xworm | a83d9be8a4466699a75dde9699fa632ee75704596f501b1da6f095717dff9541

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe
Size

8.6MB
MD5

0dcadb6b3bc2d3a109891af0e2d44c70
SHA1

a24bbf9768220afe7066b6d9567523e97a124458
SHA256

a83d9be8a4466699a75dde9699fa632ee75704596f501b1da6f095717dff9541
SHA512

2f15e998ce6a4bd7f743c85b371d427e2572ac805db9207772f8772d97aad868ae88fdc28836970e6a1cc4a9ceb20b1766497957d0ef6939e37a544427db2c82
SSDEEP

196608:yMvz1YfOi2xki3ZSzMQcI11G5ChE3WjcpPP1sw2UMj1fAOyTZbdMvDlY9meYaRXI:yMvz1YfOi2xki3ZSzMQcI11G5ChE3WjT

Score

10^/10

xworm zgrat persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

91.92.253.87:1291

Mutex

aliSaYgMg2ZAwhna

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/832-4898-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/3172-4-0x0000000007E40000-0x000000000805E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-9-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-13-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-23-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-53-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-31-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-29-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-43-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-27-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-25-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-21-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-19-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-15-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-11-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-17-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-7-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-6-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-67-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-69-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-65-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-61-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-59-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-57-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-55-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-63-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-51-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-49-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-47-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-45-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-41-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-39-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-37-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-35-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1
behavioral2/memory/3172-33-0x0000000007E40000-0x0000000008059000-memory.dmp	family_zgrat_v1

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Egeqkykwaiz = "C:\\Users\\Admin\\AppData\\Roaming\\Egeqkykwaiz.exe"	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3172 set thread context of 832	3172	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	98

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
832	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe
Token: SeDebugPrivilege	3172	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe
Token: SeDebugPrivilege	832	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe
Token: SeDebugPrivilege	832	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
832	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 832	3172	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	98
PID 3172 wrote to memory of 832	3172	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	98
PID 3172 wrote to memory of 832	3172	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	98
PID 3172 wrote to memory of 832	3172	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	98
PID 3172 wrote to memory of 832	3172	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	98
PID 3172 wrote to memory of 832	3172	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	98
PID 3172 wrote to memory of 832	3172	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	98
PID 3172 wrote to memory of 832	3172	0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe	98

C:\Users\Admin\AppData\Local\Temp\0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0dcadb6b3bc2d3a109891af0e2d44c70_NeikiAnalytics.exe.log

Filesize
805B

MD5
331a3cbc97fa6b9461c916f672f9a997

SHA1
93c71c0e2737f69f468fd7b7c4fce10113407154

SHA256
d09d80a3f08f8201292d117d706b204127cb9eb6a65bc6505bae3eef0d173aaf

SHA512
1e9a6375a6b2eb2035f9aed49e108abd0861fb3630bf1510379503b0e39bee69f6fdd1e7ed74c11220e3fd036d019976f1d11d13e344245d1d44ef6e8bf928d1

Download Submit
memory/832-4899-0x00000000060C0000-0x000000000615C000-memory.dmp

Filesize
624KB

Download
memory/832-4898-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/832-4897-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/832-4900-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/832-4902-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/832-4901-0x0000000006730000-0x000000000673A000-memory.dmp

Filesize
40KB

Download
memory/3172-6-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-61-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-4-0x0000000007E40000-0x000000000805E000-memory.dmp

Filesize
2.1MB

Download
memory/3172-5-0x0000000008610000-0x0000000008BB4000-memory.dmp

Filesize
5.6MB

Download
memory/3172-9-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-13-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-23-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-53-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-31-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-29-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-43-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-27-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-25-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-21-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-19-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-15-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-11-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-17-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-7-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-2-0x0000000006050000-0x00000000060E2000-memory.dmp

Filesize
584KB

Download
memory/3172-67-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-69-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-65-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-3-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3172-59-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-57-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-55-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-63-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-51-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-49-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-47-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-45-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-41-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-39-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-37-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-35-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-33-0x0000000007E40000-0x0000000008059000-memory.dmp

Filesize
2.1MB

Download
memory/3172-4886-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3172-4887-0x00000000063C0000-0x000000000641C000-memory.dmp

Filesize
368KB

Download
memory/3172-4888-0x0000000006420000-0x000000000646C000-memory.dmp

Filesize
304KB

Download
memory/3172-4889-0x000000007507E000-0x000000007507F000-memory.dmp

Filesize
4KB

Download
memory/3172-4890-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3172-4891-0x0000000006510000-0x0000000006564000-memory.dmp

Filesize
336KB

Download
memory/3172-1-0x0000000000E20000-0x00000000016BE000-memory.dmp

Filesize
8.6MB

Download
memory/3172-0-0x000000007507E000-0x000000007507F000-memory.dmp

Filesize
4KB

Download
memory/3172-4896-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download