Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-05-2024 21:34

General

  • Target

    WizWorm.exe

  • Size

    99KB

  • MD5

    a9b00ac5f9c02e540c61381a5fae62c3

  • SHA1

    273e272cc73d519c5cba2839de4e6043fd8977b0

  • SHA256

    3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38

  • SHA512

    924316a6cd0b91617d23010cc031ccbc1a99c4d72f9199fb3215d68ae6ea6cc9c3a4888777bf4c72d920d940e68b828a4ede75c299a5f7b7f804250cea4ae570

  • SSDEEP

    1536:n1vP5KmktoR0wQNB+QC+ZMh/uFPah6x2C4bFwOL/n6106/Y7FwoOLTrXatVSFayK:VxLCLN06PahfLbFZL/6PWZOL6GPPy

Malware Config

Extracted

Family

xworm

C2

auto-london.gl.at.ply.gg:51655

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    NigNigRat.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable that disables Windows Defender capabilities such as real-time monitoring and Block at First Sight.

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\WizWorm.exe
    "C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWorm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWorm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WizWorm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWorm" /tr "C:\Users\Admin\AppData\Local\WizWorm.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1452
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1062197A-4F26-493F-BBDD-F74793DC0A07} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Users\Admin\AppData\Local\WizWorm.exe
      C:\Users\Admin\AppData\Local\WizWorm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:112
    • C:\Users\Admin\AppData\Local\WizWorm.exe
      C:\Users\Admin\AppData\Local\WizWorm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WizWorm.exe

    Filesize

    99KB

    MD5

    a9b00ac5f9c02e540c61381a5fae62c3

    SHA1

    273e272cc73d519c5cba2839de4e6043fd8977b0

    SHA256

    3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38

    SHA512

    924316a6cd0b91617d23010cc031ccbc1a99c4d72f9199fb3215d68ae6ea6cc9c3a4888777bf4c72d920d940e68b828a4ede75c299a5f7b7f804250cea4ae570

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    d885225bd3f67a7a8bff684fc067d04d

    SHA1

    131edc9aa0ba07cf9773642a4b735061ade0c37c

    SHA256

    22b4690c700b5bb48cefc346b933022ae5ec86c9610c0c7c3442f91903161030

    SHA512

    42852201e4b4cf01ca1ba85d2faf7700e1462fd0818af11a3bf846e645acf278c5e37b9d707035245712a65b5d1bd74780cc6a1d39b94f2481e47f457880779f

  • memory/112-36-0x0000000000220000-0x000000000023E000-memory.dmp

    Filesize

    120KB

  • memory/1968-39-0x0000000000EA0000-0x0000000000EBE000-memory.dmp

    Filesize

    120KB

  • memory/2548-16-0x00000000028F0000-0x00000000028F8000-memory.dmp

    Filesize

    32KB

  • memory/2548-15-0x000000001B570000-0x000000001B852000-memory.dmp

    Filesize

    2.9MB

  • memory/2600-9-0x0000000001F70000-0x0000000001F78000-memory.dmp

    Filesize

    32KB

  • memory/2600-8-0x000000001B690000-0x000000001B972000-memory.dmp

    Filesize

    2.9MB

  • memory/2600-7-0x0000000002900000-0x0000000002980000-memory.dmp

    Filesize

    512KB

  • memory/3032-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

    Filesize

    4KB

  • memory/3032-2-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

    Filesize

    9.9MB

  • memory/3032-1-0x0000000001130000-0x000000000114E000-memory.dmp

    Filesize

    120KB

  • memory/3032-30-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

    Filesize

    4KB

  • memory/3032-31-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

    Filesize

    9.9MB

  • memory/3032-32-0x0000000000D10000-0x0000000000D1C000-memory.dmp

    Filesize

    48KB