xworm | 7a92a055b629f17ccddca003721e049e225c6dd3af2612b747759ecfea768c4c

General

Target

1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe
Size

42KB
MD5

1bb2bacdb755855e8a2128cedc6d7250
SHA1

de349e4d0eefee92c156f56d68d4b6e58e514b79
SHA256

7a92a055b629f17ccddca003721e049e225c6dd3af2612b747759ecfea768c4c
SHA512

b081f23385fd61bc1750292ca8b9423734753ec675050a8e9ec549c7a644da0f951e36d47026299ecf410a078dc131ee5f715ad3e39f054b1a9a54a2cc054888
SSDEEP

768:wzB/kjjhA5IdqAzOetP5krjpOF5PG9yCyOwhI3EicF:wt/4S5I06OEkIFI9yTOwaFcF

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

related-bc.gl.at.ply.gg:57814

Mutex

ozjnmdl7QQRysNhZ

Attributes

Install_directory
%AppData%
install_file
Chrome.exe
telegram
https://api.telegram.org/bot7032462376:AAGAWT6TSWWn2-0FHv2b72CVFdIJ778FU8I/sendMessage?chat_id=797230345

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1736-1-0x0000000000E30000-0x0000000000E40000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\Chrome.exe	family_xworm
behavioral1/memory/1272-13-0x0000000000EE0000-0x0000000000EF0000-memory.dmp	family_xworm
behavioral1/memory/1852-15-0x00000000001C0000-0x00000000001D0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

Processes:

Chrome.exeChrome.exe

pid process

1272 Chrome.exe
1852 Chrome.exe

pid	process
1272	Chrome.exe
1852	Chrome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe"	1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2924 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe

pid process

1736 1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe

flow	ioc
4	ip-api.com

pid	process
2924	schtasks.exe

pid	process
1736	1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exeChrome.exeChrome.exe

description	pid	process
Token: SeDebugPrivilege	1736	1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe
Token: SeDebugPrivilege	1736	1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe
Token: SeDebugPrivilege	1272	Chrome.exe
Token: SeDebugPrivilege	1852	Chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe

pid process

1736 1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe

pid	process
1736	1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exetaskeng.exe

description	pid	process	target process
PID 1736 wrote to memory of 2924	1736	1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe	schtasks.exe
PID 1736 wrote to memory of 2924	1736	1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe	schtasks.exe
PID 1736 wrote to memory of 2924	1736	1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe	schtasks.exe
PID 2160 wrote to memory of 1272	2160	taskeng.exe	Chrome.exe
PID 2160 wrote to memory of 1272	2160	taskeng.exe	Chrome.exe
PID 2160 wrote to memory of 1272	2160	taskeng.exe	Chrome.exe
PID 2160 wrote to memory of 1852	2160	taskeng.exe	Chrome.exe
PID 2160 wrote to memory of 1852	2160	taskeng.exe	Chrome.exe
PID 2160 wrote to memory of 1852	2160	taskeng.exe	Chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1bb2bacdb755855e8a2128cedc6d7250_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\Admin\AppData\Roaming\Chrome.exe"
2⤵
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\taskeng.exe
taskeng.exe {531414A2-B96C-4DE0-AEDD-8FA31A318D53} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Roaming\Chrome.exe
C:\Users\Admin\AppData\Roaming\Chrome.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Users\Admin\AppData\Roaming\Chrome.exe
C:\Users\Admin\AppData\Roaming\Chrome.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Chrome.exe
Filesize
42KB

MD5
1bb2bacdb755855e8a2128cedc6d7250

SHA1
de349e4d0eefee92c156f56d68d4b6e58e514b79

SHA256
7a92a055b629f17ccddca003721e049e225c6dd3af2612b747759ecfea768c4c

SHA512
b081f23385fd61bc1750292ca8b9423734753ec675050a8e9ec549c7a644da0f951e36d47026299ecf410a078dc131ee5f715ad3e39f054b1a9a54a2cc054888

Download Submit
memory/1272-13-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

Filesize
64KB

Download
memory/1736-0-0x000007FEF5953000-0x000007FEF5954000-memory.dmp

Filesize
4KB

Download
memory/1736-1-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/1736-2-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/1736-7-0x000007FEF5953000-0x000007FEF5954000-memory.dmp

Filesize
4KB

Download
memory/1736-8-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/1852-15-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads