rhadamanthys | hxxps://github[.]com/koyaxZ/XWorm-v5-Remote-Access-Tool

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5332-372-0x0000000002360000-0x0000000002760000-memory.dmp	family_rhadamanthys
behavioral1/memory/5332-373-0x0000000002360000-0x0000000002760000-memory.dmp	family_rhadamanthys
behavioral1/memory/2940-376-0x00000000021B0000-0x00000000025B0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4360-383-0x0000000002160000-0x0000000002560000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

34 camo.githubusercontent.com
35 camo.githubusercontent.com
36 camo.githubusercontent.com
37 camo.githubusercontent.com
38 camo.githubusercontent.com

flow	ioc
34	camo.githubusercontent.com
35	camo.githubusercontent.com
36	camo.githubusercontent.com
37	camo.githubusercontent.com
38	camo.githubusercontent.com

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

XWorm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	XWorm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

OpenWith.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

5612 vlc.exe

pid	process
5612	vlc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeXWorm.exeXWorm.exemsedge.exeXWorm.exe

pid	process
4872	msedge.exe
4872	msedge.exe
4304	msedge.exe
4304	msedge.exe
264	identity_helper.exe
264	identity_helper.exe
2096	msedge.exe
2096	msedge.exe
5532	msedge.exe
5532	msedge.exe
5332	XWorm.exe
5332	XWorm.exe
2940	XWorm.exe
2940	XWorm.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
4360	XWorm.exe
4360	XWorm.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exevlc.exe

pid process

5532 OpenWith.exe
5612 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

4304 msedge.exe
4304 msedge.exe
4304 msedge.exe
4304 msedge.exe
4304 msedge.exe
4304 msedge.exe
4304 msedge.exe
4304 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

XWorm.exe

description pid process

Token: SeShutdownPrivilege 5332 XWorm.exe
Token: SeCreatePagefilePrivilege 5332 XWorm.exe

pid	process
5532	OpenWith.exe
5612	vlc.exe

description	pid	process
Token: SeShutdownPrivilege	5332	XWorm.exe
Token: SeCreatePagefilePrivilege	5332	XWorm.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

msedge.exevlc.exe

pid	process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
5612	vlc.exe
5612	vlc.exe
5612	vlc.exe
5612	vlc.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

msedge.exevlc.exe

pid	process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
5612	vlc.exe
5612	vlc.exe
5612	vlc.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

OpenWith.exevlc.exe

pid process

5532 OpenWith.exe
5532 OpenWith.exe
5532 OpenWith.exe
5532 OpenWith.exe
5532 OpenWith.exe
5532 OpenWith.exe
5532 OpenWith.exe
5532 OpenWith.exe
5532 OpenWith.exe
5612 vlc.exe

pid	process
5532	OpenWith.exe
5532	OpenWith.exe
5532	OpenWith.exe
5532	OpenWith.exe
5532	OpenWith.exe
5532	OpenWith.exe
5532	OpenWith.exe
5532	OpenWith.exe
5532	OpenWith.exe
5612	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4304 wrote to memory of 3440	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 3440	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 2868	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4872	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4872	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 4264	4304	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2a3546f8,0x7ffb2a354708,0x7ffb2a354718
2⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
2⤵
PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
2⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
2⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
2⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
2⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5520 /prefetch:8
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
2⤵
PID:912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
2⤵
PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
2⤵
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
2⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4820 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5344

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5532

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\XWorm.rar"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5612

C:\Users\Admin\Desktop\XWorm-v5-Remote-Access-Tool-main\XWorm.exe
"C:\Users\Admin\Desktop\XWorm-v5-Remote-Access-Tool-main\XWorm.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5332

C:\Users\Admin\Desktop\XWorm-v5-Remote-Access-Tool-main\XWorm.exe
"C:\Users\Admin\Desktop\XWorm-v5-Remote-Access-Tool-main\XWorm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2940

C:\Users\Admin\Desktop\XWorm-v5-Remote-Access-Tool-main\XWorm-v5-Remote-Access-Tool-main\XWorm.exe
"C:\Users\Admin\Desktop\XWorm-v5-Remote-Access-Tool-main\XWorm-v5-Remote-Access-Tool-main\XWorm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
cccd53886faa78596e7b8fdbe5283974

SHA1
1192250dd9cdc7b06fb34787fc4500d1267af2de

SHA256
6371e9c067b292de77f03eec83865a17ce7322c40c57224493dd3b96f114a7c8

SHA512
b4fb5de0795175f5b4958153b938986f781c8a36d387b50046ca69401848f62bbc0de94e9b4d32a7a69d6902c6305ab41cf1e8742b08602a65fc5e2faa077a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
e0fcfc9d1152c1bafdc21a31b976562f

SHA1
95bc4b25096e4ff1fee5674c6c6407890c2c0624

SHA256
e724aefdb45b7b1a2e37135173ceebcb0cbe2c1a2abc218fb6aaeefad07d28b4

SHA512
feded74a0d0b7c79d9decb5e2b26ec083830a8478d360c6966905bee49e2db3dffde375dd9ccb4f8e4cc57396293aba60450966afd371831ae3eec42b1b6aacd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
657B

MD5
4197a2d5f6a6c803589889474c63fa2c

SHA1
64eb7eb0ef18ea58f81f732da4f4923308ca25b3

SHA256
6bf67c613ff8f27b56bd910e9226efb3fa242ceb75afaf182d7ff39db4680558

SHA512
5d7b19d3df259519f917853b98d4a3c1bab62f982ba4b5baf11ee710fed2aa36d7adb9fffd155a9afe9dfa6cc5144f94945d833d9ca3cd84d49b00ee5699ea2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f7131c1ae201583641d95def4a3ac100

SHA1
68c7936894d17b0850fef9f8533d08edd28be7a9

SHA256
0b24f09d4f068c4a035f83b6a69946cc8c483ce9670ba45725cc82da9a47837f

SHA512
b1cdeeacd036b7d1d100d9a4be086c5194c9ff9f0d0b253cf357cd8ef1c7f6df464c7ee2403bf7c7ac6c8104c70f49ca419762f50b0925d1c3901af173f96b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
38499dda31d7a8bb7fc12f406b90ee23

SHA1
a0908e3a88f06d79bddb947c4a03f56cb7f676c9

SHA256
872db9c866d041311f8fa2e237d29717e368a0bfcce56cf42580970ee9f66d2d

SHA512
d17db6540682549c89fa8e5dee5dd77777edc4ebfa7de94345c0ea6047641c514ebb1626fcddeed7522b5d3efa14868b5faa38adc5203381ce146ecaacbb82f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5e18f151a5de138557448a153dbda43d

SHA1
ad67af96bc88aab97474b2e4e07a45a381eb6a5d

SHA256
5da09432c67c684f9b2e29782ad807e0ecc1634e3380fa10448fde2e0ab1661e

SHA512
cc5a21f97bdf45e7c1520e3622a795b7424d2deb4f5d52b6087f23457d73cc971c895ba809e943be34e0d906004273c13cd7bcb65141687ea9974df173286dcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
df1a69cd4de75491b736d88db3fb6b53

SHA1
bc702e814bf0092cd1370815d88caf8e60316caa

SHA256
50f895cd3ef975d806f1ee63992c2e8f60a6a4bd684ac0d53eaeda23ad261d78

SHA512
37fe8d63b890287fe84980b264bbdb064cfe95976f1ab8f7fee74bb795b4759827b9ff4cb197bbe863a5d55bdb261ac26fb285e83d809e40ce8f86f1772b76cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
2130ea743fd9d6e674fb587a167fe7ff

SHA1
84fd1e97e9b478a75ea610c1b6dec9d937fda07d

SHA256
7535d753c6a0612722969460f9c3a357598fe63668343b3cd8ef27a06294581a

SHA512
bcc8936a1376cb1b73318078dae756d8e7d36d4049e4b6e1ee9d0a05c887cbcd28e22a3aa22bf6b16072ccbe71f3814ff95f20702d425f99eb60b5d0999e123e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
77952cbf4a6a39ad0bb586aefbcd3991

SHA1
aa174356bf5c8e4a7797a1a574c6811098ace920

SHA256
172453bd996efd1d9f639ee86a09eb4fc8aee3b2002dd53c78e501f59c555d66

SHA512
27a94afe9a842eed5c8853018560bdc6f78307390e9c8067e924df3d06f079f08cc161e3c90dade8db2cbc961f40fc4290583bdd635991ca560881d793e94c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
56700ad87d190da4c3d454b6a0b8ab64

SHA1
e0a41a7bdea6eab153ac8a98cc125794f7219355

SHA256
b04cb4e47935e4fb3a711360d5b25eadc6cd809073eeaa3f680357d3afe9da09

SHA512
acbed02fa593c43fab4b7e7239ca0b1fd1a1f5467f07b608c18343e3eac5c84da7ede9b294655a53b1af32e0d00c5c5443f4665744c6c5263069fb4ea11cf822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578889.TMP
Filesize
1KB

MD5
db05638a7a3ad8769e724edfca6c191a

SHA1
c5ab5f388ca0bc59a48d172a0e92427fffb7c2e6

SHA256
06714b3244f5d30e07c53f2655cd864187196d2838b92e554ba83c8e6ae8af2e

SHA512
456b093e43ad192d2a97bad0b8b155c7a66cd9e2530d5cc0f05beec8e4a3c8f157cfd6c766bf0501b844fb80acf7af851a5066002af9546a4f1cf61a1618dd1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4fbaa25b04c904ce5048831d5fdcfa67

SHA1
1084de4a666f4fd1ff737093497a6b46a0c4ea77

SHA256
bf56b93670ab7f3b657d993dd8d687fb84c952002191600002e42a7b928263b9

SHA512
bd3ee1d057284db989406411ab851d408ce3cc096b2ad3182095a7e6c7f976b1e5beba9137b352e7400e76cb6a38bf8022383ebb568a8cd6d4ed1debd3d6c1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
38dba75f8077103c55781e38feabd0b3

SHA1
f7bc490858421509c9a837840c5986505d01bfcd

SHA256
6fa58f02cb6095fd11cd6a86f1d1c53ef7aae02548289c3deb8e1038de904ec2

SHA512
74a6053696e49761d00b8a440e4359963007426937ec23d7d3c753749838edf8e1811dd2ab9c2c4a2b844652e28df96e4a65c71c969a66918c90dd12392a60d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4ee3530c0ec41794703186b416758b5c

SHA1
a5b125efb77b98b99fde6e07cace730292cf8de7

SHA256
cb9968db5321edb74f3b1b5f01d7674cecba9db3ad09affe203a5a41b6d0ad3f

SHA512
68537abdfa04c92fbb45b24bae480e7155bcf3cc3f3929ea1d103b539201a167cb170bfe0c44501f5aaa3d80c1b7531f69339bf0300bdc6c414a84e0acdc4035

Download Submit
C:\Users\Admin\Downloads\XWorm-v5-Remote-Access-Tool-main.zip
Filesize
5.0MB

MD5
4009932a7e44d607b529598df00ff375

SHA1
ff8bff1c6f707101215aee8d7ff315cba991001d

SHA256
50505aa9a36faa076b8a6894297bc8fed02269938e6592b7b7be7c9c809897dd

SHA512
b77816e1aaaf9a09155f91aa91070a099fcd09acec92c28ac6afa4bdf2abcec3d4e1eaa028efc4ff9b0999fc6b90ceaa71146d9023aaecc074a49945364c38de

Download Submit
C:\Users\Admin\Downloads\XWorm.rar
Filesize
3.8MB

MD5
8845f7149b64a79343f12ee97b8d90ad

SHA1
d48a4d2b00859e6e7e362e38a34190da60ff8550

SHA256
17c103b0cd832139aded6213496300760f83abc7922d3829d10f09d422b2b348

SHA512
132c47c287aad520e29c42debff6c2a847487323a57824e7b43f48fa5562d9b008c28b297fd3a260b108aebfd99246ed2fff5d38cc9fd52b3406a047aedd5bd9

Download Submit
\??\pipe\LOCAL\crashpad_4304_XAOEJKPILMNEDVNE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2940-376-0x00000000021B0000-0x00000000025B0000-memory.dmp

Filesize
4.0MB

Download
memory/4360-383-0x0000000002160000-0x0000000002560000-memory.dmp

Filesize
4.0MB

Download
memory/5332-371-0x00000000020A0000-0x00000000020A7000-memory.dmp

Filesize
28KB

Download
memory/5332-372-0x0000000002360000-0x0000000002760000-memory.dmp

Filesize
4.0MB

Download
memory/5332-373-0x0000000002360000-0x0000000002760000-memory.dmp

Filesize
4.0MB

Download
memory/5612-241-0x000002C27EC50000-0x000002C27FD00000-memory.dmp

Filesize
16.7MB

Download
memory/5612-240-0x00007FFB163A0000-0x00007FFB16656000-memory.dmp

Filesize
2.7MB

Download
memory/5612-239-0x00007FFB18C80000-0x00007FFB18CB4000-memory.dmp

Filesize
208KB

Download
memory/5612-238-0x00007FF7D0E10000-0x00007FF7D0F08000-memory.dmp

Filesize
992KB

Download