xworm | 2d749ee267f200f0d8baf0486fc5079d0f502d2e9c2978e58781fa88bed5fdac

Analysis

max time kernel
94s
max time network
290s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2663738939987542452672728827262.exe
Size

108KB
MD5

38dadd03bc276632796f2d3a637c8a07
SHA1

d057d734977b77ac1879d0a4ae9c82eb86c706ff
SHA256

f5f2f8272a0c271071fcbcb6a8c50503ff8fc6d1f26ac717ddf8563ad3ffb57f
SHA512

a71805792b49b363d8e3e5bfe930c2cdf502ad8f2dbf25e8054ba4b21b21324db41d39fb4fb3585a0aa4337693bd679881d6181046c29ab7de4652cc33b0283b
SSDEEP

3072:4Zq6LHp8plAKG/el4ZneM+3M+pRW6Ql8/e:yPHgyKGhZeM+3M+y8

Score

10^/10

xworm discovery rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1620-1348-0x0000000000520000-0x0000000000548000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3952 created 3364	3952	2663738939987542452672728827262.exe	56

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3952 set thread context of 1620	3952	2663738939987542452672728827262.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2663738939987542452672728827262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3952	2663738939987542452672728827262.exe
3952	2663738939987542452672728827262.exe
3952	2663738939987542452672728827262.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3952	2663738939987542452672728827262.exe
Token: SeDebugPrivilege	3952	2663738939987542452672728827262.exe
Token: SeDebugPrivilege	1620	RegAsm.exe
Token: SeManageVolumePrivilege	1620	RegAsm.exe
Token: SeManageVolumePrivilege	1620	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 1620	3952	2663738939987542452672728827262.exe	96
PID 3952 wrote to memory of 1620	3952	2663738939987542452672728827262.exe	96
PID 3952 wrote to memory of 1620	3952	2663738939987542452672728827262.exe	96
PID 3952 wrote to memory of 1620	3952	2663738939987542452672728827262.exe	96
PID 3952 wrote to memory of 1620	3952	2663738939987542452672728827262.exe	96
PID 3952 wrote to memory of 1620	3952	2663738939987542452672728827262.exe	96
PID 3952 wrote to memory of 1620	3952	2663738939987542452672728827262.exe	96
PID 3952 wrote to memory of 1620	3952	2663738939987542452672728827262.exe	96

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3364
- C:\Users\Admin\AppData\Local\Temp\2663738939987542452672728827262.exe
  "C:\Users\Admin\AppData\Local\Temp\2663738939987542452672728827262.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bnvaik.img

Filesize
158KB

MD5
f2d2c28de02ecc862144b443e067f201

SHA1
ee6ece89afa001e28f5631c287e5943dc9fedbac

SHA256
52044ddee542da9320cacfcfea095ed643fc6f305d02e5a97473a9e3746336a6

SHA512
b8efe74a1b056f01a257fdec9c284c3e09ae494175dc8ffb4c724a106b76c39541e394d73768eca4e20d90f4657e298a549cc64595c90e7cab4e7bbd85c03aea

Download Submit
memory/1620-1348-0x0000000000520000-0x0000000000548000-memory.dmp

Filesize
160KB

Download
memory/1620-1347-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/1620-1349-0x0000000004AB0000-0x0000000004B4C000-memory.dmp

Filesize
624KB

Download
memory/1620-1350-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/1620-1351-0x0000000005140000-0x00000000051A6000-memory.dmp

Filesize
408KB

Download
memory/1620-1358-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/1620-1353-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-28-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-16-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-5-0x00000000064F0000-0x0000000006A94000-memory.dmp

Filesize
5.6MB

Download
memory/3952-6-0x0000000006040000-0x00000000060D2000-memory.dmp

Filesize
584KB

Download
memory/3952-18-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-70-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-68-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-66-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-64-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-62-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-60-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-56-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-54-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-50-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-48-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-46-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-44-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-40-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-38-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-36-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-32-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-30-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-3-0x0000000005290000-0x0000000005296000-memory.dmp

Filesize
24KB

Download
memory/3952-26-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-24-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-22-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-20-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-4-0x0000000005DF0000-0x0000000005EFE000-memory.dmp

Filesize
1.1MB

Download
memory/3952-58-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-14-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-52-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-12-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-42-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-10-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-34-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-8-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-7-0x0000000005DF0000-0x0000000005EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3952-1329-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-1330-0x0000000006240000-0x00000000062A8000-memory.dmp

Filesize
416KB

Download
memory/3952-1331-0x00000000062B0000-0x0000000006316000-memory.dmp

Filesize
408KB

Download
memory/3952-1332-0x0000000006AA0000-0x0000000006AEC000-memory.dmp

Filesize
304KB

Download
memory/3952-1333-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/3952-1334-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-1335-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-1336-0x0000000006BA0000-0x0000000006BF4000-memory.dmp

Filesize
336KB

Download
memory/3952-2-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-1-0x0000000000970000-0x0000000000990000-memory.dmp

Filesize
128KB

Download
memory/3952-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/3952-1339-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-1341-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-1344-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-1343-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-1346-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download