xworm | 9fc53dcefce749b23c8f907dc44d498d15058a5b2cedb7c94e1cd42c88176c2f

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rasauq Launcher.exe
Size

84KB
MD5

569a09ebfa64b8f5ec39a17c2b3bc4dd
SHA1

1d2b2b9c024f2e204ab0b4bbba9a6c305038d487
SHA256

9fc53dcefce749b23c8f907dc44d498d15058a5b2cedb7c94e1cd42c88176c2f
SHA512

960af03f64621beda154dc986cb80d3370f11cb1fe846bc91ec8ba6782dd71dba229926ef2fea0fec208713e6b5af07912ca1045c40fe5c246dd6377529ee01b
SSDEEP

1536:l5e2sHTvN2b4p98BcYCXSg0qMl3nRgt5P7ZJUqAA/WkywGKwkvOWkDDiun:q2W0n4lEl3RE5veV2Wniun

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

looking-brings.gl.at.ply.gg:65381

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot8074871433:AAGd-vCZQOlCC_n2SUFT-qQ6fFThcBVDd1Y

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0012000000016d3f-5.dat	family_xworm
behavioral1/memory/2060-20-0x0000000000BD0000-0x0000000000BEA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2756	powershell.exe
2988	powershell.exe
2376	powershell.exe
2384	powershell.exe
2572	powershell.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2016	attrib.exe
1708	attrib.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe

Executes dropped EXE 3 IoCs

pid	Process
2060	Rasauq SoftWorks.exe
2204	sRasauq SoftWorks.exe
1712	$77RealtekAudioDriverHost.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	Rasauq Launcher.exe
580	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Realtek Audio Driver Host\\$77RealtekAudioDriverHost.exe\""	sRasauq SoftWorks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Service.scr"	Rasauq SoftWorks.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2724	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2124	schtasks.exe
2840	schtasks.exe
2788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2756	powershell.exe
2988	powershell.exe
2376	powershell.exe
2384	powershell.exe
2204	sRasauq SoftWorks.exe
2204	sRasauq SoftWorks.exe
2204	sRasauq SoftWorks.exe
2572	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeBackupPrivilege	2996	vssvc.exe
Token: SeRestorePrivilege	2996	vssvc.exe
Token: SeAuditPrivilege	2996	vssvc.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2060	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	2204	sRasauq SoftWorks.exe
Token: SeDebugPrivilege	1712	$77RealtekAudioDriverHost.exe
Token: SeDebugPrivilege	2572	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2060	2868	Rasauq Launcher.exe	30
PID 2868 wrote to memory of 2060	2868	Rasauq Launcher.exe	30
PID 2868 wrote to memory of 2060	2868	Rasauq Launcher.exe	30
PID 2868 wrote to memory of 2204	2868	Rasauq Launcher.exe	31
PID 2868 wrote to memory of 2204	2868	Rasauq Launcher.exe	31
PID 2868 wrote to memory of 2204	2868	Rasauq Launcher.exe	31
PID 2868 wrote to memory of 2952	2868	Rasauq Launcher.exe	32
PID 2868 wrote to memory of 2952	2868	Rasauq Launcher.exe	32
PID 2868 wrote to memory of 2952	2868	Rasauq Launcher.exe	32
PID 2060 wrote to memory of 2756	2060	Rasauq SoftWorks.exe	34
PID 2060 wrote to memory of 2756	2060	Rasauq SoftWorks.exe	34
PID 2060 wrote to memory of 2756	2060	Rasauq SoftWorks.exe	34
PID 2060 wrote to memory of 2988	2060	Rasauq SoftWorks.exe	40
PID 2060 wrote to memory of 2988	2060	Rasauq SoftWorks.exe	40
PID 2060 wrote to memory of 2988	2060	Rasauq SoftWorks.exe	40
PID 2060 wrote to memory of 2376	2060	Rasauq SoftWorks.exe	42
PID 2060 wrote to memory of 2376	2060	Rasauq SoftWorks.exe	42
PID 2060 wrote to memory of 2376	2060	Rasauq SoftWorks.exe	42
PID 2060 wrote to memory of 2384	2060	Rasauq SoftWorks.exe	44
PID 2060 wrote to memory of 2384	2060	Rasauq SoftWorks.exe	44
PID 2060 wrote to memory of 2384	2060	Rasauq SoftWorks.exe	44
PID 2060 wrote to memory of 2124	2060	Rasauq SoftWorks.exe	46
PID 2060 wrote to memory of 2124	2060	Rasauq SoftWorks.exe	46
PID 2060 wrote to memory of 2124	2060	Rasauq SoftWorks.exe	46
PID 2204 wrote to memory of 1708	2204	sRasauq SoftWorks.exe	48
PID 2204 wrote to memory of 1708	2204	sRasauq SoftWorks.exe	48
PID 2204 wrote to memory of 1708	2204	sRasauq SoftWorks.exe	48
PID 2204 wrote to memory of 2016	2204	sRasauq SoftWorks.exe	50
PID 2204 wrote to memory of 2016	2204	sRasauq SoftWorks.exe	50
PID 2204 wrote to memory of 2016	2204	sRasauq SoftWorks.exe	50
PID 2204 wrote to memory of 580	2204	sRasauq SoftWorks.exe	52
PID 2204 wrote to memory of 580	2204	sRasauq SoftWorks.exe	52
PID 2204 wrote to memory of 580	2204	sRasauq SoftWorks.exe	52
PID 580 wrote to memory of 2724	580	cmd.exe	54
PID 580 wrote to memory of 2724	580	cmd.exe	54
PID 580 wrote to memory of 2724	580	cmd.exe	54
PID 580 wrote to memory of 1712	580	cmd.exe	55
PID 580 wrote to memory of 1712	580	cmd.exe	55
PID 580 wrote to memory of 1712	580	cmd.exe	55
PID 1712 wrote to memory of 3032	1712	$77RealtekAudioDriverHost.exe	57
PID 1712 wrote to memory of 3032	1712	$77RealtekAudioDriverHost.exe	57
PID 1712 wrote to memory of 3032	1712	$77RealtekAudioDriverHost.exe	57
PID 1712 wrote to memory of 2840	1712	$77RealtekAudioDriverHost.exe	59
PID 1712 wrote to memory of 2840	1712	$77RealtekAudioDriverHost.exe	59
PID 1712 wrote to memory of 2840	1712	$77RealtekAudioDriverHost.exe	59
PID 1712 wrote to memory of 3020	1712	$77RealtekAudioDriverHost.exe	61
PID 1712 wrote to memory of 3020	1712	$77RealtekAudioDriverHost.exe	61
PID 1712 wrote to memory of 3020	1712	$77RealtekAudioDriverHost.exe	61
PID 1712 wrote to memory of 2572	1712	$77RealtekAudioDriverHost.exe	63
PID 1712 wrote to memory of 2572	1712	$77RealtekAudioDriverHost.exe	63
PID 1712 wrote to memory of 2572	1712	$77RealtekAudioDriverHost.exe	63
PID 1712 wrote to memory of 2788	1712	$77RealtekAudioDriverHost.exe	65
PID 1712 wrote to memory of 2788	1712	$77RealtekAudioDriverHost.exe	65
PID 1712 wrote to memory of 2788	1712	$77RealtekAudioDriverHost.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1708	attrib.exe
2016	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
  "C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Rasauq SoftWorks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Service.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Service.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Service" /tr "C:\Users\Admin\AppData\Local\Windows Host Service.scr"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2124
- C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
  "C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1708
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2016
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC4C5.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2724
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
        5⤵
        
        PID:3032
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77RealtekAudioDriverHost.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe \"\$77RealtekAudioDriverHost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2840
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
        5⤵
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "RealtekAudioDriverHost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2788
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Launch.bat" "
  2⤵
  PID:2952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\system32\taskeng.exe
taskeng.exe {CAE06032-FC22-4ED6-80A7-81342CA70EB4} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Launch.bat

Filesize
398B

MD5
41bded52aa489cdea31a174f89bca818

SHA1
da072fb11e72d2762f96d0f901d7ef7bca17218d

SHA256
2172bb0729d91bcf777bbdd0c42dae9c71de0f1251d165655f551673bf622d59

SHA512
d0fa53492e783e627186d96dcf3ffcecc10f8895bd42a16f4946c34de6e4ec2bc156bab0e070ec0ebf9492f394d11d4c7929df1b57ca59cb6e11a566de3a6dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe

Filesize
81KB

MD5
12a225de8199d2a31f049a6f300d8cfa

SHA1
24819a452cf1db15167a52b12f258d27baacbd6e

SHA256
1399d955881d9db34cbe261c117818a7933a1cc7c8cdabcff8fc22c880053801

SHA512
3e321ac6e35b83e0645611721354a03358da7dde8bc42f761e258f87fa2ae8a33c3778aa48b10e0ead87331eded7240b7134f9c05333a823a53258f7a52cac32

Download Submit
C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe

Filesize
41KB

MD5
7091469b8f2213255ba3c2870a60c7eb

SHA1
17e501e4900bf5dacc5cb0424db87d2ce7a89880

SHA256
d63b09f1a44ed10ff2e6aa558ab494ad561066fff13de330eae87e6749a0e3d7

SHA512
f67a4244cf2f4c6fdc728441d85e4e3d6cea3fd28fcc2b21aefc385257d3ad4eb177ff58acb07621b6fb6d4c331b7df80f5a9bd7a53c5d54bb91f000138223b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4C5.tmp.bat

Filesize
223B

MD5
458e649b3b89a944fea622defdc5b421

SHA1
a953579dc1a96e82e9226715f4df44495916e20d

SHA256
dbe59a4cdaab22206b48ec77a5694c2aec8bb61608a5131fd530b0990d7e9bf4

SHA512
9b7207530ab99f53b1303706d15573c445f493e1fb66720ea663a237fa4a5ec88e60c513db5764f122dbc23a2034069f787ecf40bc97ee66dc041517c30ff14f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
23f38ac0f2cdb8126c995b081a3b3918

SHA1
614d4328dcf6206c9ee9a0b33887fadf8f7a594d

SHA256
381083c072e1be62f9facb85c4c9f018dfb44a5c279f60c2bcd62c6cc149feaa

SHA512
4d607de53850331f31b27344999b6d8fe9d9c6072171ec1a10d7e0ee141e5e1aa0de4d1cbc609af95f223e6bdb40ed7c4016c540674096e4503d9524fb2edcf4

Download Submit
memory/1712-66-0x000000013F0C0000-0x000000013F0CE000-memory.dmp

Filesize
56KB

Download
memory/2060-25-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-51-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-20-0x0000000000BD0000-0x0000000000BEA000-memory.dmp

Filesize
104KB

Download
memory/2204-22-0x000000013FBF0000-0x000000013FBFE000-memory.dmp

Filesize
56KB

Download
memory/2756-30-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2756-31-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2868-24-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

Filesize
4KB

Download
memory/2868-1-0x000000013F7B0000-0x000000013F7C8000-memory.dmp

Filesize
96KB

Download
memory/2988-37-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2988-38-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download