Overview

overview

10

Static

static

10

0a36d74a14...04.exe

windows10-2004-x64

8

0b8b9525ea...96.exe

windows10-2004-x64

1

0bcbf39901...03.exe

windows10-2004-x64

10

0e5e999136...e7.exe

windows10-2004-x64

10

0fc0de254b...ce.exe

windows10-2004-x64

10

1a47c4fd5a...a8.exe

windows10-2004-x64

7

1a6ed538d9...ed.exe

windows10-2004-x64

7

1ac9b17068...d7.exe

windows10-2004-x64

8

1be6fdb2df...e9.exe

windows10-2004-x64

10

2bbbb9b0cd...b2.exe

windows10-2004-x64

10

2cda90e9e8...33.exe

windows10-2004-x64

3

2d58b1a373...aa.exe

windows10-2004-x64

5

2e966d3480...2e.exe

windows10-2004-x64

7

3a0297561d...1c.exe

windows10-2004-x64

10

3a90ad3258...8d.exe

windows10-2004-x64

6

3e76598b80...50.exe

windows10-2004-x64

10

4a5b5eb5a4...36.exe

windows10-2004-x64

10

4b482e8492...8c.exe

windows10-2004-x64

6

4bd46a2850...9c.exe

windows10-2004-x64

10

4cca8b360d...0a.exe

windows10-2004-x64

10

4e31114ffd...f7.exe

windows10-2004-x64

10

5ac2fcc4da...83.exe

windows10-2004-x64

10

5b25182d96...14.exe

windows10-2004-x64

7

5ddb366ead...46.exe

windows10-2004-x64

9

5f1364d246...bc.exe

windows10-2004-x64

10

6e0c9935ea...65.exe

windows10-2004-x64

1

6ea27426ff...08.exe

windows10-2004-x64

4

7dad12bd22...d2.exe

windows10-2004-x64

8

7db9e09e8b...71.exe

windows10-2004-x64

3

7e9af10bfe...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2025, 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e5e9991361cc4228bbb1f7c531379f52c2dd8e353af3f27b0d87a2c0d75b4e7.exe

  • Size

    32KB

  • MD5

    325adebdd9f8c27cbdb7a0f8674469f4

  • SHA1

    aec054d040cf107f43b480e00c0a86ae4c7b5b76

  • SHA256

    0e5e9991361cc4228bbb1f7c531379f52c2dd8e353af3f27b0d87a2c0d75b4e7

  • SHA512

    137d81da8400a5c79d4eab0cef9e77d2403f71c4d89cbbc1cf7c880c1ca477abfc74380ecdbcd7620aa10137f201e406cd4c09ab4e5e671f999790c87b87a5d1

  • SSDEEP

    768:JpOkcFeazzw/6QIu4RJg4/F7e1gXkMGsosihCxLiNADHAgN/9VOhl:DOdFBA/6Q4RJg4/F7e1rMTXDLi6LN9VU

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

g574h9hd9.loseyourip.com:1605

Mutex

IaHsONiXUch62bUa

Attributes
  • Install_directory

    %AppData%

  • install_file

    MicrosoftEdgeUpdateCore.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e5e9991361cc4228bbb1f7c531379f52c2dd8e353af3f27b0d87a2c0d75b4e7.exe
    "C:\Users\Admin\AppData\Local\Temp\0e5e9991361cc4228bbb1f7c531379f52c2dd8e353af3f27b0d87a2c0d75b4e7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdateCore.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4648
    • C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdateCore.exe
      "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdateCore.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdateCore.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeUpdateCore.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4164
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeUpdateCore.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3824
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeUpdateCore" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2240
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
      C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5828
  • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
    C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1736
  • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
    C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4800
  • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
    C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5108

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MicrosoftEdgeUpdateCore.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    454c5c4b128d34aee2eb765f2a9c0aa9

    SHA1

    4b6e92db79d964f604fd6b261b3b19ede2aea8a5

    SHA256

    e1e65d1697b9ac59805f677cbc8eec623a899b75b1389354f0948ad3c1513772

    SHA512

    17b4e146ef4f8862d06ac975204cca9ef9b077420256df92d94409715b18efb4dc63879154c1c234317a169ac63024ed43b5cb52473882dc46c588af089f25d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    04f1d68afbed6b13399edfae1e9b1472

    SHA1

    8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

    SHA256

    f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

    SHA512

    30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    595d1023e177bbb43e5f2fed2f2751d3

    SHA1

    1379fcc841f26988764feb35f08bc5f77ccb4843

    SHA256

    e57a001a9f00051d7514df9ea1ca8724581004b14fcffc351a17bd7650718117

    SHA512

    4874f881888e0f7053321037c69ef712a76dc62a8c01f6ba114401c289236eefbba8e01a019bcfcec93fda44096acac4e10f845ddfbc2ada90bea1556e7154ea

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    62d94562013cad250e309b4091503254

    SHA1

    f658f6e53e980694f5ff5bae10455c21ee059a2e

    SHA256

    1ff2d02730e490230262e82169d667b1db011b405f53b3bb4345ed1ee3efc1d5

    SHA512

    282e6777407b759ba15e7410cefc8652ae362a5e9ae13dfb355a3044154ca018a8de2b98df0e83012ae98279480ee3b517c62d33c8122f078ea5f3732aaa2a97

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdateCore.exe
    Filesize

    46KB

    MD5

    2503793e2d46fa767edc9876cc37dc40

    SHA1

    fd0cebfa85c216438eab222bc8ce5d45274d176a

    SHA256

    c20f68bf306f02f68adc562a6b33cd2b9903ac9384bdb56a666c089b436239c8

    SHA512

    23879c2b7340310c4ae9a5e234160c3d3951f087a678fbb794a3d560978fa7d8d4a78057a2830c2e49182d191072bb41ef94a87d0b1b1677d54340d40af9ebeb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gjd2ndmd.krs.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1160-0-0x00007FFFF5C73000-0x00007FFFF5C75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1160-21-0x00007FFFF5C70000-0x00007FFFF6731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1160-1-0x0000000000FF0000-0x0000000000FFE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1160-34-0x00007FFFF5C70000-0x00007FFFF6731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3628-33-0x0000000000100000-0x0000000000112000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4648-12-0x00007FFFF5C70000-0x00007FFFF6731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4648-18-0x00007FFFF5C70000-0x00007FFFF6731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4648-17-0x00007FFFF5C70000-0x00007FFFF6731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4648-14-0x00007FFFF5C70000-0x00007FFFF6731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4648-13-0x00007FFFF5C70000-0x00007FFFF6731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4648-2-0x0000024B0CB40000-0x0000024B0CB62000-memory.dmp

    Filesize

    136KB

    Download