xworm | b6b4f3d76be11cba85b433e54f37181dc669422de50b3f9db049196d96e241c2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2025, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

q2e132qweertgd.exe
Size

54KB
MD5

ce936711c2d764e67a57275d6d7b309c
SHA1

df21d4952edb1d1e14153080fbe23a367e07660e
SHA256

b6b4f3d76be11cba85b433e54f37181dc669422de50b3f9db049196d96e241c2
SHA512

0f8c4e69b175df6cc9783d77741d0ceb5d578d8e738bebebcb9cad283ac933a49a90a6d4d61cd31c25193a1b4bf7d3ead83782ab8e2b30220bbeecaa8e5405d9
SSDEEP

1536:7tp3RNRjAp+2hw1iKvkb9FAB/VOm4y3kn:7tp3RsGNvkb9UNOm43n

Score

10^/10

xworm discovery ransomware rat trojan

Malware Config

Extracted

Family

xworm

Attributes

pastebin_url
https://pastebin.com/raw/64jXYT6E

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/968-1-0x0000000000CE0000-0x0000000000CF4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	pastebin.com
31	pastebin.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	q2e132qweertgd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2228	msedge.exe
2228	msedge.exe
4476	msedge.exe
4476	msedge.exe
1692	identity_helper.exe
1692	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	q2e132qweertgd.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 4476	968	q2e132qweertgd.exe	119
PID 968 wrote to memory of 4476	968	q2e132qweertgd.exe	119
PID 4476 wrote to memory of 1040	4476	msedge.exe	120
PID 4476 wrote to memory of 1040	4476	msedge.exe	120
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 1804	4476	msedge.exe	121
PID 4476 wrote to memory of 2228	4476	msedge.exe	122
PID 4476 wrote to memory of 2228	4476	msedge.exe	122
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123
PID 4476 wrote to memory of 1676	4476	msedge.exe	123

C:\Users\Admin\AppData\Local\Temp\q2e132qweertgd.exe
"C:\Users\Admin\AppData\Local\Temp\q2e132qweertgd.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d79346f8,0x7ff8d7934708,0x7ff8d7934718
    3⤵
    PID:1040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,16359699379431508533,8249300880190762176,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:1804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,16359699379431508533,8249300880190762176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,16359699379431508533,8249300880190762176,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
    3⤵
    PID:1676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16359699379431508533,8249300880190762176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:1500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16359699379431508533,8249300880190762176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    3⤵
    PID:2212
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,16359699379431508533,8249300880190762176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
    3⤵
    PID:1368
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,16359699379431508533,8249300880190762176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16359699379431508533,8249300880190762176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
    3⤵
    PID:3540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16359699379431508533,8249300880190762176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
    3⤵
    PID:4756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16359699379431508533,8249300880190762176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
    3⤵
    PID:1060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16359699379431508533,8249300880190762176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
    3⤵
    PID:2988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a4852fc46a00b2fbd09817fcd179715d

SHA1
b5233a493ea793f7e810e578fe415a96e8298a3c

SHA256
6cbb88dea372a5b15d661e78a983b0c46f7ae4d72416978814a17aa65a73079f

SHA512
38972cf90f5ca9286761280fcf8aa375f316eb59733466375f8ba055ce84b6c54e2297bad9a4212374c860898517e5a0c69343190fc4753aafc904557c1ea6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d6b4373e059c5b1fc25b68e6d990827

SHA1
b924e33d05263bffdff75d218043eed370108161

SHA256
fafcaeb410690fcf64fd35de54150c2f9f45b96de55812309c762e0a336b4aa2

SHA512
9bffd6911c9071dd70bc4366655f2370e754274f11c2e92a9ac2f760f316174a0af4e01ddb6f071816fdcad4bb00ff49915fb18fde7ee2dabb953a29e87d29e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
594f8dc5acd91c364aeba6d1582f72f4

SHA1
57a2704c86d3c2bd97eda95f6c85093459be7be7

SHA256
c912bbfc44a6bef9cb5a7acdf69bb736325eefa13dea6adddd17f9293f0db588

SHA512
48dfc87706871beb184ba47f4798376b5f977c5926c5b92c50416ab6de2e9d7d320bf98536a2d985464c91b3af3d3ad4f79fc0932550c7fd0736a0f3b202081b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91c9f29ea5d7c2a16556618e52b8936f

SHA1
acfd4b7dc55090e02bd86da25f3ce8db03cd0a4e

SHA256
f5a1df1b2157ff235310598e36374846b97c8ef7b355a60fd5d887ff43b3df47

SHA512
17289ba8cb6d164e07a266f1e97a0779a70532c6fe18cf4f1d1ad1dc106ebf07762eadabbf3155f08a22f05ecad712524c37f7fddb404772732c7a3ff631ea4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c039db1457b9ecf1a536df11bc837653

SHA1
48e122809ee32e67fe44ad1cebd2477536e41661

SHA256
aef6991643b87c74112ce361430bbfca5aac87a9990ca5fb87d43d47a17317fd

SHA512
1c0618a12a5693a32ed397f7d2f16508b9a3e46e18acbb4c89248021c89d623e62b46d7b82488569b858d219c6a4e248b58d60f09835a6a18db941e918a85116

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
664B

MD5
d33bc4fe1d860aa7e0d7ae732024a57d

SHA1
9667801c9eeda0bf85d5966ed357827c758cb3bb

SHA256
70fe57e0a61a310b2ded214e22676ba9e2f1282358966fc9c814eaa030401e9c

SHA512
85c74331876f06549d96194b0c551731ee4bb04f43d7d33f0b67867f5ba23570f8406e660e5449b99cfd7d34eccea602a1555ee98fa2969c467295b7a1392ecc

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
ebc721b44eda61c7094f955c21bdb1af

SHA1
c2625d1e9793fdbb4ce47f5e4d0b254b7c277ed6

SHA256
48975e622993a12862714c7525219b820e12c67a2dbaa36fd551f54683db8a0a

SHA512
a581e1250809a9f2211c51c6f95b4a9ba2744c7ce59a33bd50eafabfb643f07964f56bd844e588dfb586ffca64140651c71a7f0c33c36a4957df6b44777fff94

Download Submit
memory/968-0-0x00007FF8DA963000-0x00007FF8DA965000-memory.dmp

Filesize
8KB

Download
memory/968-5-0x0000000001460000-0x000000000146C000-memory.dmp

Filesize
48KB

Download
memory/968-4-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

Filesize
10.8MB

Download
memory/968-3-0x00007FF8DA963000-0x00007FF8DA965000-memory.dmp

Filesize
8KB

Download
memory/968-2-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

Filesize
10.8MB

Download
memory/968-1-0x0000000000CE0000-0x0000000000CF4000-memory.dmp

Filesize
80KB

Download