XWorm IOCs indicate potential adversary compromise through malicious file execution and lateral movement within the network. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and contain advanced persistent threats before they escalate.
IOC Summary
Malware Family: XWorm Total IOCs: 6 IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 103[.]83[.]86[.]174:2929 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 80[.]76[.]49[.]132:7004 | botnet_cc | 2026-06-04 | 75% |
| domain | BiMQuT238p64emYwAjhVaw== | botnet_cc | 2026-06-04 | 75% |
| ip:port | 45[.]133[.]116[.]16:8823 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 104[.]239[.]66[.]86:7004 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 155[.]103[.]71[.]146:777 | botnet_cc | 2026-06-04 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XWorm
let malicious_ips = dynamic(["104.239.66.86", "80.76.49.132", "155.103.71.146", "103.83.86.174", "45.133.116.16"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["104.239.66.86", "80.76.49.132", "155.103.71.146", "103.83.86.174", "45.133.116.16"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XWorm
let malicious_domains = dynamic(["BiMQuT238p64emYwAjhVaw=="]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled task runs a PowerShell script to clean up temporary files or update software.
Filter/Exclusion: process.parent_process_name:"Task Scheduler" or process.name:"schtasks.exe"
Scenario: Admin using Mimikatz for credential retrieval during incident response
Description: A security team member uses Mimikatz to extract credentials from memory during a breach investigation.
Filter/Exclusion: process.user:"Domain\Administrator" or process.command_line:"mimikatz.exe"
Scenario: Automated log collection using LogParser for compliance
Description: A log collection tool runs LogParser to aggregate and analyze system logs.
Filter/Exclusion: process.name:"logparser.exe" or process.command_line:"logparser.exe"
Scenario: System update using Windows Update Standalone Installer
Description: A Windows Update Standalone Installer (wusa.exe) is used to apply critical system updates.
Filter/Exclusion: process.name:"wusa.exe" or process.command_line:"wusa.exe"
Scenario: Database backup using SQL Server Agent Job
Description: A SQL Server Agent job is configured to perform a database backup using T-SQL scripts.
Filter/Exclusion: process.name:"sqlservr.exe" or process.command_line:"sqlcmd.exe"