vjw0rm | 30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2

General

Target

30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe
Size

808KB
MD5

97f0e987446dc19d888bff693ae44eb0
SHA1

5f8f941d3197cb6c0b314e966d677ad3e340594c
SHA256

30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2
SHA512

a5ee9ee3779ea9e579f7f41d0a98d433f2b0f12ee64f6f234612a53b1b29772b7384ecbcdef262dff68ca113a8eea8135e19321fa4efc1fca329acf0e1801e44
SSDEEP

12288:iRhNJJWyiyLqgqXGb0krJIDnv44WpPCaq8hFVZwyWgG0DOFdgf0FBPdAA:wWuLqCOT44WphTZjGPFdBA

Score

10^/10

vjw0rm xworm execution rat trojan worm

Malware Config

Extracted

Family

xworm

C2

192.168.1.8:7000

Attributes

Install_directory
%AppData%
install_file
XClienamrt.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016cdc-16.dat	family_xworm
behavioral1/memory/2736-19-0x0000000000CE0000-0x0000000000D26000-memory.dmp	family_xworm

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2400	powershell.exe
1860	powershell.exe
1804	powershell.exe
1040	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClienamrt.lnk	XClientamor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClienamrt.lnk	XClientamor.exe

Executes dropped EXE 2 IoCs

pid	Process
2036	Outputbinded.exe
2736	XClientamor.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2400	powershell.exe
1860	powershell.exe
1804	powershell.exe
1040	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	XClientamor.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	2736	XClientamor.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2036	2232	30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2036	2232	30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2036	2232	30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2980	2232	30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe	29
PID 2232 wrote to memory of 2980	2232	30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe	29
PID 2232 wrote to memory of 2980	2232	30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 2736	2036	Outputbinded.exe	31
PID 2036 wrote to memory of 2736	2036	Outputbinded.exe	31
PID 2036 wrote to memory of 2736	2036	Outputbinded.exe	31
PID 2736 wrote to memory of 2400	2736	XClientamor.exe	33
PID 2736 wrote to memory of 2400	2736	XClientamor.exe	33
PID 2736 wrote to memory of 2400	2736	XClientamor.exe	33
PID 2736 wrote to memory of 1860	2736	XClientamor.exe	36
PID 2736 wrote to memory of 1860	2736	XClientamor.exe	36
PID 2736 wrote to memory of 1860	2736	XClientamor.exe	36
PID 2736 wrote to memory of 1804	2736	XClientamor.exe	38
PID 2736 wrote to memory of 1804	2736	XClientamor.exe	38
PID 2736 wrote to memory of 1804	2736	XClientamor.exe	38
PID 2736 wrote to memory of 1040	2736	XClientamor.exe	40
PID 2736 wrote to memory of 1040	2736	XClientamor.exe	40
PID 2736 wrote to memory of 1040	2736	XClientamor.exe	40

C:\Users\Admin\AppData\Local\Temp\30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Roaming\Outputbinded.exe
  "C:\Users\Admin\AppData\Roaming\Outputbinded.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Roaming\XClientamor.exe
    "C:\Users\Admin\AppData\Roaming\XClientamor.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClientamor.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClientamor.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClienamrt.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClienamrt.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1040
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\amor.js"
  2⤵
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cce52118091507433fb36b9819bbab3e

SHA1
1f1fcda786fd52c2443136e38e384fa2ff2ff8cf

SHA256
43fb18aaeb62b6991cf8891fbc84164838eb573e5d5e951e9206da60802f9120

SHA512
36dc36fb3bc71a6e8fae2e0b052034598bd5c53642212dde3a58a9e7b4bbabc3b0cb908fc3e9013524e139643f2d0dc7ccd0ffcf6a4be980a0a7ef96632f0816

Download Submit
C:\Users\Admin\AppData\Roaming\Outputbinded.exe

Filesize
686KB

MD5
5d692aa620cbca52d380150edcf51377

SHA1
bfaaf5ea9910324e3d9f3d95c5a8ca4d94924d86

SHA256
65302dc08b26b59a91943d82c7c5b79a017164bd7623576cbefcb9851098bf3c

SHA512
0c3e90f6e169a9876f4095774d6fec1b76bc0e23c00b254610ed58f4238bcd0547c7f8974d171587783659752c415267cb4d2499f1a6ac18ed7760f78103bc67

Download Submit
C:\Users\Admin\AppData\Roaming\XClientamor.exe

Filesize
260KB

MD5
9b839a50e55b18129f81629c61f912f7

SHA1
71e1feea8c12bd8b2501bf065d56fef8eae0517c

SHA256
92a21332ad995d61804e80d50abd6571a6faf3932ad574ff23939e84362485ae

SHA512
abcb038106c8c771c39a66f1f79885619a0a031a567d2a84acfb848545c8cd12dc1e64baa14f1151229de2abaf68fc023f6455cb47d6b29ec90832d0f2de9971

Download Submit
C:\Users\Admin\AppData\Roaming\amor.js

Filesize
3KB

MD5
e58364ddc8daeac92739f0b2c7547f9c

SHA1
ae2aa6f9cb8f4627d83c6158571689d596294cfe

SHA256
d03047394e431fbc6d68c74d2ac5348801ff1c4d7d3e12b1e3d873474c3cdf30

SHA512
d3e710f1c70883d5576ecdfec705c8edc671c533ebd353048c02d3bc8d9499a18d62c1cee8532d9c9ce325ca4966e53b40322e428cc0b20070971b974f8a673b

Download Submit
memory/1860-35-0x000000001AF80000-0x000000001AF88000-memory.dmp

Filesize
32KB

Download
memory/1860-34-0x000000001B020000-0x000000001B302000-memory.dmp

Filesize
2.9MB

Download
memory/2036-11-0x0000000001210000-0x00000000012C0000-memory.dmp

Filesize
704KB

Download
memory/2036-22-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-1-0x0000000000340000-0x0000000000410000-memory.dmp

Filesize
832KB

Download
memory/2232-20-0x000000001A740000-0x000000001A750000-memory.dmp

Filesize
64KB

Download
memory/2232-0-0x000007FEF5363000-0x000007FEF5364000-memory.dmp

Filesize
4KB

Download
memory/2400-27-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/2400-28-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2736-19-0x0000000000CE0000-0x0000000000D26000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing