xworm | d788edd667e47b2e6e47bb063097136e62ea0ab352cd467768c45b5228d026a9

General

Target

WizWorm v4.5.rar
Size

35.5MB
MD5

39ea0b58b88f1e712e08fc8488a79e1d
SHA1

ae09f7f5a69d820bfd5d541f9c22a789871fb21b
SHA256

d788edd667e47b2e6e47bb063097136e62ea0ab352cd467768c45b5228d026a9
SHA512

8bf3f71f88c86b944ff0c538c326e597109c35ce1f7429cdc0e46aeaaaf3997c630827d5c5a2ac47699f9d446bd491e5aaa3dc5444ecf0081262765761b60417
SSDEEP

786432:qsMW88vhtCTZjRQGmiT9lbBHyQLlLXrGKGe8y9ZzBanYpbwBbC1PPpyQGsfmF:UWXGRTfbBH1xqI9NBan2bwBm1npHGs+F

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

redslide-36078.portmap.host:36078

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\win64x.exe	family_xworm
behavioral1/memory/2868-51-0x00000000001D0000-0x00000000001E4000-memory.dmp	family_xworm
behavioral1/memory/1120-110-0x00000000011F0000-0x0000000001204000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

win64x.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win64x.lnk	win64x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win64x.lnk	win64x.exe

Executes dropped EXE 5 IoCs

Processes:

WizWorm.exesvchost.exewin64x.exewin64x.exewin64x.exe

pid process

2428 WizWorm.exe
2420 svchost.exe
2868 win64x.exe
1120 win64x.exe
1856 win64x.exe
Loads dropped DLL 2 IoCs

Processes:

WizWorm.exe

pid process

2428 WizWorm.exe
2428 WizWorm.exe

pid	process
2428	WizWorm.exe
2420	svchost.exe
2868	win64x.exe
1120	win64x.exe
1856	win64x.exe

pid	process
2428	WizWorm.exe
2428	WizWorm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

win64x.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\win64x = "C:\\Users\\Admin\\AppData\\Roaming\\win64x.exe"	win64x.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2284 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

7zFM.exepowershell.exepowershell.exepowershell.exewin64x.exe

pid process

2672 7zFM.exe
1652 powershell.exe
940 powershell.exe
1512 powershell.exe
2868 win64x.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2672 7zFM.exe

flow	ioc
4	ip-api.com

pid	process
2284	schtasks.exe

pid	process
2672	7zFM.exe
1652	powershell.exe
940	powershell.exe
1512	powershell.exe
2868	win64x.exe

pid	process
2672	7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

7zFM.exewin64x.exepowershell.exepowershell.exepowershell.exewin64x.exewin64x.exe

description	pid	process
Token: SeRestorePrivilege	2672	7zFM.exe
Token: 35	2672	7zFM.exe
Token: SeSecurityPrivilege	2672	7zFM.exe
Token: SeDebugPrivilege	2868	win64x.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2868	win64x.exe
Token: SeDebugPrivilege	1120	win64x.exe
Token: SeDebugPrivilege	1856	win64x.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe

pid process

2672 7zFM.exe
2672 7zFM.exe
2672 7zFM.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

win64x.exe

pid process

2868 win64x.exe

pid	process
2672	7zFM.exe
2672	7zFM.exe
2672	7zFM.exe

pid	process
2868	win64x.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

cmd.exe7zFM.exeWizWorm.exesvchost.exewin64x.exetaskeng.exe

description	pid	process	target process
PID 2020 wrote to memory of 2672	2020	cmd.exe	7zFM.exe
PID 2020 wrote to memory of 2672	2020	cmd.exe	7zFM.exe
PID 2020 wrote to memory of 2672	2020	cmd.exe	7zFM.exe
PID 2672 wrote to memory of 2428	2672	7zFM.exe	WizWorm.exe
PID 2672 wrote to memory of 2428	2672	7zFM.exe	WizWorm.exe
PID 2672 wrote to memory of 2428	2672	7zFM.exe	WizWorm.exe
PID 2672 wrote to memory of 2428	2672	7zFM.exe	WizWorm.exe
PID 2428 wrote to memory of 2420	2428	WizWorm.exe	svchost.exe
PID 2428 wrote to memory of 2420	2428	WizWorm.exe	svchost.exe
PID 2428 wrote to memory of 2420	2428	WizWorm.exe	svchost.exe
PID 2428 wrote to memory of 2420	2428	WizWorm.exe	svchost.exe
PID 2428 wrote to memory of 2868	2428	WizWorm.exe	win64x.exe
PID 2428 wrote to memory of 2868	2428	WizWorm.exe	win64x.exe
PID 2428 wrote to memory of 2868	2428	WizWorm.exe	win64x.exe
PID 2428 wrote to memory of 2868	2428	WizWorm.exe	win64x.exe
PID 2420 wrote to memory of 2752	2420	svchost.exe	WerFault.exe
PID 2420 wrote to memory of 2752	2420	svchost.exe	WerFault.exe
PID 2420 wrote to memory of 2752	2420	svchost.exe	WerFault.exe
PID 2868 wrote to memory of 1652	2868	win64x.exe	powershell.exe
PID 2868 wrote to memory of 1652	2868	win64x.exe	powershell.exe
PID 2868 wrote to memory of 1652	2868	win64x.exe	powershell.exe
PID 2868 wrote to memory of 940	2868	win64x.exe	powershell.exe
PID 2868 wrote to memory of 940	2868	win64x.exe	powershell.exe
PID 2868 wrote to memory of 940	2868	win64x.exe	powershell.exe
PID 2868 wrote to memory of 1512	2868	win64x.exe	powershell.exe
PID 2868 wrote to memory of 1512	2868	win64x.exe	powershell.exe
PID 2868 wrote to memory of 1512	2868	win64x.exe	powershell.exe
PID 2868 wrote to memory of 2284	2868	win64x.exe	schtasks.exe
PID 2868 wrote to memory of 2284	2868	win64x.exe	schtasks.exe
PID 2868 wrote to memory of 2284	2868	win64x.exe	schtasks.exe
PID 1716 wrote to memory of 1120	1716	taskeng.exe	win64x.exe
PID 1716 wrote to memory of 1120	1716	taskeng.exe	win64x.exe
PID 1716 wrote to memory of 1120	1716	taskeng.exe	win64x.exe
PID 1716 wrote to memory of 1856	1716	taskeng.exe	win64x.exe
PID 1716 wrote to memory of 1856	1716	taskeng.exe	win64x.exe
PID 1716 wrote to memory of 1856	1716	taskeng.exe	win64x.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\WizWorm v4.5.rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\WizWorm v4.5.rar"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\7zO07A4DA96\WizWorm.exe
"C:\Users\Admin\AppData\Local\Temp\7zO07A4DA96\WizWorm.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2420 -s 624
5⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\win64x.exe
"C:\Users\Admin\AppData\Local\Temp\win64x.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\win64x.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'win64x.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\win64x.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "win64x" /tr "C:\Users\Admin\AppData\Roaming\win64x.exe"
5⤵
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\taskeng.exe
taskeng.exe {8DBB37A9-3416-4F95-B79E-306F18C11213} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Roaming\win64x.exe
C:\Users\Admin\AppData\Roaming\win64x.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Users\Admin\AppData\Roaming\win64x.exe
C:\Users\Admin\AppData\Roaming\win64x.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO07A4DA96\WizWorm.exe
Filesize
14.4MB

MD5
2ed1de02f7228b7f006a33f43bf4361c

SHA1
f39151b9d6781d07616f2768a144415c255f8c6c

SHA256
96b75af18e90cadfec84c1bf72a1e402dc7bdef02ffbe6e35f25446d2f96c1f1

SHA512
4167af4c9af174635019d07227c4851d638b82726dda0a93aafe8f115fcc1b76012ee3eaa23bae0f9c8f9126eb469e0e10a246932ea94ff3d7b32f6dac658a2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
73b537ab7b128f6fd800a53f8ea443e0

SHA1
fcf50fd38fe6016080ba7b1e550a2cf4431ac643

SHA256
d1904b373e96df1b5828e832e931f55078f7ec230a99901be67680a77f70f5fb

SHA512
21e9b32b5b410519c60ad73349fc0b3e83ef03d4fb5027c26f64b679cbaa13582133580d5c24a33d70c30ebb68f201a9c3cf8a301bbbaa8b0cb089f59b6ec330

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
14.3MB

MD5
ee37a918d746512afa8e35109f6d8b85

SHA1
f98359a420af803fb7ba9941ea719dad39bea2a7

SHA256
02f104af2be304ea240158bfb8200ed782884a3eeadcaee50e706849651ee08f

SHA512
db80db4bf2094d33824078e876b23a3374929663cfe83eed507f2029910a2ae5d32b8f38aaca3b54a15c1148ae8e2b7ed706bdadfdf4a6dfc7f8a94f97ab1160

Download Submit
\Users\Admin\AppData\Local\Temp\win64x.exe
Filesize
56KB

MD5
d630076a81a54f9be10b445948be037a

SHA1
b1dc7ff1fe7dbf7e0e6666a86cfa40fde5e39906

SHA256
5c95cee65a2fbf29f3ae2cefbff0500f3f96f935b69d56377aa7d9af618e32d1

SHA512
6a8ee1536c45812259851440dda661db07d4c64cadf36bd56635016621e81f46ed33be50f559247300885e3011018ef7ebcf5e4bea10f6b41c4a1c1a7e06597f

Download Submit
memory/940-81-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/940-83-0x000007FEECC00000-0x000007FEED59D000-memory.dmp

Filesize
9.6MB

Download
memory/940-80-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/940-79-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/940-78-0x000007FEECC00000-0x000007FEED59D000-memory.dmp

Filesize
9.6MB

Download
memory/940-75-0x000007FEECC00000-0x000007FEED59D000-memory.dmp

Filesize
9.6MB

Download
memory/940-76-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/940-77-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/940-74-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/1120-110-0x00000000011F0000-0x0000000001204000-memory.dmp

Filesize
80KB

Download
memory/1120-111-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/1120-112-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/1512-92-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1512-96-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-95-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1512-91-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-90-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1512-89-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1652-66-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1652-68-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1652-65-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1652-67-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1652-64-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1652-63-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1652-62-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/1652-61-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/1856-116-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/1856-115-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-56-0x000000001C360000-0x000000001D552000-memory.dmp

Filesize
17.9MB

Download
memory/2420-82-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-53-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-54-0x000000001BD90000-0x000000001BE10000-memory.dmp

Filesize
512KB

Download
memory/2420-94-0x000000001BD90000-0x000000001BE10000-memory.dmp

Filesize
512KB

Download
memory/2420-52-0x00000000002E0000-0x0000000001134000-memory.dmp

Filesize
14.3MB

Download
memory/2428-50-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-37-0x0000000000F90000-0x0000000001DF8000-memory.dmp

Filesize
14.4MB

Download
memory/2428-36-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-99-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/2868-55-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-93-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-51-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads