xworm | 9ec072826b39d6a5bc2b0d30f4b5130719006318114af5c374b3ef01f2d845e8

Analysis

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
20/04/2025, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

2.0MB
MD5

b9459d549b1b8457c7c1d5b9bce02af8
SHA1

4cf9d5a422d3947186ea816d759738a2385847fd
SHA256

9ec072826b39d6a5bc2b0d30f4b5130719006318114af5c374b3ef01f2d845e8
SHA512

a74a98846f054c710b1e371bb0287f8887eda4a9cb568e30af89a5f6ed6e6014734452f4429ca1896d68a59b1973f6804db119279c4c8523056d232a93a5b42a
SSDEEP

3072:IaJfX7TOQucdr/rdwepzCxeUdo9clZpZ7Tk0YN3r1tM4NpVq8BxFRzaqF+o2GQJ2:D7C4r/TFCxeUdo9cJxk04rsgVqwlL

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/qS2AxbFH

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001900000002b118-29.dat	family_xworm
behavioral2/memory/2812-32-0x0000000000B90000-0x0000000000BA8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5640	powershell.exe
5052	powershell.exe
4320	powershell.exe
5100	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 5 IoCs

pid	Process
1516	Bootstrapper.exe
2812	XClient.exe
5292	XClient.exe
1544	XClient.exe
5448	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
2	pastebin.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4880	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 10 IoCs

defense_evasion

pid	Process
3412	timeout.exe
1268	timeout.exe
4984	timeout.exe
6036	timeout.exe
1712	timeout.exe
3116	timeout.exe
4800	timeout.exe
4776	timeout.exe
4768	timeout.exe
4860	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5640	powershell.exe
5640	powershell.exe
5052	powershell.exe
5052	powershell.exe
4320	powershell.exe
4320	powershell.exe
5100	powershell.exe
5100	powershell.exe
2812	XClient.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	XClient.exe
Token: SeDebugPrivilege	4880	tasklist.exe
Token: SeDebugPrivilege	5640	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	5292	XClient.exe
Token: SeDebugPrivilege	2812	XClient.exe
Token: SeDebugPrivilege	1544	XClient.exe
Token: SeDebugPrivilege	5448	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2812	XClient.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 1516	4052	Bootstrapper.exe	78
PID 4052 wrote to memory of 1516	4052	Bootstrapper.exe	78
PID 4052 wrote to memory of 5316	4052	Bootstrapper.exe	79
PID 4052 wrote to memory of 5316	4052	Bootstrapper.exe	79
PID 1516 wrote to memory of 2812	1516	Bootstrapper.exe	81
PID 1516 wrote to memory of 2812	1516	Bootstrapper.exe	81
PID 5316 wrote to memory of 3412	5316	cmd.exe	82
PID 5316 wrote to memory of 3412	5316	cmd.exe	82
PID 5316 wrote to memory of 6036	5316	cmd.exe	83
PID 5316 wrote to memory of 6036	5316	cmd.exe	83
PID 5316 wrote to memory of 1268	5316	cmd.exe	84
PID 5316 wrote to memory of 1268	5316	cmd.exe	84
PID 5316 wrote to memory of 1712	5316	cmd.exe	85
PID 5316 wrote to memory of 1712	5316	cmd.exe	85
PID 5316 wrote to memory of 3116	5316	cmd.exe	86
PID 5316 wrote to memory of 3116	5316	cmd.exe	86
PID 5316 wrote to memory of 4984	5316	cmd.exe	87
PID 5316 wrote to memory of 4984	5316	cmd.exe	87
PID 5316 wrote to memory of 4800	5316	cmd.exe	88
PID 5316 wrote to memory of 4800	5316	cmd.exe	88
PID 5316 wrote to memory of 4776	5316	cmd.exe	89
PID 5316 wrote to memory of 4776	5316	cmd.exe	89
PID 5316 wrote to memory of 4768	5316	cmd.exe	90
PID 5316 wrote to memory of 4768	5316	cmd.exe	90
PID 5316 wrote to memory of 4860	5316	cmd.exe	91
PID 5316 wrote to memory of 4860	5316	cmd.exe	91
PID 5316 wrote to memory of 4880	5316	cmd.exe	92
PID 5316 wrote to memory of 4880	5316	cmd.exe	92
PID 5316 wrote to memory of 4928	5316	cmd.exe	93
PID 5316 wrote to memory of 4928	5316	cmd.exe	93
PID 2812 wrote to memory of 5640	2812	XClient.exe	95
PID 2812 wrote to memory of 5640	2812	XClient.exe	95
PID 2812 wrote to memory of 5052	2812	XClient.exe	97
PID 2812 wrote to memory of 5052	2812	XClient.exe	97
PID 2812 wrote to memory of 4320	2812	XClient.exe	99
PID 2812 wrote to memory of 4320	2812	XClient.exe	99
PID 2812 wrote to memory of 5100	2812	XClient.exe	101
PID 2812 wrote to memory of 5100	2812	XClient.exe	101
PID 2812 wrote to memory of 5508	2812	XClient.exe	103
PID 2812 wrote to memory of 5508	2812	XClient.exe	103
PID 2028 wrote to memory of 5292	2028	cmd.exe	107
PID 2028 wrote to memory of 5292	2028	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Roaming\Bootstrapper.exe
  "C:\Users\Admin\AppData\Roaming\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Roaming\XClient.exe
    "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5100
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\HorizonLoader.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5316
- - C:\Windows\system32\timeout.exe
    timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3412
- - C:\Windows\system32\timeout.exe
    timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:6036
- - C:\Windows\system32\timeout.exe
    timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1268
- - C:\Windows\system32\timeout.exe
    timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1712
- - C:\Windows\system32\timeout.exe
    timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3116
- - C:\Windows\system32\timeout.exe
    timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4984
- - C:\Windows\system32\timeout.exe
    timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4800
- - C:\Windows\system32\timeout.exe
    timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4776
- - C:\Windows\system32\timeout.exe
    timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4768
- - C:\Windows\system32\timeout.exe
    timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4860
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- - C:\Windows\system32\find.exe
    find /i "RobloxPlayerBeta.exe"
    3⤵
    PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5292

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5448

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bootstrapper.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
71f4a66633cb3e35aaadcf82e339092a

SHA1
626fdf4c61cd42ef514d768e6a02d64cf4afa536

SHA256
0b050421b8536cc98a1e5916845929b78623533d95167a1c5b24abfedfbb2bb9

SHA512
89645044cec4d3afe5cea4e684fc0bf3ba2877c80b6d9b9ab52a491459a79d3a70d6b9c5a651eb2b503a439e534a3ff14f5a03542180cbf8b1d1f23a34e92964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
255f3232dc3b3dde40504b8c89960097

SHA1
c1c13dc575a820b202bb765c8930a4d47812b690

SHA256
163f46c6d616f3439b6880465fb7e229a021c0180c5ca049fa64f65c763ca926

SHA512
8af57296283ea5edb9e4366a74213bd16680eb7c6f5f571cb49526687a2fd9163fd4fa1764db4d6f68a05db33384cc0fe7f75f570072212f01f9e138a4eda265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4093e5ab3812960039eba1a814c2ffb0

SHA1
b5e4a98a80be72fccd3cc910e93113d2febef298

SHA256
c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c

SHA512
f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgabkjlm.fww.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Bootstrapper.exe

Filesize
193KB

MD5
e9b9f5423efacb26fbc0c90de018ce13

SHA1
cdab884e2706aa3d9e91a69000b365b4f9bbb192

SHA256
34493aad4caa6dcf50b917914bbf5c14c4dbc9b59feab80dc193701c1277c18c

SHA512
52bec52aed0d43c35fcf33c5072b0bd87727c00346f284e152e6cedb1a35e35dc63986cb84cc810f756349f94e741bce753ba069f1f01cc3a352cac624c44181

Download Submit
C:\Users\Admin\AppData\Roaming\HorizonLoader.bat

Filesize
3KB

MD5
ee7d95d8b7bc4c2b2762e74b0415fdc6

SHA1
b5844b77a79130cc33d17d98cc3227a95c7d6c4e

SHA256
c3bda6453630e619a898918a7d8e4288749f445208c92c1aff947d884f4bdcdc

SHA512
51cb11646f0dceab48836762034dda0928f5362abee8f6d3caded6fa7706c0bef45c023a5fc7a98605dd1a47ab3172cd4c3f2e2d7fdb4fa7b92923bb996332f9

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
67KB

MD5
adbdd2cfde1cf6f35f70bc18b4516094

SHA1
dd8495606d9abd033373141f2f176efdc61e9622

SHA256
bf825b23f35c5246335fe9d277d338cf46d303a6788b64410740159d731dbd5f

SHA512
26a40a4d7099313ac1d55561c9b32a47a82c40f972c6596df14dc9fc95324177359963d2bd02bea80d9faa79a8c7dc0a67f2ed51fe3b7aeabc2072627f24258e

Download Submit
memory/1516-33-0x00007FFB67330000-0x00007FFB67DF2000-memory.dmp

Filesize
10.8MB

Download
memory/1516-17-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/1516-19-0x00007FFB67330000-0x00007FFB67DF2000-memory.dmp

Filesize
10.8MB

Download
memory/2812-32-0x0000000000B90000-0x0000000000BA8000-memory.dmp

Filesize
96KB

Download
memory/2812-83-0x000000001B770000-0x000000001B77A000-memory.dmp

Filesize
40KB

Download
memory/4052-0-0x00007FFB67333000-0x00007FFB67335000-memory.dmp

Filesize
8KB

Download
memory/4052-1-0x0000000000160000-0x00000000001B8000-memory.dmp

Filesize
352KB

Download
memory/5640-42-0x000001C97C820000-0x000001C97C842000-memory.dmp

Filesize
136KB

Download