xworm | 462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0

Analysis

max time kernel
96s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe
Size

103KB
MD5

71e0c8f71b15046709d4e250086346a4
SHA1

9536f9bc5e10128074cdd2597e970b29d44c4bcd
SHA256

462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0
SHA512

15cd09125122f6e79bffc9112ee888c4afef515d09a9598da2b23cbc240b043e63f1d3d6538c74fc56cd65eeeb756679f1a4d54dd74e0a026ba80a7999dff2ba
SSDEEP

1536:EfDrLD7tmNEoCfjSbHb7RqWYZvZqF3c9MwsUSEJxY87d17:EHLD7Ewub70Wmy3VwQGxY87r7

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

QIUpnGyi0OFuIMGO

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2932-1350-0x0000000000180000-0x000000000018E000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2216 created 3556	2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	56
PID 1088 created 3556	1088	xpokyn.exe	56

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs	xpokyn.exe

Executes dropped EXE 2 IoCs

pid	Process
1088	xpokyn.exe
3936	xpokyn.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2216 set thread context of 2932	2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	96
PID 1088 set thread context of 3936	1088	xpokyn.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpokyn.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe
2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe
2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe
1088	xpokyn.exe
1088	xpokyn.exe
1088	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe
3936	xpokyn.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe
Token: SeDebugPrivilege	2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe
Token: SeDebugPrivilege	2932	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe
Token: SeDebugPrivilege	1088	xpokyn.exe
Token: SeDebugPrivilege	1088	xpokyn.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2932	2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	96
PID 2216 wrote to memory of 2932	2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	96
PID 2216 wrote to memory of 2932	2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	96
PID 2216 wrote to memory of 2932	2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	96
PID 2216 wrote to memory of 2932	2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	96
PID 2216 wrote to memory of 2932	2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	96
PID 2216 wrote to memory of 2932	2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	96
PID 2216 wrote to memory of 2932	2216	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	96
PID 2932 wrote to memory of 1088	2932	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	106
PID 2932 wrote to memory of 1088	2932	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	106
PID 2932 wrote to memory of 1088	2932	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe	106
PID 1088 wrote to memory of 3936	1088	xpokyn.exe	107
PID 1088 wrote to memory of 3936	1088	xpokyn.exe	107
PID 1088 wrote to memory of 3936	1088	xpokyn.exe	107
PID 1088 wrote to memory of 3936	1088	xpokyn.exe	107
PID 1088 wrote to memory of 3936	1088	xpokyn.exe	107
PID 1088 wrote to memory of 3936	1088	xpokyn.exe	107

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe
  "C:\Users\Admin\AppData\Local\Temp\462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2216
- C:\Users\Admin\AppData\Local\Temp\462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe
  "C:\Users\Admin\AppData\Local\Temp\462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\xpokyn.exe
    "C:\Users\Admin\AppData\Local\Temp\xpokyn.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1088
- C:\Users\Admin\AppData\Local\Temp\xpokyn.exe
  "C:\Users\Admin\AppData\Local\Temp\xpokyn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xpokyn.exe

Filesize
117KB

MD5
cefa89adbcc7a6fde1275537a8e186ae

SHA1
cf1216c8acd4ad38292d151274683380f2af28d0

SHA256
5831b83574596f18f4cc1366390b47631c9e1d44a6b2f2479c5a5a880a8cfed3

SHA512
98486187f547ef87e8742c49a77123947c5583a0e31e205dc4f4f6aece83d988f54e5221482154f298a2f5c61a4078e63c3008ac2232efc8dddb31298356db88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Filesize
80B

MD5
f4fb9e3c46515dc09768801bab14093b

SHA1
ca65dab35b767894b151d8ddbf7cc2cda7d0ab05

SHA256
69d1c0c7d865a56cca713f9e00a60d4a7ebeff8e1f7c491e04d27d2bfd62d91f

SHA512
4642f5764ea2db8d9ad1a43611688533379581576175df59e33160d4f53091d6dc333734833ab23a00d21a50d8a497848df8a9e29e996e8bf9073614ef6b2ef6

Download Submit
\??\c:\users\admin\appdata\roaming\count.exe

Filesize
103KB

MD5
71e0c8f71b15046709d4e250086346a4

SHA1
9536f9bc5e10128074cdd2597e970b29d44c4bcd

SHA256
462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0

SHA512
15cd09125122f6e79bffc9112ee888c4afef515d09a9598da2b23cbc240b043e63f1d3d6538c74fc56cd65eeeb756679f1a4d54dd74e0a026ba80a7999dff2ba

Download Submit
memory/1088-2704-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/1088-2693-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/1088-2692-0x0000000005C50000-0x0000000005CE8000-memory.dmp

Filesize
608KB

Download
memory/1088-2691-0x0000000005B70000-0x0000000005C0C000-memory.dmp

Filesize
624KB

Download
memory/1088-1368-0x0000000005820000-0x0000000005962000-memory.dmp

Filesize
1.3MB

Download
memory/1088-1367-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/1088-1366-0x0000000000750000-0x0000000000774000-memory.dmp

Filesize
144KB

Download
memory/2216-16-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-7-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-68-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-66-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-64-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-58-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-50-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-44-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-42-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-40-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-62-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-60-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-56-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-54-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-46-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-38-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-36-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-35-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-31-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-26-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-24-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-22-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-20-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-18-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-0-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

Filesize
4KB

Download
memory/2216-12-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-10-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-8-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-14-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-70-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-1329-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/2216-1330-0x0000000005A40000-0x0000000005A9C000-memory.dmp

Filesize
368KB

Download
memory/2216-1331-0x0000000005B00000-0x0000000005B58000-memory.dmp

Filesize
352KB

Download
memory/2216-1332-0x0000000005C10000-0x0000000005C5C000-memory.dmp

Filesize
304KB

Download
memory/2216-1333-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

Filesize
4KB

Download
memory/2216-1334-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/2216-1335-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/2216-1336-0x0000000005C60000-0x0000000005CB4000-memory.dmp

Filesize
336KB

Download
memory/2216-1342-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/2216-1344-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/2216-1346-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/2216-1-0x0000000000410000-0x0000000000430000-memory.dmp

Filesize
128KB

Download
memory/2216-1348-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/2216-1347-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/2216-2-0x0000000002710000-0x0000000002716000-memory.dmp

Filesize
24KB

Download
memory/2216-3-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/2216-4-0x0000000005650000-0x0000000005750000-memory.dmp

Filesize
1024KB

Download
memory/2216-5-0x0000000005D00000-0x00000000062A4000-memory.dmp

Filesize
5.6MB

Download
memory/2216-6-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/2216-52-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-48-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-28-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2216-32-0x0000000005650000-0x000000000574A000-memory.dmp

Filesize
1000KB

Download
memory/2932-1354-0x0000000005160000-0x00000000051C6000-memory.dmp

Filesize
408KB

Download
memory/2932-1353-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/2932-1352-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/2932-1350-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2932-1351-0x00000000049D0000-0x0000000004A6C000-memory.dmp

Filesize
624KB

Download
memory/2932-1349-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download