Analysis
- max time kernel: 598s
- max time network: 598s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 07:01
Behavioral tasks
- behavioral1: Sample WizClient.exe, Resource win7-20240220-en
- behavioral2: Sample WizClient.exe, Resource win10v2004-20240426-en
General
- Target: WizClient.exe
- Size: 68KB
- MD5: e076fab0807e1c2cbe8ae691e908cb8d
- SHA1: dc6c4c935b460fa0413f4bf04c2cdf474cc3dc12
- SHA256: 0fbe615cf00da3b08bd0aac5c5c0f7c20a66d66f388436c6e361bfea0a0c6954
- SHA512: 6487a6f4f05b9ecebf336cda0a79fc55d27c73900553d2ba397242c149f8eb1c4132d2e5605452b91577ce94560c2b85a151ccd23ce3293366e5fe69da0ebda8
- SSDEEP: 1536:g6uON87iC5AkJYdPF2JTbjqFFdZ6a6OYKWT5k:gRON8+C+2YlYxbjIf6Oju5k
Malware Config
Extracted
- Family: xworm
- C2: 19.ip.gl.ply.gg:61510
- Install_directory: %ProgramData%
- install_file: svchost.exe
- telegram: https://api.telegram.org/bot7064074256:AAEPKggwUFFbQfBDcAFetu5l4vMWNokFVfg/sendMessage?chat_id=6851754348
Signatures

Detect Xworm Payload (8 IoCs)
Processes:
| resource | yara_rule |
|---|---|
| behavioral1/memory/2860-1-0x00000000008D0000-0x00000000008E8000-memory.dmp | family_xworm |
| C:\ProgramData\WizClient.exe | family_xworm |
| behavioral1/memory/812-35-0x0000000000810000-0x0000000000828000-memory.dmp | family_xworm |
| behavioral1/memory/2092-39-0x0000000000FB0000-0x0000000000FC8000-memory.dmp | family_xworm |
| behavioral1/memory/2948-43-0x0000000001060000-0x0000000001078000-memory.dmp | family_xworm |
| behavioral1/memory/560-45-0x0000000001200000-0x0000000001218000-memory.dmp | family_xworm |
| behavioral1/memory/1236-47-0x0000000000240000-0x0000000000258000-memory.dmp | family_xworm |
| behavioral1/memory/2584-50-0x0000000000DC0000-0x0000000000DD8000-memory.dmp | family_xworm |
Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
| pid | process |
|---|---|
| 2400 | powershell.exe |
| 2704 | powershell.exe |
| 2916 | powershell.exe |
Drops startup file (2 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk | WizClient.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk | WizClient.exe |
Executes dropped EXE (10 IoCs)
Processes:
| pid | process |
|---|---|
| 812 | WizClient.exe |
| 2092 | WizClient.exe |
| 604 | WizClient.exe |
| 2736 | WizClient.exe |
| 2948 | WizClient.exe |
| 560 | WizClient.exe |
| 1236 | WizClient.exe |
| 2312 | WizClient.exe |
| 2584 | WizClient.exe |
| 2404 | WizClient.exe |
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WizClient = "C:\\ProgramData\\WizClient.exe" | WizClient.exe |
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
| flow | ioc |
|---|---|
| 4 | ip-api.com |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
| pid | process |
|---|---|
| 2400 | powershell.exe |
| 2704 | powershell.exe |
| 2916 | powershell.exe |
Suspicious use of AdjustPrivilegeToken (14 IoCs)
Processes:
| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2860 | WizClient.exe |
| Token: SeDebugPrivilege | 2400 | powershell.exe |
| Token: SeDebugPrivilege | 2704 | powershell.exe |
| Token: SeDebugPrivilege | 2916 | powershell.exe |
| Token: SeDebugPrivilege | 2860 | WizClient.exe |
| Token: SeDebugPrivilege | 812 | WizClient.exe |
| Token: SeDebugPrivilege | 2092 | WizClient.exe |
| Token: SeDebugPrivilege | 604 | WizClient.exe |
| Token: SeDebugPrivilege | 2736 | WizClient.exe |
| Token: SeDebugPrivilege | 2948 | WizClient.exe |
| Token: SeDebugPrivilege | 560 | WizClient.exe |
| Token: SeDebugPrivilege | 1236 | WizClient.exe |
| Token: SeDebugPrivilege | 2584 | WizClient.exe |
| Token: SeDebugPrivilege | 2404 | WizClient.exe |
Suspicious use of WriteProcessMemory (42 IoCs)
Processes:
| description | pid | process | target process |
|---|---|---|---|
| PID 2860 wrote to memory of 2400 | 2860 | WizClient.exe | powershell.exe |
| PID 2860 wrote to memory of 2400 | 2860 | WizClient.exe | powershell.exe |
| PID 2860 wrote to memory of 2400 | 2860 | WizClient.exe | powershell.exe |
| PID 2860 wrote to memory of 2704 | 2860 | WizClient.exe | powershell.exe |
| PID 2860 wrote to memory of 2704 | 2860 | WizClient.exe | powershell.exe |
| PID 2860 wrote to memory of 2704 | 2860 | WizClient.exe | powershell.exe |
| PID 2860 wrote to memory of 2916 | 2860 | WizClient.exe | powershell.exe |
| PID 2860 wrote to memory of 2916 | 2860 | WizClient.exe | powershell.exe |
| PID 2860 wrote to memory of 2916 | 2860 | WizClient.exe | powershell.exe |
| PID 2860 wrote to memory of 2368 | 2860 | WizClient.exe | schtasks.exe |
| PID 2860 wrote to memory of 2368 | 2860 | WizClient.exe | schtasks.exe |
| PID 2860 wrote to memory of 2368 | 2860 | WizClient.exe | schtasks.exe |
| PID 356 wrote to memory of 812 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 812 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 812 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2092 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2092 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2092 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 604 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 604 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 604 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2736 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2736 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2736 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2948 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2948 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2948 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 560 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 560 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 560 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 1236 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 1236 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 1236 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2312 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2312 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2312 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2584 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2584 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2584 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2404 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2404 | 356 | taskeng.exe | WizClient.exe |
| PID 356 wrote to memory of 2404 | 356 | taskeng.exe | WizClient.exe |
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\WizClient.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WizClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\ProgramData\WizClient.exe"
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {D9A06F15-B078-4737-99E2-A8671F3DCF9C} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\WizClient.exe (depth 2)
    Command line: C:\ProgramData\WizClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\WizClient.exe (depth 2)
    Command line: C:\ProgramData\WizClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\WizClient.exe (depth 2)
    Command line: C:\ProgramData\WizClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\WizClient.exe (depth 2)
    Command line: C:\ProgramData\WizClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\WizClient.exe (depth 2)
    Command line: C:\ProgramData\WizClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\WizClient.exe (depth 2)
    Command line: C:\ProgramData\WizClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\WizClient.exe (depth 2)
    Command line: C:\ProgramData\WizClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\WizClient.exe (depth 2)
    Command line: C:\ProgramData\WizClient.exe
    - Executes dropped EXE
  - C:\ProgramData\WizClient.exe (depth 2)
    Command line: C:\ProgramData\WizClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\WizClient.exe (depth 2)
    Command line: C:\ProgramData\WizClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\ProgramData\WizClient.exe
  - Filesize: 68KB
  - MD5: e076fab0807e1c2cbe8ae691e908cb8d
  - SHA1: dc6c4c935b460fa0413f4bf04c2cdf474cc3dc12
  - SHA256: 0fbe615cf00da3b08bd0aac5c5c0f7c20a66d66f388436c6e361bfea0a0c6954
  - SHA512: 6487a6f4f05b9ecebf336cda0a79fc55d27c73900553d2ba397242c149f8eb1c4132d2e5605452b91577ce94560c2b85a151ccd23ce3293366e5fe69da0ebda8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  - Filesize: 7KB
  - MD5: 951f35b939aaa165bce889058c89468c
  - SHA1: 78496387c117d53ed339e25c0f3ced626f799a2f
  - SHA256: 84a53fd7b2aca146589355ae58a0f59808fda46862a9400227bbeb1ef2f132aa
  - SHA512: 973ccaa4ea0bdef3f4595d611f3e442d736a8e06e4e68e0ceff1ddb114aa29617bbd4ae3b8baec378228a7abea4fa35e018c73fee9659bb8151bb872c9acb7f1

Memory dumps:
| memory dump | Filesize |
|---|---|
| memory/560-45-0x0000000001200000-0x0000000001218000-memory.dmp | 96KB |
| memory/812-35-0x0000000000810000-0x0000000000828000-memory.dmp | 96KB |
| memory/1236-47-0x0000000000240000-0x0000000000258000-memory.dmp | 96KB |
| memory/2092-39-0x0000000000FB0000-0x0000000000FC8000-memory.dmp | 96KB |
| memory/2400-8-0x000000001B660000-0x000000001B942000-memory.dmp | 2.9MB |
| memory/2400-9-0x0000000001F80000-0x0000000001F88000-memory.dmp | 32KB |
| memory/2400-7-0x0000000002CA0000-0x0000000002D20000-memory.dmp | 512KB |
| memory/2584-50-0x0000000000DC0000-0x0000000000DD8000-memory.dmp | 96KB |
| memory/2704-15-0x000000001B570000-0x000000001B852000-memory.dmp | 2.9MB |
| memory/2704-16-0x0000000001D90000-0x0000000001D98000-memory.dmp | 32KB |
| memory/2860-30-0x000007FEF5353000-0x000007FEF5354000-memory.dmp | 4KB |
| memory/2860-31-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp | 9.9MB |
| memory/2860-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp | 4KB |
| memory/2860-36-0x00000000008A0000-0x00000000008AC000-memory.dmp | 48KB |
| memory/2860-2-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp | 9.9MB |
| memory/2860-1-0x00000000008D0000-0x00000000008E8000-memory.dmp | 96KB |
| memory/2948-43-0x0000000001060000-0x0000000001078000-memory.dmp | 96KB |