vjw0rm | 30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2

General

Target

30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe
Size

808KB
MD5

97f0e987446dc19d888bff693ae44eb0
SHA1

5f8f941d3197cb6c0b314e966d677ad3e340594c
SHA256

30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2
SHA512

a5ee9ee3779ea9e579f7f41d0a98d433f2b0f12ee64f6f234612a53b1b29772b7384ecbcdef262dff68ca113a8eea8135e19321fa4efc1fca329acf0e1801e44
SSDEEP

12288:iRhNJJWyiyLqgqXGb0krJIDnv44WpPCaq8hFVZwyWgG0DOFdgf0FBPdAA:wWuLqCOT44WphTZjGPFdBA

Score

10^/10

vjw0rm xworm execution rat trojan worm

Malware Config

Extracted

Family

xworm

C2

192.168.1.8:7000

Attributes

Install_directory
%AppData%
install_file
XClienamrt.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\XClientamor.exe	family_xworm
behavioral2/memory/2988-34-0x0000000000540000-0x0000000000586000-memory.dmp	family_xworm

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2896 powershell.exe
1708 powershell.exe
2604 powershell.exe
4084 powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exeOutputbinded.exeXClientamor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Outputbinded.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	XClientamor.exe

Drops startup file 2 IoCs

Processes:

XClientamor.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClienamrt.lnk	XClientamor.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClienamrt.lnk	XClientamor.exe

Executes dropped EXE 2 IoCs

Processes:

Outputbinded.exeXClientamor.exe

pid process

4132 Outputbinded.exe
2988 XClientamor.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4132	Outputbinded.exe
2988	XClientamor.exe

Modifies registry class 1 IoCs

Processes:

30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
4084	powershell.exe
4084	powershell.exe
4084	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

XClientamor.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2988	XClientamor.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	2988	XClientamor.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exeOutputbinded.exeXClientamor.exe

description	pid	process	target process
PID 2196 wrote to memory of 4132	2196	30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe	Outputbinded.exe
PID 2196 wrote to memory of 4132	2196	30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe	Outputbinded.exe
PID 2196 wrote to memory of 3904	2196	30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe	WScript.exe
PID 2196 wrote to memory of 3904	2196	30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe	WScript.exe
PID 4132 wrote to memory of 2988	4132	Outputbinded.exe	XClientamor.exe
PID 4132 wrote to memory of 2988	4132	Outputbinded.exe	XClientamor.exe
PID 2988 wrote to memory of 2896	2988	XClientamor.exe	powershell.exe
PID 2988 wrote to memory of 2896	2988	XClientamor.exe	powershell.exe
PID 2988 wrote to memory of 1708	2988	XClientamor.exe	powershell.exe
PID 2988 wrote to memory of 1708	2988	XClientamor.exe	powershell.exe
PID 2988 wrote to memory of 2604	2988	XClientamor.exe	powershell.exe
PID 2988 wrote to memory of 2604	2988	XClientamor.exe	powershell.exe
PID 2988 wrote to memory of 4084	2988	XClientamor.exe	powershell.exe
PID 2988 wrote to memory of 4084	2988	XClientamor.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\30dc2290b6b7bad31e59c18d4550117c79a7c36aeb09ca5f54714579adce11a2_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Roaming\Outputbinded.exe
  "C:\Users\Admin\AppData\Roaming\Outputbinded.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Users\Admin\AppData\Roaming\XClientamor.exe
    "C:\Users\Admin\AppData\Roaming\XClientamor.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClientamor.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClientamor.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClienamrt.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClienamrt.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4084
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\amor.js"
  2⤵
  PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
1⤵
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bbc2b43d5e574fe7d193c6fc0eb7302c

SHA1
f22683b94ad593fd0513fef37df1fb5d0880cc22

SHA256
0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48

SHA512
287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eiwldmds.4pp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Outputbinded.exe

Filesize
686KB

MD5
5d692aa620cbca52d380150edcf51377

SHA1
bfaaf5ea9910324e3d9f3d95c5a8ca4d94924d86

SHA256
65302dc08b26b59a91943d82c7c5b79a017164bd7623576cbefcb9851098bf3c

SHA512
0c3e90f6e169a9876f4095774d6fec1b76bc0e23c00b254610ed58f4238bcd0547c7f8974d171587783659752c415267cb4d2499f1a6ac18ed7760f78103bc67

Download Submit
C:\Users\Admin\AppData\Roaming\XClientamor.exe

Filesize
260KB

MD5
9b839a50e55b18129f81629c61f912f7

SHA1
71e1feea8c12bd8b2501bf065d56fef8eae0517c

SHA256
92a21332ad995d61804e80d50abd6571a6faf3932ad574ff23939e84362485ae

SHA512
abcb038106c8c771c39a66f1f79885619a0a031a567d2a84acfb848545c8cd12dc1e64baa14f1151229de2abaf68fc023f6455cb47d6b29ec90832d0f2de9971

Download Submit
C:\Users\Admin\AppData\Roaming\amor.js

Filesize
3KB

MD5
e58364ddc8daeac92739f0b2c7547f9c

SHA1
ae2aa6f9cb8f4627d83c6158571689d596294cfe

SHA256
d03047394e431fbc6d68c74d2ac5348801ff1c4d7d3e12b1e3d873474c3cdf30

SHA512
d3e710f1c70883d5576ecdfec705c8edc671c533ebd353048c02d3bc8d9499a18d62c1cee8532d9c9ce325ca4966e53b40322e428cc0b20070971b974f8a673b

Download Submit
memory/2196-0-0x00007FFC06943000-0x00007FFC06945000-memory.dmp

Filesize
8KB

Download
memory/2196-1-0x00000000003D0000-0x00000000004A0000-memory.dmp

Filesize
832KB

Download
memory/2896-36-0x000002AC5CB20000-0x000002AC5CB42000-memory.dmp

Filesize
136KB

Download
memory/2988-34-0x0000000000540000-0x0000000000586000-memory.dmp

Filesize
280KB

Download
memory/4132-35-0x00007FFC06940000-0x00007FFC07401000-memory.dmp

Filesize
10.8MB

Download
memory/4132-20-0x00007FFC06940000-0x00007FFC07401000-memory.dmp

Filesize
10.8MB

Download
memory/4132-17-0x00000000001A0000-0x0000000000250000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads