Admin\Desktop\MountRead.inf

Filesize
798KB

MD5
0e9445349865a24a90cbffe5c7032d51

SHA1
31a79351bfe779d7f431c83fcacc1d2465fb2463

SHA256
b90a2766e067eade2661583cba332d8e2beaaad7276ea70eec7e234c74c12a0a

SHA512
e97fe97955c4955c0812cb17a0993e60ea31e887577328544ee7d02948cf9a7b3e33ae942f10d2fb8bb7fbbef351bb1f7f373b33d652ff423c2f7b2fa1bf0fb9

Download Submit
C:\Users\Admin\Desktop\RepairPing.MTS

Filesize
740KB

MD5
e1bf484ba1e29f1c91d6a7a1252b72b1

SHA1
0ed3ed032f7d2bef261d998ced3ce8c7930c3e22

SHA256
88a6f7ddd3633c3c88fc6f6db07c4b387cc0ba35d4bf011722f1a1771653e4f6

SHA512
5c1a5730bb1c5eab31638008f07641c044883cc4ab26c132c0596233094bbb4030987a5f3a48b3822f49f658a25f6ea8ef294d79bdccc9b0d1e98ac8b5efb369

Download Submit
C:\Users\Admin\Desktop\ResolveDisconnect.xlsx

Filesize
11KB

MD5
e6d73ad2a200813df39a7e24b503e336

SHA1
f882222745c5c234a63faed69bf72b476f0a39f0

SHA256
08a44a1c6232fd8b790915b07c37db4d21c1d8069eba3d45729bb62d52683ffa

SHA512
15c005c3158cede0bacdbe27d0df4a2b9d635f99cd1fec50a078504e1cf0041adcc4c39b190350fccb6ef4da3bbd6b9148e6165d24b81eb69bfdcfd1c229bbed

Download Submit
C:\Users\Admin\Desktop\RestoreSync.scf

Filesize
914KB

MD5
787f1cd8edb2e7e7a8b9eadc5709d4f8

SHA1
7c17595dfe1e06d1c58b8122f51b583533cd141e

SHA256
634a36ee0193bce2e49a439ad79cbb9f830eaa3cb44a3622858f53e0e661c901

SHA512
f032f677ba0b9746e754565b78322a7d9e64bb799f56f3cdd7d4eaa646c3dfc94f13f0bbae3bccb5db0c2fbe75c90a5d0d9f73ff588a6150df71350f4b9a4201

Download Submit
C:\Users\Admin\Desktop\SearchBackup.js

Filesize
595KB

MD5
840628b6e9ebf69ee379053453a20135

SHA1
d01bab72dc4f9ed913e6408e6e41f2277075dc90

SHA256
ae3b0d850b9f08ba3a95bddb4655d0804fc3175f8de6ba5d0a205ab8fa16a3fe

SHA512
b12eb8312e3e8ec34e7afea54474cd224f23dcd17ebd7129399cff715c93044969ed6e7e2c42d18557b114107d3e1d73d4221eac99299a8030f1f8cb1f150802

Download Submit
C:\Users\Admin\Desktop\SendComplete.TS

Filesize
450KB

MD5
462e3f4664867e695ca167472e66b851

SHA1
1e8cc359c1f3cd300b07f4e48dd286c37c6f2e45

SHA256
9a24b5907a5098d25beb5b3aa0f271ce48e5e3c8f8bf6b1eee32560aeac050a7

SHA512
068997ce0403309be6607602d93a284b77f117928df7acb23713765418c6e540be48c8d16242d32678af504b648ae8ee953f4f8cae2df6a4941e7a868ec3f94e

Download Submit
C:\Users\Admin\Desktop\ShowFind.bmp

Filesize
856KB

MD5
3849c0820881f28a14e1cc3cd8447721

SHA1
df0bca3ed383b96db3a27136713d7513a13b87c5

SHA256
230eac274fc7aaa3d08f7b878f0ae8c4f25d3cb07a32095ff9ccf455bdc118e3

SHA512
0888daf29561522ea0631e90e02efbd9183e9d436c11e408a6f51d5db4457993340a2d2189ebab96e03c32eb95a230fbf69a6dd38daa728b70b11d3ca6868b40

Download Submit
C:\Users\Admin\Desktop\ShowPush.docx

Filesize
18KB

MD5
84a3b57393eeecaaf6f360027c28dca8

SHA1
70d311a2636d5a13b06f61afdeaec6a220f74983

SHA256
b685ff4416fd02532a0d185da2ee4e31462aa0bbed94dfacf599e388c4b9580b

SHA512
d1bd73b19d084d61fb1846e5d68600d7254997a6603311736be51974f051d2438884b247c1621b827eaf642954518293a413ce43546da5bba9f0924bc9b2d525

Download Submit
C:\Users\Admin\Desktop\ShowSet.reg

Filesize
827KB

MD5
4af3947e6a582139ea0c66a7bafde676

SHA1
1833e0d32c7830e218bf849eb240e76a7ea40c4b

SHA256
fdf00f267dcefacd856ef2dcd4cef519e22a22bc8af1b8f5275dce20b256dc8f

SHA512
6c450afa21c81ab729318b1bc3424c73f8ecea9e01ece1b875d1b109b3002739a8174cbebda1e26616d4ba77056997ea6860f8b3025014a4772669f4f13438a5

Download Submit
C:\Users\Admin\Desktop\SplitDeny.ico

Filesize
566KB

MD5
4746bddbff8b5f3f492e492b796d2b66

SHA1
742742155057e4194d35d54d5b0e42fcd6a9cb65

SHA256
f7561cb8e2b80d465e74f7cf7af351e6a36d9d1144f01c8220ee2a6b3d453238

SHA512
3cd8345ce85990afd0357981705e9f3a6d1e5fdac853f7de0529b713cdff57d72fc34c7f8e52e16ecdb50a44cd6ee431535acf4af64a77b39f5d63d3561f1c61

Download Submit
C:\Users\Admin\Desktop\StartInstall.pps

Filesize
362KB

MD5
441aa15585504aff154696b83174e520

SHA1
30c0808e723ee717f79ebeed218dd60b2e36e6b1

SHA256
8b6d065734b4c29aa233fe7dd242fb3fa3b6abd123a5aa468a19fd56465f0381

SHA512
19cd129264110696b691a4275534c7df333d8bf898e52201d4eb658ced968a614bb7a97711b9f18c7c72d8bd318604e7fa0531607e53011ab2bd911d04adccca

Download Submit
C:\Users\Admin\Desktop\SuspendClear.vdw

Filesize
1.3MB

MD5
707611e6e6c1d3c33837826c29cc7613

SHA1
d73b3caed1a8d1cb697b9550e18d05b1d5a82eac

SHA256
6bc2dda9c3ad32c1afa1df48d9af678ab1277ed2140e57d3b428b560d25ed01f

SHA512
f96b8ee9bcfa5119fcdea88e3554d097a3c5a151224ca8632a46db85f1fb96c6d00c3cd087d29b71b18db3b83d1c108be31bd0be2e19bae891ee34ac21b64345

Download Submit
C:\Users\Admin\Desktop\WriteCompress.png

Filesize
391KB

MD5
f9ec7b6c189a76f41475cc58fc965902

SHA1
c4d42706cead040d0b113135653d796adea7e8e3

SHA256
34d4b1c22ba8493aa4fe5c3296234b699f06a983f87faa8ba74361b9bfbe21a7

SHA512
398d61eb76308935b83e700ac383464fe10e13f01fb6e63fdf174f1e0e39c27841ba6134be8f6d63c91baeac8151d9fc464fe0a8f76bc291952ab36d0fa33de0

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk

Filesize
1KB

MD5
c31f0e2e10597b1a44ade8180d354800

SHA1
3a668ecea652c74f9c29bc457c27bd44936d7876

SHA256
b3c0edf7f75dba249e3af635066f399d433000b04f7e29f9ef8c28f08ce5b85a

SHA512
eb76e05311653f5eaec53e4c7af06e8f04c0a9e2b5fc078f74398d4f5b71fe7fa2f1add64aecaf3f838ed6bd4888acf7a7901eedf904834a5234388dcb001fd1

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
931B

MD5
52bd6ecfeea83ac390f85496b4dc8312

SHA1
d69b8535575d9a211177c04ce7f5b75f4e4c8372

SHA256
6db265c8b83c44d6d97510ef6beb1cdd5b79d4b35a06ac4d8a5ae8a2cc155362

SHA512
cf10a4a2f5c83aa11c2f4ebb7da4bc8e4bba2ca63ab35336bdf744f0b0ac84e65a524bd329b18723fcb1485e25901bc58e1c40adbcda55246355af597b03e4c3

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
7c8fe4a2c5753c2fe81d22db31ccd9ee

SHA1
cacb1f79f0900eabd1ae61cce4305f8526f4f95f

SHA256
157061719919df1fe406bdaf279ce9904ace7e788af552930e38011722360718

SHA512
265738028ed14047745242e5cf39410e0fb2f960ffc83536ba06b73813f1d635f7cfcdf591325f649a1e3fd023cc447b76c45757677024a10000c8269c89013e

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
878B

MD5
4ff4da973eed5efc69796d55cd835594

SHA1
287d866b670019ce5e1cab26046c2ef7ca75e2bc

SHA256
e8f8a49ad7761856f7b72f43ab23418858008ad219c823b020414853f32aa320

SHA512
3e9acccdd1997ec6489418fe6a6300481f4a1c82c5f02361769689da1ba16cb00e14eed65f82825b376861f3754e34cf347e11fca1c600a2b4f31dbd66b0b3f7

Download Submit
memory/1336-0-0x000007FEF5403000-0x000007FEF5404000-memory.dmp

Filesize
4KB

Download
memory/1336-5-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1336-4-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/1336-3-0x000007FEF5403000-0x000007FEF5404000-memory.dmp

Filesize
4KB

Download
memory/1336-2-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1336-1-0x0000000001190000-0x00000000011A4000-memory.dmp

Filesize
80KB

Download
memory/1336-36-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download