Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
08/03/2025, 11:05
General
-
Target
PcncisxOpEPwd04.exe
-
Size
1.8MB
-
MD5
cc4fa8e0f981df1ae51a97bf99119152
-
SHA1
ec0eeed8c459332c51564471d3f3888bb31c37ea
-
SHA256
a17b8909af1d89e96eb19201c06ed6d8a04489b965f1456b8307f5d7a31ed43b
-
SHA512
70a9eae974ddc108ece7bd30b35a94656033052da9f3d58d5524966f27068720f17210ac57ee848820b9ef1b60e91aa8eda59a570b7d6e68a6ad2479c78f60c9
-
SSDEEP
49152:+Om3XJnTAo+00ut5gUhIcwxLJPXVN1nZvjxdFntHrpHPJJ5V79DbPJLFZHxnpHNB:+OyBAB00nWg
Malware Config
Extracted
xworm
127.0.0.1:35248
mounsir24-31804.portmap.host:35248
major-europe.gl.at.ply.gg:35248
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PcncisxOpEPwd04.exe"C:\Users\Admin\AppData\Local\Temp\PcncisxOpEPwd04.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PcncisxOpEPwd04.exe"C:\Users\Admin\AppData\Local\Temp\PcncisxOpEPwd04.exe"2⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PcncisxOpEPwd04.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PcncisxOpEPwd04.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c timeout /t 1 && DEL /f PcncisxOpEPwd04.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD5efe096717de53d020dacb4ebf77225a0
SHA1e387a1f3c0dddc8be26f36c22a76622b6f56d6af
SHA2564ec07fd1dbbe7020942961cc94edc4c0ea12d80291cd8670c332edbe820d4b58
SHA51257834c849a11ec5c4b88a2b04fc36bdd44011e995becf201b56d92339fe05e6ffcbb34cf4bb7bca3c8aa7aabb32296bf6769f18cbe6c9f19e198e66090013c62
-
Filesize
18KB
MD56e5021b4083d3f5d39e176e8d72a2d3f
SHA100bebf555d9070a37ee3aa330dc3e61653aeead3
SHA2561f3553bca1c6331fa4346fcf3032ecab079eb25c9d2ff3d163b72f483de567cf
SHA5125093f43fe24a10eeeedd7a83e21c469bc36722ac83ddbfdab4faf3416d782b88c7deaa3c497211af41496113e312b53493b42145b3cec973b443c37784377c9f
-
Filesize
18KB
MD5e320065aed85d271ec674af28ae63937
SHA17ef66a423505c46a25e94e10c78eed4f13ed181a
SHA25689927f3406023c2f85df147eb3f1af6bdc11b747af81e62a0941e981e70fa300
SHA5124da5dd508022f4b03b8ae44d98876630566d653c7b29a57038b1af6e23efa16a766235c052265c1090130af9d3b288860462dbae1d09876522a7061cd47e9f06
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
844KB
-
Filesize
7.7MB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
1.8MB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
7.7MB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
844KB
-
Filesize
864KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
80KB
-
Filesize
652KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
6.2MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
96KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
304KB