Analysis

max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 21:34

Behavioral task: behavioral1
Sample: WizWorm.exe
Resource: win7-20240220-en
General

Target: WizWorm.exe
Size: 99KB
MD5: a9b00ac5f9c02e540c61381a5fae62c3
SHA1: 273e272cc73d519c5cba2839de4e6043fd8977b0
SHA256: 3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38
SHA512: 924316a6cd0b91617d23010cc031ccbc1a99c4d72f9199fb3215d68ae6ea6cc9c3a4888777bf4c72d920d940e68b828a4ede75c299a5f7b7f804250cea4ae570
SSDEEP: 1536:n1vP5KmktoR0wQNB+QC+ZMh/uFPah6x2C4bFwOL/n6106/Y7FwoOLTrXatVSFayK:VxLCLN06PahfLbFZL/6PWZOL6GPPy
Malware Config

Extracted family: xworm
C2 (host:port): auto-london.gl.at.ply.gg:51655
Install_directory: %LocalAppData%
install_file: NigNigRat.exe

Note that the configured install_file (NigNigRat.exe) does not match what the sandbox actually observed: the persisted copy was written as C:\Users\Admin\AppData\Local\WizWorm.exe (see the startup-file, Run-key and scheduled-task entries below). When hunting, check %LocalAppData% for both names.
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- yara_rule disable_win_def: behavioral1/memory/3032-32-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Detect Xworm Payload (4 IoCs)
- yara_rule family_xworm: behavioral1/memory/3032-1-0x0000000001130000-0x000000000114E000-memory.dmp
- yara_rule family_xworm: C:\Users\Admin\AppData\Local\WizWorm.exe
- yara_rule family_xworm: behavioral1/memory/112-36-0x0000000000220000-0x000000000023E000-memory.dmp
- yara_rule family_xworm: behavioral1/memory/1968-39-0x0000000000EA0000-0x0000000000EBE000-memory.dmp

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. In this run the three invocations add two -ExclusionPath entries (the %Temp% original and the %LocalAppData% copy) and one -ExclusionProcess entry (WizWorm.exe); no extension exclusion was observed.
- pid 2600 powershell.exe
- pid 2548 powershell.exe
- pid 2816 powershell.exe

Disables Task Manager via registry modification

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk (process WizWorm.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk (process WizWorm.exe)

Executes dropped EXE (2 IoCs)
- pid 112 WizWorm.exe
- pid 1968 WizWorm.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WizWorm = "C:\\Users\\Admin\\AppData\\Local\\WizWorm.exe" (process WizWorm.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 4: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution. The task created here is listed in the process tree below (schtasks.exe, pid 1452).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- pid 2600 powershell.exe
- pid 2548 powershell.exe
- pid 2816 powershell.exe
- pid 3032 WizWorm.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
- Token: SeDebugPrivilege, pid 3032 WizWorm.exe
- Token: SeDebugPrivilege, pid 2600 powershell.exe
- Token: SeDebugPrivilege, pid 2548 powershell.exe
- Token: SeDebugPrivilege, pid 2816 powershell.exe
- Token: SeDebugPrivilege, pid 3032 WizWorm.exe
- Token: SeDebugPrivilege, pid 112 WizWorm.exe
- Token: SeDebugPrivilege, pid 1968 WizWorm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- pid 3032 WizWorm.exe

Suspicious use of WriteProcessMemory (18 IoCs)
- PID 3032 (WizWorm.exe) wrote to memory of 2600 (powershell.exe), 3 events
- PID 3032 (WizWorm.exe) wrote to memory of 2548 (powershell.exe), 3 events
- PID 3032 (WizWorm.exe) wrote to memory of 2816 (powershell.exe), 3 events
- PID 3032 (WizWorm.exe) wrote to memory of 1452 (schtasks.exe), 3 events
- PID 1616 (taskeng.exe) wrote to memory of 112 (WizWorm.exe), 3 events
- PID 1616 (taskeng.exe) wrote to memory of 1968 (WizWorm.exe), 3 events

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\WizWorm.exe (PID 3032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2600, child of 3032)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWorm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2548, child of 3032)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWorm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2816, child of 3032)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WizWorm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe (PID 1452, child of 3032)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWorm" /tr "C:\Users\Admin\AppData\Local\WizWorm.exe"
    - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe (PID 1616)
  Command line: taskeng.exe {1062197A-4F26-493F-BBDD-F74793DC0A07} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\WizWorm.exe (PID 112, child of 1616)
    Command line: C:\Users\Admin\AppData\Local\WizWorm.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\WizWorm.exe (PID 1968, child of 1616)
    Command line: C:\Users\Admin\AppData\Local\WizWorm.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

The two WizWorm.exe instances under taskeng.exe (PIDs 112 and 1968) are the "WizWorm" scheduled task firing on its one-minute schedule (/sc minute /mo 1) and launching the copy dropped to %LocalAppData%. The original process in %Temp% (PID 3032) is the one that added the three Defender exclusions, created the task, set the Run value and wrote the Startup shortcut, so a host that shows any one of these artefacts should be checked for all four.
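The following Python is an added example, not part of this report or the sandbox's own signature code. It turns the behaviours recorded above (the three Add-MpPreference exclusions, the schtasks task that relaunches the dropped copy every minute with /RL HIGHEST, the Run value and the Startup .lnk) into detection logic and runs it over constructed Sysmon-style events. The command lines, paths and registry values are copied from the process tree; the event wrapper (Sysmon event IDs 1, 11 and 13 with pid/ppid fields), the rule names and the benign control event are assumptions. Hits are grouped by the process that caused them (the parent for spawned tools, the writer for registry and file events), so the single PID behind all of them stands out instead of surfacing as three unrelated PowerShell alerts.

```python
"""Detection logic for the behaviours in this XWorm report, over constructed
Sysmon-style events (added example; event wrapper and rule names assumed)."""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LOCAL = r"C:\Users\Admin\AppData\Local"
RUN_KEY = (r"HKU\S-1-5-21-2721934792-624042501-2768869379-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\WizWorm")


def ps_cmd(args):
    return f'"{PS}" -ExecutionPolicy Bypass {args}'


# Constructed events. IDs follow Sysmon: 1 = process create, 11 = file create,
# 13 = registry value set. The last event is a benign control (no exclusion).
EVENTS = [
    {"id": 1, "pid": 3032, "ppid": 1000, "image": LOCAL + r"\Temp\WizWorm.exe",
     "cmdline": f'"{LOCAL}\\Temp\\WizWorm.exe"'},
    {"id": 1, "pid": 2600, "ppid": 3032, "image": PS,
     "cmdline": ps_cmd(r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWorm.exe'")},
    {"id": 1, "pid": 2548, "ppid": 3032, "image": PS,
     "cmdline": ps_cmd(r"Add-MpPreference -ExclusionProcess 'WizWorm.exe'")},
    {"id": 1, "pid": 2816, "ppid": 3032, "image": PS,
     "cmdline": ps_cmd(r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WizWorm.exe'")},
    {"id": 1, "pid": 1452, "ppid": 3032, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWorm" /tr "C:\Users\Admin\AppData\Local\WizWorm.exe"'},
    {"id": 13, "pid": 3032, "target": RUN_KEY, "details": LOCAL + r"\WizWorm.exe"},
    {"id": 11, "pid": 3032,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk"},
    {"id": 1, "pid": 4001, "ppid": 3999, "image": PS, "cmdline": f'"{PS}" Get-MpPreference'},
]

TOKEN_RE = re.compile(r'''"([^"]*)"|'([^']*)'|(\S+)''')


def tokenize(cmdline):
    """Split on whitespace, honouring "..." and '...' runs. Enough for the
    command lines in this report; not a full Windows argv parser."""
    return [a or b or c for a, b, c in TOKEN_RE.findall(cmdline)]


def finding(technique, rule, ev, actor, detail):
    return {"technique": technique, "rule": rule, "pid": ev["pid"], "actor": actor, "detail": detail}


def detect_defender_exclusion(ev):
    """T1562.001: powershell.exe adding Defender exclusions via Add-MpPreference."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("powershell.exe"):
        return None
    toks = tokenize(ev["cmdline"])
    if not any(t.lower() == "add-mppreference" for t in toks):
        return None
    exclusions = {}
    for i, t in enumerate(toks[:-1]):
        if t.lower().startswith("-exclusion"):  # -ExclusionPath / -ExclusionProcess / -ExclusionExtension
            exclusions.setdefault(t[10:].lower(), []).extend(toks[i + 1].split(","))
    return finding("T1562.001", "defender_exclusion_added", ev, ev["ppid"], exclusions) if exclusions else None


def parse_schtasks(toks):
    """Map /opt value pairs; bare switches such as /create and /f map to True."""
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key], i = toks[i + 1], i + 2
                continue
            opts[key] = True
        i += 1
    return opts


def detect_scheduled_task(ev):
    """T1053.005: schtasks /create, annotated with the traits that make this one suspicious."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("schtasks.exe"):
        return None
    opts = parse_schtasks(tokenize(ev["cmdline"]))
    if "create" not in opts:
        return None
    mo, flags = str(opts.get("mo", "1")), []
    if str(opts.get("sc", "")).lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        flags.append("high-frequency")  # relaunch every few minutes: self-healing persistence
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        flags.append("highest-runlevel")
    if re.search(r"\\Users\\[^\\]+\\AppData\\", str(opts.get("tr", "")), re.I):
        flags.append("user-writable-target")  # task runs a binary the user can replace
    detail = {"name": opts.get("tn"), "run": opts.get("tr"), "schedule": opts.get("sc"),
              "modifier": opts.get("mo"), "flags": flags}
    return finding("T1053.005", "scheduled_task_created", ev, ev["ppid"], detail)


def detect_autostart(ev):
    """T1547.001: Run key value set (Sysmon 13) or Startup-folder drop (Sysmon 11)."""
    target = ev.get("target", "")
    if ev["id"] == 13 and re.search(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", target, re.I):
        return finding("T1547.001", "run_key_set", ev, ev["pid"],
                       {"value": target.rsplit("\\", 1)[-1], "data": ev.get("details")})
    if ev["id"] == 11 and "\\start menu\\programs\\startup\\" in target.lower():
        return finding("T1547.001", "startup_folder_drop", ev, ev["pid"], {"file": target})
    return None


RULES = (detect_defender_exclusion, detect_scheduled_task, detect_autostart)


def analyze(events):
    """Run every rule over every event, then group hits by the responsible
    process so one actor touching several techniques stands out."""
    findings = [f for ev in events for rule in RULES if (f := rule(ev))]
    by_actor = {}
    for f in findings:
        by_actor.setdefault(f["actor"], set()).add(f["technique"])
    chains = {pid: sorted(t) for pid, t in by_actor.items() if len(t) >= 2}
    return findings, chains


if __name__ == "__main__":
    hits, chains = analyze(EVENTS)
    for h in hits:
        print(h["technique"], h["rule"], "actor", h["actor"], h["detail"])
    print("multi-technique actors:", chains)
```

Against the constructed events this yields six hits, all attributed to PID 3032, and one multi-technique chain (T1053.005, T1547.001, T1562.001) for that PID; the benign Get-MpPreference invocation produces nothing. The exclusion rule keys on the cmdlet name rather than on powershell.exe alone, so routine administrative PowerShell does not fire it, and the scheduled-task rule reports the /sc, /mo, /RL and /tr traits separately so a triage analyst can see why the task is suspicious rather than only that one was created.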
Downloads

(no path listed; hashes identical to the submitted sample)
Filesize: 99KB
MD5: a9b00ac5f9c02e540c61381a5fae62c3
SHA1: 273e272cc73d519c5cba2839de4e6043fd8977b0
SHA256: 3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38
SHA512: 924316a6cd0b91617d23010cc031ccbc1a99c4d72f9199fb3215d68ae6ea6cc9c3a4888777bf4c72d920d940e68b828a4ede75c299a5f7b7f804250cea4ae570

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: d885225bd3f67a7a8bff684fc067d04d
SHA1: 131edc9aa0ba07cf9773642a4b735061ade0c37c
SHA256: 22b4690c700b5bb48cefc346b933022ae5ec86c9610c0c7c3442f91903161030
SHA512: 42852201e4b4cf01ca1ba85d2faf7700e1462fd0818af11a3bf846e645acf278c5e37b9d707035245712a65b5d1bd74780cc6a1d39b94f2481e47f457880779f