xworm | 1446224da9810c06e7336730dab3811c39c8d1d4b200c4e7d568b1440b432f61

Analysis

max time kernel
138s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/03/2025, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VelocitySupportTool1.exe
Size

250KB
MD5

1904b43012a89c4ec5b3c82c7f7e313e
SHA1

3b0eedb1ba0bff205b9d099dd355091229007d04
SHA256

1446224da9810c06e7336730dab3811c39c8d1d4b200c4e7d568b1440b432f61
SHA512

c37e6bba9776516201c28367dcb541ac108a1def13d72eaf311800710c854a794835b7b92075e3b5d61ff3c500e1446004479065e418e3cb0dfb41963123a06e
SSDEEP

3072:0AgVT/y+i3B0ELNv4TW+gLdLY/rxlfP3JIxlR6d0HoG1Bz65/M6If+3Js+3JFkKf:MT/cCTOLoP3JClR6CIG1xBt25

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/k7RJ4RZQ

Extracted

Family

xworm

Version

5.0

Mutex

0PPzuWGEdxzyPz40

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/0AT3JnEx

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120fd-5.dat	family_xworm
behavioral1/memory/2260-9-0x0000000000A60000-0x0000000000A80000-memory.dmp	family_xworm
behavioral1/files/0x00070000000193f7-11.dat	family_xworm
behavioral1/memory/2696-13-0x00000000009A0000-0x00000000009B0000-memory.dmp	family_xworm
behavioral1/memory/1892-48-0x0000000001270000-0x0000000001280000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
408	powershell.exe
1940	powershell.exe
1068	powershell.exe
1340	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	VelocityFix.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	VelocityFix.exe

Executes dropped EXE 5 IoCs

pid	Process
2260	VelocitySupportTools.exe
2696	VelocityFix.exe
1892	svchost.exe
1616	svchost.exe
1524	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	VelocityFix.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
7	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
408	powershell.exe
1940	powershell.exe
1068	powershell.exe
1340	powershell.exe
2696	VelocityFix.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	VelocitySupportTools.exe
Token: SeDebugPrivilege	2696	VelocityFix.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2696	VelocityFix.exe
Token: SeDebugPrivilege	1892	svchost.exe
Token: SeDebugPrivilege	1616	svchost.exe
Token: SeDebugPrivilege	1524	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2696	VelocityFix.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2260	2528	VelocitySupportTool1.exe	29
PID 2528 wrote to memory of 2260	2528	VelocitySupportTool1.exe	29
PID 2528 wrote to memory of 2260	2528	VelocitySupportTool1.exe	29
PID 2528 wrote to memory of 2696	2528	VelocitySupportTool1.exe	30
PID 2528 wrote to memory of 2696	2528	VelocitySupportTool1.exe	30
PID 2528 wrote to memory of 2696	2528	VelocitySupportTool1.exe	30
PID 2696 wrote to memory of 408	2696	VelocityFix.exe	32
PID 2696 wrote to memory of 408	2696	VelocityFix.exe	32
PID 2696 wrote to memory of 408	2696	VelocityFix.exe	32
PID 2696 wrote to memory of 1940	2696	VelocityFix.exe	34
PID 2696 wrote to memory of 1940	2696	VelocityFix.exe	34
PID 2696 wrote to memory of 1940	2696	VelocityFix.exe	34
PID 2696 wrote to memory of 1068	2696	VelocityFix.exe	36
PID 2696 wrote to memory of 1068	2696	VelocityFix.exe	36
PID 2696 wrote to memory of 1068	2696	VelocityFix.exe	36
PID 2696 wrote to memory of 1340	2696	VelocityFix.exe	38
PID 2696 wrote to memory of 1340	2696	VelocityFix.exe	38
PID 2696 wrote to memory of 1340	2696	VelocityFix.exe	38
PID 2696 wrote to memory of 2940	2696	VelocityFix.exe	40
PID 2696 wrote to memory of 2940	2696	VelocityFix.exe	40
PID 2696 wrote to memory of 2940	2696	VelocityFix.exe	40
PID 2072 wrote to memory of 1892	2072	taskeng.exe	43
PID 2072 wrote to memory of 1892	2072	taskeng.exe	43
PID 2072 wrote to memory of 1892	2072	taskeng.exe	43
PID 2072 wrote to memory of 1616	2072	taskeng.exe	44
PID 2072 wrote to memory of 1616	2072	taskeng.exe	44
PID 2072 wrote to memory of 1616	2072	taskeng.exe	44
PID 2072 wrote to memory of 1524	2072	taskeng.exe	45
PID 2072 wrote to memory of 1524	2072	taskeng.exe	45
PID 2072 wrote to memory of 1524	2072	taskeng.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\VelocitySupportTool1.exe
"C:\Users\Admin\AppData\Local\Temp\VelocitySupportTool1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Roaming\VelocitySupportTools.exe
  "C:\Users\Admin\AppData\Roaming\VelocitySupportTools.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Users\Admin\AppData\Roaming\VelocityFix.exe
  "C:\Users\Admin\AppData\Roaming\VelocityFix.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VelocityFix.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VelocityFix.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2940

C:\Windows\system32\taskeng.exe
taskeng.exe {1B6C16DF-8BB6-4BA8-8194-0C1646FB372E} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d7e5fdd2fd549cf77e35bb7492b4c32e

SHA1
1f73fbdfefdcf42b69fd352d42a8bf01a3d76b47

SHA256
7b62a2c3c4f8f2f34300847c26068b45db24869b8d3b34de4abfed511ceb1ec7

SHA512
fba6e602cfdec5f15d22cd928f697266f96a3c2269a08a793127348a4e1172e39b09f48e9bd856efea38c199846f4aff2b4e7adfe4f87d6d5df38e8a3d4e5005

Download Submit
C:\Users\Admin\AppData\Roaming\VelocityFix.exe

Filesize
39KB

MD5
53bfc0f8986b70724e4823f47241f6aa

SHA1
62e79122cea2f27e6f093fa484e5aa7795088ccc

SHA256
9286f18acfd1a8277f23da9a1079b571587c9bd5f28dbcff51845b933595426c

SHA512
5abbfbcc2e5cff491f4d213f4b83047f50e1de77d67631d510c7b540965c5f03a7611a0f1e79479d3a05a1e2f05fee6180b47ececc96c78f2e38ee5fa06430f2

Download Submit
C:\Users\Admin\AppData\Roaming\VelocitySupportTools.exe

Filesize
103KB

MD5
3d47fe184f91ceb1bd0d4c213da5ebfa

SHA1
05ca3411a2b89f0c7884024f48b51e7574862992

SHA256
f0879c8017351b9cebbb546ea14f323ddb777cd97e435bb2de904ac28aa8525f

SHA512
1975ed404e30d674806a8209982cf5c81ec7b057178e5597195ca89d79406ddc1edcd25a3e6098e74ac5ce220e9a9975cb2bcbff4d2de8abfa7952c1902ff256

Download Submit
memory/408-20-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/408-21-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1892-48-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/1940-27-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/1940-28-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2260-14-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-15-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-9-0x0000000000A60000-0x0000000000A80000-memory.dmp

Filesize
128KB

Download
memory/2260-44-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/2528-1-0x0000000000A80000-0x0000000000AC4000-memory.dmp

Filesize
272KB

Download
memory/2696-13-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download