xworm | 4a5bbd5ba1ed7614f8b9ded791b172ab6ff2f3daa7da24c75922f9eaf18967d0

Analysis

max time kernel
58s
max time network
58s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
15-06-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nrfvvuactxo.exe
Size

4.4MB
MD5

8ef489877621249875254de78a073dd9
SHA1

a386209782e888667a9639f9cc951b163b45c4b3
SHA256

4a5bbd5ba1ed7614f8b9ded791b172ab6ff2f3daa7da24c75922f9eaf18967d0
SHA512

c2f7b7bceadef6a634cd71aeed3578308c1ba85289f323db2f3a1663f22c7153dc04de8adbf145fa19136b8db9b8ad0ff378ae046c7ba26a9dd3284d93f10ed1
SSDEEP

24576:eJnIX7BfBOnUzHaYUHPZoCABNI6vIZheMUEKRfNBsm3PAqYCZY4gZauyTo0q3gHd:eI

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

Mc35OpRlVfHYgK3s

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/EiiXCJbn

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2316-4901-0x0000000000950000-0x0000000000962000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3684 powershell.exe
3016 powershell.exe

pid	process
3684	powershell.exe
3016	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Nrfvvuactxo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ilvrcqkyi = "C:\\Users\\Admin\\AppData\\Roaming\\Ilvrcqkyi.exe"	Nrfvvuactxo.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 pastebin.com
4 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Nrfvvuactxo.exe

description pid process target process

PID 332 set thread context of 2316 332 Nrfvvuactxo.exe Nrfvvuactxo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Nrfvvuactxo.exepowershell.exepowershell.exeNrfvvuactxo.exe

pid process

332 Nrfvvuactxo.exe
3684 powershell.exe
3684 powershell.exe
3016 powershell.exe
3016 powershell.exe
2316 Nrfvvuactxo.exe

flow	ioc
3	pastebin.com
4	pastebin.com

flow	ioc
1	ip-api.com

description	pid	process	target process
PID 332 set thread context of 2316	332	Nrfvvuactxo.exe	Nrfvvuactxo.exe

pid	process
332	Nrfvvuactxo.exe
3684	powershell.exe
3684	powershell.exe
3016	powershell.exe
3016	powershell.exe
2316	Nrfvvuactxo.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Nrfvvuactxo.exeNrfvvuactxo.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	332	Nrfvvuactxo.exe
Token: SeDebugPrivilege	332	Nrfvvuactxo.exe
Token: SeDebugPrivilege	2316	Nrfvvuactxo.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2316	Nrfvvuactxo.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Nrfvvuactxo.exe

pid process

2316 Nrfvvuactxo.exe

pid	process
2316	Nrfvvuactxo.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Nrfvvuactxo.exeNrfvvuactxo.exe

description	pid	process	target process
PID 332 wrote to memory of 2316	332	Nrfvvuactxo.exe	Nrfvvuactxo.exe
PID 332 wrote to memory of 2316	332	Nrfvvuactxo.exe	Nrfvvuactxo.exe
PID 332 wrote to memory of 2316	332	Nrfvvuactxo.exe	Nrfvvuactxo.exe
PID 332 wrote to memory of 2316	332	Nrfvvuactxo.exe	Nrfvvuactxo.exe
PID 332 wrote to memory of 2316	332	Nrfvvuactxo.exe	Nrfvvuactxo.exe
PID 332 wrote to memory of 2316	332	Nrfvvuactxo.exe	Nrfvvuactxo.exe
PID 332 wrote to memory of 2316	332	Nrfvvuactxo.exe	Nrfvvuactxo.exe
PID 332 wrote to memory of 2316	332	Nrfvvuactxo.exe	Nrfvvuactxo.exe
PID 2316 wrote to memory of 3684	2316	Nrfvvuactxo.exe	powershell.exe
PID 2316 wrote to memory of 3684	2316	Nrfvvuactxo.exe	powershell.exe
PID 2316 wrote to memory of 3684	2316	Nrfvvuactxo.exe	powershell.exe
PID 2316 wrote to memory of 3016	2316	Nrfvvuactxo.exe	powershell.exe
PID 2316 wrote to memory of 3016	2316	Nrfvvuactxo.exe	powershell.exe
PID 2316 wrote to memory of 3016	2316	Nrfvvuactxo.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Nrfvvuactxo.exe
"C:\Users\Admin\AppData\Local\Temp\Nrfvvuactxo.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\Nrfvvuactxo.exe
"C:\Users\Admin\AppData\Local\Temp\Nrfvvuactxo.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nrfvvuactxo.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nrfvvuactxo.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nrfvvuactxo.exe.log
Filesize
897B

MD5
ae5902f6f08a0ccf65d2b2cf5de35baf

SHA1
fed0917857eab4faba95d0e6bc035527a73775fe

SHA256
4ca1e95c28fcf10cfb00e6dd1a952d85e4968614b2f455ee915eca088f09f09b

SHA512
9aef0ff0f00fefad8897ee8de23999aad33bfb243afb5884286aaf7e32a86386585e4fc35b426397f940b0df4426b49d463ab7dbc64f1e06c9ce319cb6385ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
6a2324bdd963058141dbe12b4ada4a4b

SHA1
502d935f9bea1a5f2b1c83f84ce8c5bf1adeda31

SHA256
28f53bd9299dadd390aaa27c2092265fb8b7842c8c651349d5e12009cdcc2b45

SHA512
3362a76c196935800af69656bac64fabab975e702a7b440f173d9362df8ec39ccefe234f0435d85d2edcf7afdeacf32d9805505a444780d31b27ef67cb56675e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ihcu3ec.tna.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/332-44-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-18-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-2-0x0000000006F80000-0x00000000071A0000-memory.dmp

Filesize
2.1MB

Download
memory/332-3-0x0000000007750000-0x0000000007CF6000-memory.dmp

Filesize
5.6MB

Download
memory/332-4-0x0000000007240000-0x00000000072D2000-memory.dmp

Filesize
584KB

Download
memory/332-10-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-5-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-14-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-24-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-26-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-64-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-42-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-40-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-38-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-36-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-34-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-32-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-30-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-28-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-22-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-20-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-4892-0x0000000005EB0000-0x0000000005F0C000-memory.dmp

Filesize
368KB

Download
memory/332-16-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-12-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-8-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-4893-0x0000000005F10000-0x0000000005F5C000-memory.dmp

Filesize
304KB

Download
memory/332-66-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-62-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-60-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-58-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-56-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-54-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-52-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-50-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-48-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-46-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-0-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/332-68-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-1-0x0000000000E60000-0x00000000012D0000-memory.dmp

Filesize
4.4MB

Download
memory/332-4891-0x0000000074600000-0x0000000074DB1000-memory.dmp

Filesize
7.7MB

Download
memory/332-6-0x0000000006F80000-0x000000000719B000-memory.dmp

Filesize
2.1MB

Download
memory/332-4894-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/332-4895-0x00000000065D0000-0x0000000006624000-memory.dmp

Filesize
336KB

Download
memory/332-4899-0x0000000074600000-0x0000000074DB1000-memory.dmp

Filesize
7.7MB

Download
memory/2316-4969-0x0000000074600000-0x0000000074DB1000-memory.dmp

Filesize
7.7MB

Download
memory/2316-4900-0x0000000074600000-0x0000000074DB1000-memory.dmp

Filesize
7.7MB

Download
memory/2316-4902-0x0000000004EC0000-0x0000000004F5C000-memory.dmp

Filesize
624KB

Download
memory/2316-4903-0x0000000074600000-0x0000000074DB1000-memory.dmp

Filesize
7.7MB

Download
memory/2316-4968-0x0000000006A40000-0x0000000006A4C000-memory.dmp

Filesize
48KB

Download
memory/2316-4967-0x0000000074600000-0x0000000074DB1000-memory.dmp

Filesize
7.7MB

Download
memory/2316-4966-0x0000000006830000-0x000000000683A000-memory.dmp

Filesize
40KB

Download
memory/2316-4901-0x0000000000950000-0x0000000000962000-memory.dmp

Filesize
72KB

Download
memory/3016-4954-0x0000000005840000-0x0000000005B97000-memory.dmp

Filesize
3.3MB

Download
memory/3016-4956-0x000000006F6D0000-0x000000006F71C000-memory.dmp

Filesize
304KB

Download
memory/3684-4908-0x00000000059C0000-0x00000000059E2000-memory.dmp

Filesize
136KB

Download
memory/3684-4914-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/3684-4919-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/3684-4920-0x00000000066A0000-0x00000000066EC000-memory.dmp

Filesize
304KB

Download
memory/3684-4921-0x0000000007610000-0x0000000007644000-memory.dmp

Filesize
208KB

Download
memory/3684-4922-0x000000006F6D0000-0x000000006F71C000-memory.dmp

Filesize
304KB

Download
memory/3684-4931-0x0000000007850000-0x000000000786E000-memory.dmp

Filesize
120KB

Download
memory/3684-4932-0x0000000007880000-0x0000000007924000-memory.dmp

Filesize
656KB

Download
memory/3684-4933-0x0000000008000000-0x000000000867A000-memory.dmp

Filesize
6.5MB

Download
memory/3684-4934-0x00000000079C0000-0x00000000079DA000-memory.dmp

Filesize
104KB

Download
memory/3684-4935-0x0000000007A30000-0x0000000007A3A000-memory.dmp

Filesize
40KB

Download
memory/3684-4918-0x00000000061B0000-0x0000000006507000-memory.dmp

Filesize
3.3MB

Download
memory/3684-4937-0x0000000007BD0000-0x0000000007BE1000-memory.dmp

Filesize
68KB

Download
memory/3684-4938-0x0000000007C00000-0x0000000007C0E000-memory.dmp

Filesize
56KB

Download
memory/3684-4939-0x0000000007C10000-0x0000000007C25000-memory.dmp

Filesize
84KB

Download
memory/3684-4907-0x0000000074600000-0x0000000074DB1000-memory.dmp

Filesize
7.7MB

Download
memory/3684-4906-0x0000000005A30000-0x000000000605A000-memory.dmp

Filesize
6.2MB

Download
memory/3684-4905-0x0000000074600000-0x0000000074DB1000-memory.dmp

Filesize
7.7MB

Download
memory/3684-4904-0x0000000002E60000-0x0000000002E96000-memory.dmp

Filesize
216KB

Download
memory/3684-4936-0x0000000007C60000-0x0000000007CF6000-memory.dmp

Filesize
600KB

Download
memory/3684-4940-0x0000000007D20000-0x0000000007D3A000-memory.dmp

Filesize
104KB

Download
memory/3684-4941-0x0000000007D00000-0x0000000007D08000-memory.dmp

Filesize
32KB

Download
memory/3684-4944-0x0000000074600000-0x0000000074DB1000-memory.dmp

Filesize
7.7MB

Download