xworm | 4001c4f249a156e7e9410886ddaf8ca7652689eb914a57d3bb17c1284f79dab1

Analysis

max time kernel
4s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2023, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x.exe
Size

320KB
MD5

c940e89943c98832a5738d260f16bf94
SHA1

b422d97d5d59fe0ac82bcb379e2c1d4a27f77618
SHA256

4001c4f249a156e7e9410886ddaf8ca7652689eb914a57d3bb17c1284f79dab1
SHA512

44587a723fa9d51d5dfb216181bdab33987aedd32cff30eec72363425b6de228a7bc51b84fc66214f81b4b398edc70723839d8e979f533595b140cb52bc31cbd
SSDEEP

6144:7DKW1Lgbdl0TBBvjc/RUizNnjLF00mpPGy5Bmfb1cdmhCq3t:Ph1Lk70Tnvjchnjx004uyefbcU3t

Score

10^/10

xworm zgrat rat trojan

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/1276-6-0x0000000005150000-0x00000000051B8000-memory.dmp	family_xworm
behavioral2/memory/1276-0-0x0000000004A50000-0x0000000004AB8000-memory.dmp	family_xworm

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/1276-6-0x0000000005150000-0x00000000051B8000-memory.dmp	family_zgrat_v1
behavioral2/memory/1276-0-0x0000000004A50000-0x0000000004AB8000-memory.dmp	family_zgrat_v1

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/1276-6-0x0000000005150000-0x00000000051B8000-memory.dmp	net_reactor
behavioral2/memory/1276-3-0x0000000004B90000-0x0000000004BA0000-memory.dmp	net_reactor
behavioral2/memory/1276-0-0x0000000004A50000-0x0000000004AB8000-memory.dmp	net_reactor

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2116	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	x.exe

C:\Users\Admin\AppData\Local\Temp\x.exe
"C:\Users\Admin\AppData\Local\Temp\x.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\x.exe'
  2⤵
  PID:3908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
  2⤵
  PID:4752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\taskscheder.exe'
  2⤵
  PID:2288
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskscheder.exe'
  2⤵
  PID:64
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskscheder" /tr "C:\Users\Admin\AppData\Roaming\taskscheder.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2116

C:\Users\Admin\AppData\Roaming\taskscheder.exe
C:\Users\Admin\AppData\Roaming\taskscheder.exe
1⤵
PID:4668

C:\Users\Admin\AppData\Roaming\taskscheder.exe
C:\Users\Admin\AppData\Roaming\taskscheder.exe
1⤵
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\taskscheder.exe.log

Filesize
418B

MD5
2f51ee33b74ab710e289b65a7b580c9b

SHA1
031f919473e89c4a463360c7a898fda986836470

SHA256
bdb480893a7d1acc95b67f49dd12a0c1f69b75d1908536d0cc1350ebfbb5cc58

SHA512
927bd82da2cc751b6b2c97efc33019b8977f2d78d467b363cf609e27a3ac8986e0b4c3b4d025be9fe87f50db51285b115b97ae7d0ae642daae2910d44ad9ec5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
705b42e5bceb6f544f74c697bd6cebe6

SHA1
442ab903b3b5d88edcb7d6214f0805a5383d7625

SHA256
9ae53d48fda1ca651efd7cf02017939f6808835e72beb2b9350bfcfdaa9235e7

SHA512
d5332b14ab08d14c5305f02ef618b1ef2f6c960310ba37bf1ec1e847dd653d08ee352fe09ad7db07d206910b8255a3c2a152e40c6e06bf3c7886c9b49e38c432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
17850920e5ba9076ea4af851c0522f43

SHA1
29e2a81444b537d25845172baef50c1f4526aa95

SHA256
f1ea8c07c4bb695773e716d65560a8dae24e03c4f6bb60768a811bd8309aac57

SHA512
c3ba8f3faa8ebb533a47a55b3af0b5d587546f32bf19d117a1ee55ed42e8a6958367774ceb336cdd2ed89d20065c311145738c7c19ede89dec88ff7ad79d5213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
9KB

MD5
96192d5e5b95ca7ba29c5be29da1e12c

SHA1
e4d4ad7306c21240471a4cc91c2bfaacf8e9cfad

SHA256
2761f15f7a187e2582da086869d4c965219dc3d1b0209ade992983a5f29dc5cd

SHA512
dec49d097a2639c96c235d628622c254302b9e3de98cb1133d6e03860b77e61ec60493db08b8a000bbe22492c7f375a88777e80df63c588a5205ed18cafff1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4tclmasy.aeq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\taskscheder.exe

Filesize
29KB

MD5
966133184fddeec8bd9971ca3a8aa4bb

SHA1
348959180d65286516cab4849dc63ce90aca8d6a

SHA256
08d67fe13f86ccf0f436a0d2e9e5e64ca4f1d5c6bb64d16ab89cce9be4b29539

SHA512
3cc97260eb0414b3c1990b76aaf2bd6a8e93e1e03f9c6238f23d354648aa631eebf63c69b0e80f5c79bec61cdf84b8fe30b93523bf81afd47078a6ad527203cc

Download Submit
C:\Users\Admin\AppData\Roaming\taskscheder.exe

Filesize
30KB

MD5
2d16979a34b26a5ec50ef3b897718f83

SHA1
250a8623bab92894e532bd11d3ccab5142d9eacc

SHA256
182dda67da473fd7cfbd329129f6c5f2275840bc7eee2b27e3417608d108702c

SHA512
8f597c51f26ed02d55859f7f5a8753abf83aa10b735fffeec9cd362fe8cfd864e87fa7abd9d5e08c884f508f9b6282240e3aea4f45c608927a5091a6e189b045

Download Submit
C:\Users\Admin\AppData\Roaming\taskscheder.exe

Filesize
17KB

MD5
f7b861fdbfb0552421c80fa501fdbb6e

SHA1
6e9513a69fb49a2769abe64e6d911393bd9c9105

SHA256
b666d36f10ed6c49c43a634969bb53912dd9b5c9d6ceac8b9ee37e5c1be19fd3

SHA512
aadb40a7b7f69c8b610af79eb6feed0b116aad880d7bf728cb10cba8b0d41a6418a4d679da467f131a39586dd9365bb7bb28a7dc3b11cc3ea1bb4b9b44825ee6

Download Submit
memory/64-121-0x000000006FB60000-0x000000006FBAC000-memory.dmp

Filesize
304KB

Download
memory/64-120-0x000000007FB60000-0x000000007FB70000-memory.dmp

Filesize
64KB

Download
memory/64-132-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/64-108-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/64-109-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/64-131-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/64-134-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/1276-54-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/1276-1-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/1276-4-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1276-6-0x0000000005150000-0x00000000051B8000-memory.dmp

Filesize
416KB

Download
memory/1276-5-0x0000000004BA0000-0x0000000005144000-memory.dmp

Filesize
5.6MB

Download
memory/1276-7-0x00000000051D0000-0x000000000526C000-memory.dmp

Filesize
624KB

Download
memory/1276-140-0x0000000006EA0000-0x0000000006EAA000-memory.dmp

Filesize
40KB

Download
memory/1276-139-0x00000000068E0000-0x0000000006972000-memory.dmp

Filesize
584KB

Download
memory/1276-3-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1276-2-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1276-0-0x0000000004A50000-0x0000000004AB8000-memory.dmp

Filesize
416KB

Download
memory/1276-8-0x00000000052B0000-0x0000000005316000-memory.dmp

Filesize
408KB

Download
memory/1276-80-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2288-95-0x000000006FB60000-0x000000006FBAC000-memory.dmp

Filesize
304KB

Download
memory/2288-105-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2288-84-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/2288-107-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/3908-28-0x00000000076F0000-0x0000000007722000-memory.dmp

Filesize
200KB

Download
memory/3908-40-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3908-51-0x0000000007D70000-0x0000000007D78000-memory.dmp

Filesize
32KB

Download
memory/3908-49-0x0000000007C90000-0x0000000007CA4000-memory.dmp

Filesize
80KB

Download
memory/3908-27-0x0000000006750000-0x000000000679C000-memory.dmp

Filesize
304KB

Download
memory/3908-14-0x0000000005EA0000-0x0000000005EC2000-memory.dmp

Filesize
136KB

Download
memory/3908-11-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3908-10-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/3908-42-0x0000000007930000-0x00000000079D3000-memory.dmp

Filesize
652KB

Download
memory/3908-53-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/3908-41-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3908-50-0x0000000007D90000-0x0000000007DAA000-memory.dmp

Filesize
104KB

Download
memory/3908-48-0x0000000007C80000-0x0000000007C8E000-memory.dmp

Filesize
56KB

Download
memory/3908-44-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/3908-43-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/3908-26-0x0000000006720000-0x000000000673E000-memory.dmp

Filesize
120KB

Download
memory/3908-25-0x0000000006340000-0x0000000006694000-memory.dmp

Filesize
3.3MB

Download
memory/3908-29-0x000000006FB60000-0x000000006FBAC000-memory.dmp

Filesize
304KB

Download
memory/3908-47-0x0000000007C50000-0x0000000007C61000-memory.dmp

Filesize
68KB

Download
memory/3908-15-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/3908-12-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3908-13-0x0000000005870000-0x0000000005E98000-memory.dmp

Filesize
6.2MB

Download
memory/3908-46-0x0000000007CD0000-0x0000000007D66000-memory.dmp

Filesize
600KB

Download
memory/3908-9-0x0000000005180000-0x00000000051B6000-memory.dmp

Filesize
216KB

Download
memory/3908-39-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

Filesize
120KB

Download
memory/3908-45-0x0000000007AC0000-0x0000000007ACA000-memory.dmp

Filesize
40KB

Download
memory/4076-152-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/4076-150-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/4076-151-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/4668-143-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/4668-146-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/4668-144-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/4752-70-0x000000006FB60000-0x000000006FBAC000-memory.dmp

Filesize
304KB

Download
memory/4752-65-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4752-55-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/4752-66-0x0000000006190000-0x00000000064E4000-memory.dmp

Filesize
3.3MB

Download
memory/4752-67-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4752-83-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/4752-81-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4752-69-0x000000007F2E0000-0x000000007F2F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads