xworm | a83d9be8a4466699a75dde9699fa632ee75704596f501b1da6f095717dff9541

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe
Size

8.6MB
MD5

0dcadb6b3bc2d3a109891af0e2d44c70
SHA1

a24bbf9768220afe7066b6d9567523e97a124458
SHA256

a83d9be8a4466699a75dde9699fa632ee75704596f501b1da6f095717dff9541
SHA512

2f15e998ce6a4bd7f743c85b371d427e2572ac805db9207772f8772d97aad868ae88fdc28836970e6a1cc4a9ceb20b1766497957d0ef6939e37a544427db2c82
SSDEEP

196608:yMvz1YfOi2xki3ZSzMQcI11G5ChE3WjcpPP1sw2UMj1fAOyTZbdMvDlY9meYaRXI:yMvz1YfOi2xki3ZSzMQcI11G5ChE3WjT

Score

10^/10

xworm zgrat persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

91.92.253.87:1291

Mutex

aliSaYgMg2ZAwhna

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2120-4905-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2232-3-0x0000000007070000-0x000000000728E000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-4-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-25-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-5-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-45-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-51-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-53-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-57-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-7-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-23-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-61-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-67-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-65-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-63-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-59-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-55-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-49-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-47-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-43-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-41-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-39-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-37-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-35-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-33-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-31-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-29-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-27-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-21-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-19-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-17-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-15-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-13-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-11-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1
behavioral1/memory/2232-9-0x0000000007070000-0x0000000007289000-memory.dmp	family_zgrat_v1

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Egeqkykwaiz = "C:\\Users\\Admin\\AppData\\Roaming\\Egeqkykwaiz.exe"	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 2120	2232	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2120	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe
Token: SeDebugPrivilege	2232	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe
Token: SeDebugPrivilege	2120	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe
Token: SeDebugPrivilege	2120	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2120	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2120	2232	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2120	2232	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2120	2232	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2120	2232	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2120	2232	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2120	2232	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2120	2232	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2120	2232	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2120	2232	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2120-4904-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-4907-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-4906-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-4905-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2232-37-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-2-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-5-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-33-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-51-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-53-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-57-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-7-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-23-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-61-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-67-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-65-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-63-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-59-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-55-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-49-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-47-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-29-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-41-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-39-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-0-0x00000000741AE000-0x00000000741AF000-memory.dmp

Filesize
4KB

Download
memory/2232-35-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-45-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-25-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-43-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-27-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-21-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-19-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-17-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-15-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-13-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-11-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-9-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-4884-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-4886-0x0000000000E10000-0x0000000000E5C000-memory.dmp

Filesize
304KB

Download
memory/2232-4885-0x0000000000B70000-0x0000000000BCC000-memory.dmp

Filesize
368KB

Download
memory/2232-4887-0x00000000741AE000-0x00000000741AF000-memory.dmp

Filesize
4KB

Download
memory/2232-4888-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-4889-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-4890-0x00000000011C0000-0x0000000001214000-memory.dmp

Filesize
336KB

Download
memory/2232-4903-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-4-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-3-0x0000000007070000-0x000000000728E000-memory.dmp

Filesize
2.1MB

Download
memory/2232-31-0x0000000007070000-0x0000000007289000-memory.dmp

Filesize
2.1MB

Download
memory/2232-1-0x00000000012D0000-0x0000000001B6E000-memory.dmp

Filesize
8.6MB

Download