xworm | ebf760dbfa32628221a5a902ffd7e98f560d181225e260ed4326aa36aa99f659

Analysis

max time kernel
34s
max time network
18s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NisSrv.exe
Size

286KB
MD5

4105f6abba105cc27f89c2ebfc0c06b9
SHA1

416adb89cdf50bc1dffd5d386a391a2c32bec3a9
SHA256

dddac27a8c4fc66d1fdbe65cddae474b50f5b21a0bdc7f02594426089d898cc8
SHA512

c73a124afa416227b7b9e297934e5f454f7fe5bab229e0e95a633517bffbd61026accaa6c0573757be5e2f60afc80bcaf70000a20d9b60190935715c8d206541
SSDEEP

6144:pu0CsWLsWwYnZqiXMhD5RL3t8os+E4sch8pP6Dv8NubGv3xcD89eL:4CWNwuZvXMB5DuGsch8QDvt8i

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

install_file
game.exe

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral7/files/0x000a000000003d5f-18.dat	family_xworm
behavioral7/memory/2340-22-0x000000013FFD0000-0x000000014002E000-memory.dmp	family_xworm
behavioral7/files/0x000a000000003d5f-28.dat	family_xworm
behavioral7/files/0x000a000000003d5f-27.dat	family_xworm
behavioral7/files/0x000a000000003d5f-26.dat	family_xworm
behavioral7/files/0x000a000000003d5f-25.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe	NisSrv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe	NisSrv.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	Wind32.exe

Loads dropped DLL 6 IoCs

pid	Process
2804	NisSrv.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2984	powershell.exe
2340	Wind32.exe
2340	Wind32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2340	Wind32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2984	2804	NisSrv.exe	29
PID 2804 wrote to memory of 2984	2804	NisSrv.exe	29
PID 2804 wrote to memory of 2984	2804	NisSrv.exe	29
PID 2804 wrote to memory of 2340	2804	NisSrv.exe	30
PID 2804 wrote to memory of 2340	2804	NisSrv.exe	30
PID 2804 wrote to memory of 2340	2804	NisSrv.exe	30
PID 2340 wrote to memory of 2720	2340	Wind32.exe	31
PID 2340 wrote to memory of 2720	2340	Wind32.exe	31
PID 2340 wrote to memory of 2720	2340	Wind32.exe	31

C:\Users\Admin\AppData\Local\Temp\NisSrv.exe
"C:\Users\Admin\AppData\Local\Temp\NisSrv.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2340 -s 520
    3⤵
    - Loads dropped DLL
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe

Filesize
355KB

MD5
55ab75d168d110fa869e0dade4510172

SHA1
30e05525914ddbdc88b95a4148c2b56cca03e0cc

SHA256
f345fc3969b1f0183b6b8738ab3633c0b840763910f3825f1a3bc2e963648589

SHA512
b565faf3ddd44ce9b25864195475b46cc7ed8bf26b61158deeb1d1f98fc3cb4a105baba97fa9546315fe6234bb3e1077800a7bbad99d33341b0f17d367409a03

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe

Filesize
128KB

MD5
52388fd8633bea5147b077235d4fa2d7

SHA1
e50ab24a2ef19e5bb3ccc2412a08e5d6c27fa196

SHA256
5d35696883f7c25fd79b120b095f41e46061f2f0b6beea4770de5d7114f9e8ee

SHA512
25094238e87c71f878af9c8817968efbf6a6e88641687c672bf69ab4d7066ad3aefa972b2184752c58ff77cc38dd2f31aca78ba7c268c1bd783ca002f911f32f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe

Filesize
39KB

MD5
5533cb4552596878d997f0be4db5705b

SHA1
b7ef3b47e3eab01c25e2dbb15e293a50d6994f4e

SHA256
ec1c02c84f9b997f41148edd7ddd7ca6f26462b1854e358210b76f80ed05a0ff

SHA512
78edddd33260eaf0bac5c185a74d643ddd63ef7dbb5c9a6d01e0ac8123ae4167f569827ba5a61f22ef8fbc368f198acc6247ddb174e1e15075956f1602d07192

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe

Filesize
21KB

MD5
574b26884c034d6242b14513881da9fb

SHA1
7c851e6d3cb739e3c90df5299381fef281aad648

SHA256
45b0060d43caf051eaa0611a793e3ba3eea1e910d78eae73d46018ed302aade5

SHA512
57a99784902c6991760036be3f290b16f4f2a8e03c0d7f284fe1e057cdf440365690b5f4d9ce3b87a5403a22c49f84dd3fc7bc6f0acdc94e35f49a0574d6394a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe

Filesize
45KB

MD5
3d7b3259fb3ed3e96588f8dca4d15310

SHA1
5aed84535938415a1baea8612099fd858813be79

SHA256
7a9398122650910c92e2b4cc46c95cb019b7f6e7634380bb29e244d283986be3

SHA512
a5cb2dbe932fd4ebcd8ca306aeaee8e166c8f46e258df3953ad0235516ee9fd632c9a48bb59a21c764f714feab5bae6ac0a5a294d908bb2263692fb4aebda9dd

Download Submit
memory/2340-30-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-24-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-22-0x000000013FFD0000-0x000000014002E000-memory.dmp

Filesize
376KB

Download
memory/2804-14-0x000000001BA70000-0x000000001BAF0000-memory.dmp

Filesize
512KB

Download
memory/2804-0-0x00000000003A0000-0x00000000003EE000-memory.dmp

Filesize
312KB

Download
memory/2804-23-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-1-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2984-13-0x000007FEF2330000-0x000007FEF2CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-11-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2984-12-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2984-10-0x000007FEF2330000-0x000007FEF2CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-7-0x0000000001CE0000-0x0000000001CE8000-memory.dmp

Filesize
32KB

Download
memory/2984-9-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2984-8-0x000007FEF2330000-0x000007FEF2CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-6-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download