xworm | 0fbe615cf00da3b08bd0aac5c5c0f7c20a66d66f388436c6e361bfea0a0c6954

General

Target

WizClient.exe
Size

68KB
MD5

e076fab0807e1c2cbe8ae691e908cb8d
SHA1

dc6c4c935b460fa0413f4bf04c2cdf474cc3dc12
SHA256

0fbe615cf00da3b08bd0aac5c5c0f7c20a66d66f388436c6e361bfea0a0c6954
SHA512

6487a6f4f05b9ecebf336cda0a79fc55d27c73900553d2ba397242c149f8eb1c4132d2e5605452b91577ce94560c2b85a151ccd23ce3293366e5fe69da0ebda8
SSDEEP

1536:g6uON87iC5AkJYdPF2JTbjqFFdZ6a6OYKWT5k:gRON8+C+2YlYxbjIf6Oju5k

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:61510

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7064074256:AAEPKggwUFFbQfBDcAFetu5l4vMWNokFVfg/sendMessage?chat_id=6851754348

Signatures

Detect Xworm Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2860-1-0x00000000008D0000-0x00000000008E8000-memory.dmp	family_xworm
C:\ProgramData\WizClient.exe	family_xworm
behavioral1/memory/812-35-0x0000000000810000-0x0000000000828000-memory.dmp	family_xworm
behavioral1/memory/2092-39-0x0000000000FB0000-0x0000000000FC8000-memory.dmp	family_xworm
behavioral1/memory/2948-43-0x0000000001060000-0x0000000001078000-memory.dmp	family_xworm
behavioral1/memory/560-45-0x0000000001200000-0x0000000001218000-memory.dmp	family_xworm
behavioral1/memory/1236-47-0x0000000000240000-0x0000000000258000-memory.dmp	family_xworm
behavioral1/memory/2584-50-0x0000000000DC0000-0x0000000000DD8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2400 powershell.exe
2704 powershell.exe
2916 powershell.exe

pid	process
2400	powershell.exe
2704	powershell.exe
2916	powershell.exe

Drops startup file 2 IoCs

Processes:

WizClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk	WizClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk	WizClient.exe

Executes dropped EXE 10 IoCs

Processes:

WizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exe

pid	process
812	WizClient.exe
2092	WizClient.exe
604	WizClient.exe
2736	WizClient.exe
2948	WizClient.exe
560	WizClient.exe
1236	WizClient.exe
2312	WizClient.exe
2584	WizClient.exe
2404	WizClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WizClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WizClient = "C:\\ProgramData\\WizClient.exe"	WizClient.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2368 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2400 powershell.exe
2704 powershell.exe
2916 powershell.exe

flow	ioc
4	ip-api.com

pid	process
2368	schtasks.exe

pid	process
2400	powershell.exe
2704	powershell.exe
2916	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

WizClient.exepowershell.exepowershell.exepowershell.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exe

description	pid	process
Token: SeDebugPrivilege	2860	WizClient.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2860	WizClient.exe
Token: SeDebugPrivilege	812	WizClient.exe
Token: SeDebugPrivilege	2092	WizClient.exe
Token: SeDebugPrivilege	604	WizClient.exe
Token: SeDebugPrivilege	2736	WizClient.exe
Token: SeDebugPrivilege	2948	WizClient.exe
Token: SeDebugPrivilege	560	WizClient.exe
Token: SeDebugPrivilege	1236	WizClient.exe
Token: SeDebugPrivilege	2584	WizClient.exe
Token: SeDebugPrivilege	2404	WizClient.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

WizClient.exetaskeng.exe

description	pid	process	target process
PID 2860 wrote to memory of 2400	2860	WizClient.exe	powershell.exe
PID 2860 wrote to memory of 2400	2860	WizClient.exe	powershell.exe
PID 2860 wrote to memory of 2400	2860	WizClient.exe	powershell.exe
PID 2860 wrote to memory of 2704	2860	WizClient.exe	powershell.exe
PID 2860 wrote to memory of 2704	2860	WizClient.exe	powershell.exe
PID 2860 wrote to memory of 2704	2860	WizClient.exe	powershell.exe
PID 2860 wrote to memory of 2916	2860	WizClient.exe	powershell.exe
PID 2860 wrote to memory of 2916	2860	WizClient.exe	powershell.exe
PID 2860 wrote to memory of 2916	2860	WizClient.exe	powershell.exe
PID 2860 wrote to memory of 2368	2860	WizClient.exe	schtasks.exe
PID 2860 wrote to memory of 2368	2860	WizClient.exe	schtasks.exe
PID 2860 wrote to memory of 2368	2860	WizClient.exe	schtasks.exe
PID 356 wrote to memory of 812	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 812	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 812	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2092	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2092	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2092	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 604	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 604	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 604	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2736	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2736	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2736	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2948	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2948	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2948	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 560	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 560	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 560	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 1236	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 1236	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 1236	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2312	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2312	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2312	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2584	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2584	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2584	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2404	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2404	356	taskeng.exe	WizClient.exe
PID 356 wrote to memory of 2404	356	taskeng.exe	WizClient.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WizClient.exe
"C:\Users\Admin\AppData\Local\Temp\WizClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\ProgramData\WizClient.exe"
2⤵
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\taskeng.exe
taskeng.exe {D9A06F15-B078-4737-99E2-A8671F3DCF9C} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:356

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
2⤵
- Executes dropped EXE
PID:2312

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WizClient.exe
Filesize
68KB

MD5
e076fab0807e1c2cbe8ae691e908cb8d

SHA1
dc6c4c935b460fa0413f4bf04c2cdf474cc3dc12

SHA256
0fbe615cf00da3b08bd0aac5c5c0f7c20a66d66f388436c6e361bfea0a0c6954

SHA512
6487a6f4f05b9ecebf336cda0a79fc55d27c73900553d2ba397242c149f8eb1c4132d2e5605452b91577ce94560c2b85a151ccd23ce3293366e5fe69da0ebda8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
951f35b939aaa165bce889058c89468c

SHA1
78496387c117d53ed339e25c0f3ced626f799a2f

SHA256
84a53fd7b2aca146589355ae58a0f59808fda46862a9400227bbeb1ef2f132aa

SHA512
973ccaa4ea0bdef3f4595d611f3e442d736a8e06e4e68e0ceff1ddb114aa29617bbd4ae3b8baec378228a7abea4fa35e018c73fee9659bb8151bb872c9acb7f1

Download Submit
memory/560-45-0x0000000001200000-0x0000000001218000-memory.dmp

Filesize
96KB

Download
memory/812-35-0x0000000000810000-0x0000000000828000-memory.dmp

Filesize
96KB

Download
memory/1236-47-0x0000000000240000-0x0000000000258000-memory.dmp

Filesize
96KB

Download
memory/2092-39-0x0000000000FB0000-0x0000000000FC8000-memory.dmp

Filesize
96KB

Download
memory/2400-8-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2400-9-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2400-7-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2584-50-0x0000000000DC0000-0x0000000000DD8000-memory.dmp

Filesize
96KB

Download
memory/2704-15-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2704-16-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2860-30-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/2860-31-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2860-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/2860-36-0x00000000008A0000-0x00000000008AC000-memory.dmp

Filesize
48KB

Download
memory/2860-2-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2860-1-0x00000000008D0000-0x00000000008E8000-memory.dmp

Filesize
96KB

Download
memory/2948-43-0x0000000001060000-0x0000000001078000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads