xworm | 1949328e21492bd5664d52b585465a6dd2814f5a9d1268e5f0ab568841be1c72

General

Target

238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe
Size

142KB
MD5

238265888ac5a6b2f33c122d0657f4f0
SHA1

07e062b8de1716b5fbb0239956da1e3825b68f3c
SHA256

1949328e21492bd5664d52b585465a6dd2814f5a9d1268e5f0ab568841be1c72
SHA512

8201ea71ae12d6dc809eace4577c9d31a14786657439f439597169ff17b532adc57cfac5015e8df23f627d428e7aa47a72cc9ebc9040976b84e0958cf62f123f
SSDEEP

3072:BFQk3NG7xA4ViBKv4ePdmLcnLY0kOnRqsZYKFeZiOSOZpo6+fOas82:cy4YWldgcZkk5RFeZiOSapoXfs

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

region-vip.gl.at.ply.gg:52733

Attributes

Install_directory
%Temp%
install_file
explorer.exe
telegram
https://api.telegram.org/bot6976323003:AAGzNfsdTYlBPbGEbbSm--c7mAZ9PZzt9Xw/sendMessage?chat_id=5476035148

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3000-15-0x0000000000E60000-0x0000000000E82000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\explorer.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Nirsoft 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RegScanner.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

RegScanner.exeexplorer.exeexplorer.exeexplorer.exe

pid process

2252 RegScanner.exe
3000 explorer.exe
2164 explorer.exe
2756 explorer.exe
Loads dropped DLL 2 IoCs

Processes:

238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe

pid process

2208 238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe
2208 238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe

pid	process
2252	RegScanner.exe
3000	explorer.exe
2164	explorer.exe
2756	explorer.exe

pid	process
2208	238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe
2208	238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2792 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegScanner.exe

pid process

2252 RegScanner.exe

pid	process
2792	schtasks.exe

pid	process
2252	RegScanner.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3000	explorer.exe
Token: SeDebugPrivilege	3000	explorer.exe
Token: SeDebugPrivilege	2164	explorer.exe
Token: SeDebugPrivilege	2756	explorer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exeexplorer.exetaskeng.exe

description	pid	process	target process
PID 2208 wrote to memory of 2252	2208	238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe	RegScanner.exe
PID 2208 wrote to memory of 2252	2208	238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe	RegScanner.exe
PID 2208 wrote to memory of 2252	2208	238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe	RegScanner.exe
PID 2208 wrote to memory of 3000	2208	238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe	explorer.exe
PID 2208 wrote to memory of 3000	2208	238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe	explorer.exe
PID 2208 wrote to memory of 3000	2208	238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe	explorer.exe
PID 3000 wrote to memory of 2792	3000	explorer.exe	schtasks.exe
PID 3000 wrote to memory of 2792	3000	explorer.exe	schtasks.exe
PID 3000 wrote to memory of 2792	3000	explorer.exe	schtasks.exe
PID 2204 wrote to memory of 2164	2204	taskeng.exe	explorer.exe
PID 2204 wrote to memory of 2164	2204	taskeng.exe	explorer.exe
PID 2204 wrote to memory of 2164	2204	taskeng.exe	explorer.exe
PID 2204 wrote to memory of 2756	2204	taskeng.exe	explorer.exe
PID 2204 wrote to memory of 2756	2204	taskeng.exe	explorer.exe
PID 2204 wrote to memory of 2756	2204	taskeng.exe	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\238265888ac5a6b2f33c122d0657f4f0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\RegScanner.exe
  "C:\Users\Admin\AppData\Local\Temp\RegScanner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2792

C:\Windows\system32\taskeng.exe
taskeng.exe {1716999B-EDE1-4D39-AD48-259B3809D4F1} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegScanner.exe

Filesize
159KB

MD5
3aab1e790e03dcd12ae192ac062907b6

SHA1
7f9b4ff6fa72d66e06cab33bf2dad14dd8bbafc4

SHA256
121e5480010adb6a81a8ecbcf91177ac2a0cc0969a65500c2db2287ddd584bc8

SHA512
938cfb2d4b15976c25a00d1b971ec0256df4aaefe7dc3900c5d8981768025d84ff60b938641b85bd6a832ef9aea44e9cf9239669aa856b463199d72eb6811b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
111KB

MD5
5b1cd0426e2c9515966e5e7d84ef4e22

SHA1
7252df1ea8faeddaf3e9a8a335764b8a28b06e58

SHA256
6a1029fa87d2b4523f8f67c7cc47047b4e2ea0038d393fae18536b0f4843ac88

SHA512
7c83ad4c1b1d52e8fd364f9f7593a4a1101324d164d51494ff1499f518513e66883f683aedacdab39b5fc05316ebe2113bcf4df1a1de99933285a33235b81de1

Download Submit
memory/2208-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x0000000000AD0000-0x0000000000AFA000-memory.dmp

Filesize
168KB

Download
memory/2208-16-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-18-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-17-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-15-0x0000000000E60000-0x0000000000E82000-memory.dmp

Filesize
136KB

Download
memory/3000-19-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-20-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads