xworm | a5c0d4c059432a9c8a129c8f6bd0d27f587cbafb568e866cc8f360d9bd315865

Analysis

max time kernel
98s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.7MB
MD5

d1cc7d267d5f9a288aebe21433875a09
SHA1

9cdfbf1a009a65e5c1e1aa0e4cf1e06302cae735
SHA256

a5c0d4c059432a9c8a129c8f6bd0d27f587cbafb568e866cc8f360d9bd315865
SHA512

5027d404d97f7f154ac15bfe73df06f0bd9bb6ff8aec3c1ac2292c07e621cfd646f27ddd28aaf94149f517e5f10256e1041ec6ba961544572255d86d67de78f0
SSDEEP

49152:cBS+smeLEt8D7vFHA8vEGvm4g+CSkeQ6sUrvWTCrTkVNi0H:cymFM8GvXzhQpVDNi4

Score

10^/10

xworm zgrat persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

2.2

147.185.221.19:28863

Mutex

2gdTpVaPpaAWkNts

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2696-4895-0x00000000066A0000-0x00000000066B0000-memory.dmp	family_xworm

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/2696-2-0x0000000005510000-0x000000000573C000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-5-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-6-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-8-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-10-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-14-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-12-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-16-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-18-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-20-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-22-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-24-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-26-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-28-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-30-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-32-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-34-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-36-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-40-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-42-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-38-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-44-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-48-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-46-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-50-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-52-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-54-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-56-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-58-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-60-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-62-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-64-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-66-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1
behavioral2/memory/2696-68-0x0000000005510000-0x0000000005735000-memory.dmp	family_zgrat_v1

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe	tmp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe	tmp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\settings = "C:\\Users\\Admin\\AppData\\Roaming\\settings.exe"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmp = "C:\\Users\\Admin\\AppData\\Roaming\\tmp.exe"	tmp.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	ip-api.com

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2696	tmp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	tmp.exe
Token: SeDebugPrivilege	2696	tmp.exe
Token: SeDebugPrivilege	2696	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2696-0-0x0000000000860000-0x0000000000B14000-memory.dmp

Filesize
2.7MB

Download
memory/2696-1-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/2696-2-0x0000000005510000-0x000000000573C000-memory.dmp

Filesize
2.2MB

Download
memory/2696-3-0x0000000005CF0000-0x0000000006294000-memory.dmp

Filesize
5.6MB

Download
memory/2696-4-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/2696-5-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-6-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-8-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-10-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-14-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-12-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-16-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-18-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-20-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-22-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-24-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-26-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-28-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-30-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-32-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-34-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-36-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-40-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-42-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-38-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-44-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-48-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-46-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-50-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-52-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-54-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-56-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-58-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-60-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-62-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-64-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-66-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-68-0x0000000005510000-0x0000000005735000-memory.dmp

Filesize
2.1MB

Download
memory/2696-3577-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/2696-4886-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/2696-4887-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/2696-4888-0x00000000062A0000-0x0000000006308000-memory.dmp

Filesize
416KB

Download
memory/2696-4889-0x0000000006410000-0x000000000645C000-memory.dmp

Filesize
304KB

Download
memory/2696-4890-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/2696-4891-0x0000000000F10000-0x0000000000F64000-memory.dmp

Filesize
336KB

Download
memory/2696-4895-0x00000000066A0000-0x00000000066B0000-memory.dmp

Filesize
64KB

Download
memory/2696-4896-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/2696-4897-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/2696-4898-0x00000000067C0000-0x000000000685C000-memory.dmp

Filesize
624KB

Download
memory/2696-4899-0x0000000006860000-0x00000000068C6000-memory.dmp

Filesize
408KB

Download
memory/2696-4903-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/2696-4904-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/2696-4905-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/2696-4906-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download