xworm | 32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msmng2.exe
Size

2.1MB
MD5

3b5757f632446842aac3ecd3f1c28366
SHA1

4e00b5c8670c8a184632bdd48eedb3f90fdd4f19
SHA256

32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2
SHA512

bee2b4ea1025ba5fd47ace7b3d9d72527ec6511aeb113f1d709c3df0debcb09405e20c5d746719d2bd91b7f304469c2c7dc9f8b746bec953947bbb9583601c6d
SSDEEP

49152:UqwmCCmvuorNkZQfE8UoGH3pRKl9+VvHu7fAws5Q:b8u8kainHPxVvHW3s5Q

Score

10^/10

xworm zgrat rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

5.182.87.154:7000

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4184-0-0x0000000000640000-0x0000000000860000-memory.dmp	family_xworm
behavioral2/memory/2948-278-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/4184-0-0x0000000000640000-0x0000000000860000-memory.dmp	family_zgrat_v1

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msmgnr.lnk	MSBuild.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msmgnr.lnk	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4184 set thread context of 2948	4184	msmng2.exe	103

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
4184	msmng2.exe
212	powershell.exe
212	powershell.exe
212	powershell.exe
2612	powershell.exe
2612	powershell.exe
2612	powershell.exe
3792	powershell.exe
3792	powershell.exe
3792	powershell.exe
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe
2948	MSBuild.exe
2948	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4184	msmng2.exe
Token: SeDebugPrivilege	2948	MSBuild.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4184	msmng2.exe
4184	msmng2.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4184	msmng2.exe
4184	msmng2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2948	MSBuild.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 2948	4184	msmng2.exe	103
PID 4184 wrote to memory of 2948	4184	msmng2.exe	103
PID 4184 wrote to memory of 2948	4184	msmng2.exe	103
PID 4184 wrote to memory of 2948	4184	msmng2.exe	103
PID 4184 wrote to memory of 2948	4184	msmng2.exe	103
PID 4184 wrote to memory of 2948	4184	msmng2.exe	103
PID 4184 wrote to memory of 2948	4184	msmng2.exe	103
PID 4184 wrote to memory of 2948	4184	msmng2.exe	103
PID 2948 wrote to memory of 212	2948	MSBuild.exe	105
PID 2948 wrote to memory of 212	2948	MSBuild.exe	105
PID 2948 wrote to memory of 212	2948	MSBuild.exe	105
PID 2948 wrote to memory of 2612	2948	MSBuild.exe	107
PID 2948 wrote to memory of 2612	2948	MSBuild.exe	107
PID 2948 wrote to memory of 2612	2948	MSBuild.exe	107
PID 2948 wrote to memory of 3792	2948	MSBuild.exe	109
PID 2948 wrote to memory of 3792	2948	MSBuild.exe	109
PID 2948 wrote to memory of 3792	2948	MSBuild.exe	109
PID 2948 wrote to memory of 3864	2948	MSBuild.exe	111
PID 2948 wrote to memory of 3864	2948	MSBuild.exe	111
PID 2948 wrote to memory of 3864	2948	MSBuild.exe	111

C:\Users\Admin\AppData\Local\Temp\msmng2.exe
"C:\Users\Admin\AppData\Local\Temp\msmng2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  sad
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msmgnr.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msmgnr.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3864

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:60

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-287-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/212-331-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/212-327-0x0000000007E90000-0x0000000007EAA000-memory.dmp

Filesize
104KB

Download
memory/212-328-0x0000000007DC0000-0x0000000007DC8000-memory.dmp

Filesize
32KB

Download
memory/212-326-0x0000000007D80000-0x0000000007D94000-memory.dmp

Filesize
80KB

Download
memory/212-325-0x0000000007D70000-0x0000000007D7E000-memory.dmp

Filesize
56KB

Download
memory/212-304-0x000000007F9A0000-0x000000007F9B0000-memory.dmp

Filesize
64KB

Download
memory/212-306-0x000000006FF80000-0x000000006FFCC000-memory.dmp

Filesize
304KB

Download
memory/212-324-0x0000000007D40000-0x0000000007D51000-memory.dmp

Filesize
68KB

Download
memory/212-316-0x0000000006E00000-0x0000000006E1E000-memory.dmp

Filesize
120KB

Download
memory/212-323-0x0000000007DD0000-0x0000000007E66000-memory.dmp

Filesize
600KB

Download
memory/212-320-0x0000000008180000-0x00000000087FA000-memory.dmp

Filesize
6.5MB

Download
memory/212-322-0x0000000007BA0000-0x0000000007BAA000-memory.dmp

Filesize
40KB

Download
memory/212-321-0x0000000007B40000-0x0000000007B5A000-memory.dmp

Filesize
104KB

Download
memory/212-317-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/212-318-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/212-319-0x0000000007A10000-0x0000000007AB3000-memory.dmp

Filesize
652KB

Download
memory/212-305-0x00000000079D0000-0x0000000007A02000-memory.dmp

Filesize
200KB

Download
memory/212-284-0x0000000005280000-0x00000000052B6000-memory.dmp

Filesize
216KB

Download
memory/212-285-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/212-286-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/212-289-0x0000000005FA0000-0x0000000005FC2000-memory.dmp

Filesize
136KB

Download
memory/212-303-0x0000000006860000-0x00000000068AC000-memory.dmp

Filesize
304KB

Download
memory/212-302-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/212-291-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/212-301-0x0000000006430000-0x0000000006784000-memory.dmp

Filesize
3.3MB

Download
memory/212-290-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/212-288-0x0000000005940000-0x0000000005F68000-memory.dmp

Filesize
6.2MB

Download
memory/2612-335-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2612-358-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2612-345-0x0000000005940000-0x0000000005C94000-memory.dmp

Filesize
3.3MB

Download
memory/2612-357-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2612-360-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2612-334-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2612-333-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2612-347-0x000000006FF80000-0x000000006FFCC000-memory.dmp

Filesize
304KB

Download
memory/2948-419-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/2948-420-0x0000000006090000-0x0000000006634000-memory.dmp

Filesize
5.6MB

Download
memory/2948-371-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2948-281-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2948-280-0x0000000004EE0000-0x0000000004F7C000-memory.dmp

Filesize
624KB

Download
memory/2948-278-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3792-375-0x000000006FF80000-0x000000006FFCC000-memory.dmp

Filesize
304KB

Download
memory/3792-386-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/3792-381-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/3792-374-0x000000007F050000-0x000000007F060000-memory.dmp

Filesize
64KB

Download
memory/3792-372-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/3792-361-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/3792-388-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/3864-389-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/3864-390-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/3864-412-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/3864-402-0x000000006FF80000-0x000000006FFCC000-memory.dmp

Filesize
304KB

Download
memory/3864-401-0x000000007F8F0000-0x000000007F900000-memory.dmp

Filesize
64KB

Download
memory/3864-414-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4184-279-0x00007FFB48510000-0x00007FFB48FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4184-2-0x000000001B670000-0x000000001B680000-memory.dmp

Filesize
64KB

Download
memory/4184-57-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-61-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-63-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-65-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-67-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-69-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-59-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-45-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-35-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-25-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-15-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-5-0x000000001E7B0000-0x000000001E898000-memory.dmp

Filesize
928KB

Download
memory/4184-4-0x000000001B980000-0x000000001B9A2000-memory.dmp

Filesize
136KB

Download
memory/4184-1-0x00007FFB48510000-0x00007FFB48FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4184-3-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/4184-0-0x0000000000640000-0x0000000000860000-memory.dmp

Filesize
2.1MB

Download
memory/4184-53-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-51-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-49-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-55-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-47-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-43-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-41-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-39-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-276-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4184-37-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-283-0x00007FFB48510000-0x00007FFB48FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4184-6-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-7-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-9-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-11-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-13-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-17-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-19-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-21-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-23-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-27-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-29-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-31-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download
memory/4184-33-0x000000001E7B0000-0x000000001E891000-memory.dmp

Filesize
900KB

Download