Overview

overview

10

Static

static

3

PcncisxOpEPwd04.exe

windows7-x64

10

PcncisxOpEPwd04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/03/2025, 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PcncisxOpEPwd04.exe

  • Size

    1.8MB

  • MD5

    cc4fa8e0f981df1ae51a97bf99119152

  • SHA1

    ec0eeed8c459332c51564471d3f3888bb31c37ea

  • SHA256

    a17b8909af1d89e96eb19201c06ed6d8a04489b965f1456b8307f5d7a31ed43b

  • SHA512

    70a9eae974ddc108ece7bd30b35a94656033052da9f3d58d5524966f27068720f17210ac57ee848820b9ef1b60e91aa8eda59a570b7d6e68a6ad2479c78f60c9

  • SSDEEP

    49152:+Om3XJnTAo+00ut5gUhIcwxLJPXVN1nZvjxdFntHrpHPJJ5V79DbPJLFZHxnpHNB:+OyBAB00nWg

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:35248

mounsir24-31804.portmap.host:35248

major-europe.gl.at.ply.gg:35248
Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PcncisxOpEPwd04.exe
    "C:\Users\Admin\AppData\Local\Temp\PcncisxOpEPwd04.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Users\Admin\AppData\Local\Temp\PcncisxOpEPwd04.exe
      "C:\Users\Admin\AppData\Local\Temp\PcncisxOpEPwd04.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PcncisxOpEPwd04.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3868
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PcncisxOpEPwd04.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1988
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1280
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4892
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c timeout /t 1 && DEL /f PcncisxOpEPwd04.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PcncisxOpEPwd04.exe.log
    Filesize

    425B

    MD5

    4eaca4566b22b01cd3bc115b9b0b2196

    SHA1

    e743e0792c19f71740416e7b3c061d9f1336bf94

    SHA256

    34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

    SHA512

    bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    e212a36f82afefd14d92e88b6784421a

    SHA1

    0904660c6d023905d798f0dfdd0d6920d4c0080b

    SHA256

    c24d3868de9b08464ddc1fc738ff14ac525120944b5d9823c4b443e0583f7eba

    SHA512

    2c851ca0ec9f35d4812ef78d31eec3987a965081290e2f05dbde1040120860b42e1cccd9ecf1a7e5773e409e85648cb2cd3f7a623364ba87faeffafb80242373

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    e1ecb3f7b048c95c678c0aef9aa8b3ed

    SHA1

    d6b11879ee00acc8b39a3dc4e5cd02c92d68eba5

    SHA256

    32e6013c26864fbc22ebab3fd63807245624f185fc70b9250c9f294df1f54de9

    SHA512

    73b9ab95da601a4ce93c1bfc9c12d1f2180450914386ace90c30895769377559fdcdd0907dd9b9b85a14fe3b1958fe331449bea419805bf051ef0f93db9dcb0e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    cff1c1e3084d1074d95a33fe3e054a15

    SHA1

    2ec2e404f575bd1d762e61fdd2662bb4b7011bfe

    SHA256

    0be39abc50725666f7f43e3e8d84533c1d3fcfe8b18ce5b4b74d62e30927e919

    SHA512

    d89cc00403907ddfb4ae439b54cb690ff286459c2b87aae64aa8a14c2db6b9ca1af46f5092b5bc3e7aad237494e7fcaf31a34aca3c49fa2310f2a99575de2cc4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ywendbnz.t2d.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1280-16078-0x000000006FF80000-0x000000006FFCC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1988-16057-0x000000006FF80000-0x000000006FFCC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1988-16051-0x0000000005650000-0x00000000059A4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3868-16036-0x0000000007080000-0x000000000708A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3868-16021-0x0000000006CA0000-0x0000000006CD2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3868-16039-0x0000000007240000-0x000000000724E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3868-16038-0x0000000007210000-0x0000000007221000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3868-16037-0x0000000007290000-0x0000000007326000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3868-16041-0x0000000007350000-0x000000000736A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3868-16035-0x0000000007010000-0x000000000702A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3868-16034-0x0000000007650000-0x0000000007CCA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3868-16033-0x0000000006EE0000-0x0000000006F83000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3868-16022-0x000000006FF80000-0x000000006FFCC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3868-16032-0x00000000062A0000-0x00000000062BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3868-16040-0x0000000007250000-0x0000000007264000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3868-16020-0x0000000005D20000-0x0000000005D6C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3868-16019-0x0000000005CE0000-0x0000000005CFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3868-16018-0x00000000056C0000-0x0000000005A14000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3868-16042-0x0000000007330000-0x0000000007338000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3868-16008-0x0000000005600000-0x0000000005666000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3868-16007-0x0000000005550000-0x00000000055B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3868-16006-0x0000000004D40000-0x0000000004D62000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3868-16005-0x0000000004DB0000-0x00000000053D8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3868-16004-0x0000000004740000-0x0000000004776000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4260-16000-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4260-16002-0x00000000005A0000-0x00000000005B8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4260-16120-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4260-16119-0x0000000005CC0000-0x0000000005CCA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4260-16118-0x00000000062D0000-0x0000000006362000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4260-16117-0x0000000005D20000-0x00000000062C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4260-16116-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4260-16088-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4260-16003-0x0000000004B10000-0x0000000004BAC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4468-39-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-50-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-0-0x000000007493E000-0x000000007493F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4468-16001-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4468-5794-0x000000007493E000-0x000000007493F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4468-5864-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4468-37-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-19-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-21-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-24-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-25-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-27-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-29-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-31-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-33-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-35-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-13-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-41-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-44-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-45-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-47-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-15-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-66-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-52-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-54-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-56-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-58-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-60-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-62-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-64-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-68-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-49-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4468-17-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-2-0x0000000005040000-0x0000000005118000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4468-3-0x0000000074930000-0x00000000750E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4468-11-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-1-0x00000000003A0000-0x000000000056E000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4468-9-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-4-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-5-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4468-7-0x0000000005040000-0x0000000005113000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4892-16101-0x000000006FF80000-0x000000006FFCC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4892-16099-0x00000000063A0000-0x00000000066F4000-memory.dmp

    Filesize

    3.3MB

    Download