xworm | 17c1f9a31518a1aebdd3ec97dd872d936f763f41f69c7dd3b3724d7733f21586

Analysis

max time kernel
59s
max time network
60s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
15-06-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Yarzakiybgz.exe
Size

4.6MB
MD5

56891578417c0cd6d58e36890b3fee70
SHA1

03542983d5be13ae8e4225e1146da271e542ef0f
SHA256

17c1f9a31518a1aebdd3ec97dd872d936f763f41f69c7dd3b3724d7733f21586
SHA512

1eb504aea2a97d7e396a44576dff9838ff09e806e95b7020ab42672cc7402d5bc089d0d998389c328e1b9d144e09cd90f55a9298366628c16f6704f969e351ae
SSDEEP

24576:XMIAGhLNtPVg+oerzaKogtxArqsOoF6jT6ZrE3+TtxpzVOx9LMtKOj+qrUwo36q+:XMP

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1488-4897-0x0000000006CD0000-0x0000000006D04000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1656 powershell.exe
2572 powershell.exe

pid	process
1656	powershell.exe
2572	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Yarzakiybgz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\Docker \\.exe"	Yarzakiybgz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

8 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Yarzakiybgz.exepowershell.exepowershell.exe

pid process

1488 Yarzakiybgz.exe
2572 powershell.exe
2572 powershell.exe
1656 powershell.exe
1656 powershell.exe

flow	ioc
8	pastebin.com

flow	ioc
2	ip-api.com

pid	process
1488	Yarzakiybgz.exe
2572	powershell.exe
2572	powershell.exe
1656	powershell.exe
1656	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Yarzakiybgz.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1488	Yarzakiybgz.exe
Token: SeDebugPrivilege	1488	Yarzakiybgz.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Yarzakiybgz.exe

description	pid	process	target process
PID 1488 wrote to memory of 2572	1488	Yarzakiybgz.exe	powershell.exe
PID 1488 wrote to memory of 2572	1488	Yarzakiybgz.exe	powershell.exe
PID 1488 wrote to memory of 2572	1488	Yarzakiybgz.exe	powershell.exe
PID 1488 wrote to memory of 1656	1488	Yarzakiybgz.exe	powershell.exe
PID 1488 wrote to memory of 1656	1488	Yarzakiybgz.exe	powershell.exe
PID 1488 wrote to memory of 1656	1488	Yarzakiybgz.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Yarzakiybgz.exe
"C:\Users\Admin\AppData\Local\Temp\Yarzakiybgz.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Yarzakiybgz.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Yarzakiybgz.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
8b113126b9112a7d707acbc8856bab55

SHA1
8a73218222bc62b3073a6f473f2f7e18b7b7cab2

SHA256
aeaa55bed69870c4676f8a7f2cb6df66ec52dfa9186c52cafecf7e50feadb846

SHA512
0713868c241e9bc199ae19b49d5a379cb347d725ec80c8f116706d7eb41e7a57b15922792d8a7a28ae2c83a5b1322fdafe166e47b331d4e05544031bad6c7148

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d4x5fypq.dy0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1488-20-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-36-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-2-0x0000000006750000-0x0000000006982000-memory.dmp

Filesize
2.2MB

Download
memory/1488-3-0x0000000006F30000-0x00000000074D6000-memory.dmp

Filesize
5.6MB

Download
memory/1488-4-0x0000000006A20000-0x0000000006AB2000-memory.dmp

Filesize
584KB

Download
memory/1488-22-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-24-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-50-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-48-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-68-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-66-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-64-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-62-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-58-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-56-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-54-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-52-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-46-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-60-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-44-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-42-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-40-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-38-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-18-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-32-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-30-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-28-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-26-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-16-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-14-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-12-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-10-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-8-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-6-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-35-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/1488-5-0x0000000006750000-0x000000000697D000-memory.dmp

Filesize
2.2MB

Download
memory/1488-1-0x0000000000610000-0x0000000000AA4000-memory.dmp

Filesize
4.6MB

Download
memory/1488-4891-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/1488-4892-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/1488-4893-0x0000000005510000-0x000000000557E000-memory.dmp

Filesize
440KB

Download
memory/1488-4894-0x0000000005580000-0x00000000055CC000-memory.dmp

Filesize
304KB

Download
memory/1488-4895-0x0000000006C80000-0x0000000006CD4000-memory.dmp

Filesize
336KB

Download
memory/1488-4897-0x0000000006CD0000-0x0000000006D04000-memory.dmp

Filesize
208KB

Download
memory/1488-4898-0x0000000006DD0000-0x0000000006E6C000-memory.dmp

Filesize
624KB

Download
memory/1488-4899-0x00000000075E0000-0x0000000007646000-memory.dmp

Filesize
408KB

Download
memory/1488-4900-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/1488-4929-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/1656-4957-0x000000006FDA0000-0x000000006FDEC000-memory.dmp

Filesize
304KB

Download
memory/1656-4947-0x00000000060C0000-0x0000000006417000-memory.dmp

Filesize
3.3MB

Download
memory/2572-4930-0x0000000006E30000-0x0000000006E4E000-memory.dmp

Filesize
120KB

Download
memory/2572-4905-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/2572-4932-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/2572-4933-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/2572-4906-0x00000000055F0000-0x0000000005612000-memory.dmp

Filesize
136KB

Download
memory/2572-4907-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/2572-4916-0x0000000005770000-0x0000000005AC7000-memory.dmp

Filesize
3.3MB

Download
memory/2572-4917-0x0000000005C30000-0x0000000005C4E000-memory.dmp

Filesize
120KB

Download
memory/2572-4918-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/2572-4919-0x0000000006BF0000-0x0000000006C24000-memory.dmp

Filesize
208KB

Download
memory/2572-4920-0x000000006FDA0000-0x000000006FDEC000-memory.dmp

Filesize
304KB

Download
memory/2572-4901-0x0000000002490000-0x00000000024C6000-memory.dmp

Filesize
216KB

Download
memory/2572-4945-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/2572-4903-0x0000000004ED0000-0x00000000054FA000-memory.dmp

Filesize
6.2MB

Download
memory/2572-4902-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/2572-4935-0x0000000006F80000-0x0000000006F9A000-memory.dmp

Filesize
104KB

Download
memory/2572-4934-0x00000000075D0000-0x0000000007C4A000-memory.dmp

Filesize
6.5MB

Download
memory/2572-4936-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

Filesize
40KB

Download
memory/2572-4937-0x0000000007220000-0x00000000072B6000-memory.dmp

Filesize
600KB

Download
memory/2572-4938-0x0000000007190000-0x00000000071A1000-memory.dmp

Filesize
68KB

Download
memory/2572-4939-0x00000000071C0000-0x00000000071CE000-memory.dmp

Filesize
56KB

Download
memory/2572-4940-0x00000000071D0000-0x00000000071E5000-memory.dmp

Filesize
84KB

Download
memory/2572-4904-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/2572-4941-0x00000000072E0000-0x00000000072FA000-memory.dmp

Filesize
104KB

Download
memory/2572-4942-0x00000000072C0000-0x00000000072C8000-memory.dmp

Filesize
32KB

Download
memory/2572-4931-0x0000000006E50000-0x0000000006EF4000-memory.dmp

Filesize
656KB

Download