xworm | 115e0684c499ca223d9e655d446571a68ba74a94c9a87ef0abab842e786fa585

Analysis

max time kernel
1559s
max time network
1560s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NLHybrid Fixer.exe
Size

78KB
MD5

3c0e5550692a92a15a5dc3e7a02c529f
SHA1

e25e36a2b15770fb59c3be8f32cb030ddf9c6c1e
SHA256

115e0684c499ca223d9e655d446571a68ba74a94c9a87ef0abab842e786fa585
SHA512

7b3bd8e2a969747b77d4b4a19fda85364801415f1b4b95eac1df8cbb643dc119166c736d9d790f8cf71376f897e5652b7775ddb6baacd362b1c478768ca088f6
SSDEEP

1536:mFq6CwjD0dsHJGJY94gWA3h8f59b4gYD6D4LDSa6AJwOVAdrc8ICmfata:mFq6hjDxcJGcR9b4nIMJwOVAddUata

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

remote-newest.gl.at.ply.gg:62113

fund-scared.gl.at.ply.gg:62113

Attributes

Install_directory
%Userprofile%
install_file
win64updater.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2856-1-0x0000000000220000-0x0000000000238000-memory.dmp	family_xworm
behavioral1/files/0x000d0000000120f6-34.dat	family_xworm
behavioral1/memory/1832-36-0x0000000001180000-0x0000000001198000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2792	powershell.exe
2620	powershell.exe
2480	powershell.exe
576	powershell.exe

Deletes itself 1 IoCs

pid	Process
2500	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win64updater.lnk	NLHybrid Fixer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win64updater.lnk	NLHybrid Fixer.exe

Executes dropped EXE 1 IoCs

pid	Process
1832	win64updater.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\win64updater = "C:\\Users\\Admin\\win64updater.exe"	NLHybrid Fixer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
648	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2072	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2856	NLHybrid Fixer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2792	powershell.exe
2620	powershell.exe
2480	powershell.exe
576	powershell.exe
2856	NLHybrid Fixer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	NLHybrid Fixer.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2856	NLHybrid Fixer.exe
Token: SeDebugPrivilege	1832	win64updater.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2856	NLHybrid Fixer.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2792	2856	NLHybrid Fixer.exe	30
PID 2856 wrote to memory of 2792	2856	NLHybrid Fixer.exe	30
PID 2856 wrote to memory of 2792	2856	NLHybrid Fixer.exe	30
PID 2856 wrote to memory of 2620	2856	NLHybrid Fixer.exe	32
PID 2856 wrote to memory of 2620	2856	NLHybrid Fixer.exe	32
PID 2856 wrote to memory of 2620	2856	NLHybrid Fixer.exe	32
PID 2856 wrote to memory of 2480	2856	NLHybrid Fixer.exe	34
PID 2856 wrote to memory of 2480	2856	NLHybrid Fixer.exe	34
PID 2856 wrote to memory of 2480	2856	NLHybrid Fixer.exe	34
PID 2856 wrote to memory of 576	2856	NLHybrid Fixer.exe	36
PID 2856 wrote to memory of 576	2856	NLHybrid Fixer.exe	36
PID 2856 wrote to memory of 576	2856	NLHybrid Fixer.exe	36
PID 2856 wrote to memory of 2072	2856	NLHybrid Fixer.exe	38
PID 2856 wrote to memory of 2072	2856	NLHybrid Fixer.exe	38
PID 2856 wrote to memory of 2072	2856	NLHybrid Fixer.exe	38
PID 2296 wrote to memory of 1832	2296	taskeng.exe	42
PID 2296 wrote to memory of 1832	2296	taskeng.exe	42
PID 2296 wrote to memory of 1832	2296	taskeng.exe	42
PID 2856 wrote to memory of 2260	2856	NLHybrid Fixer.exe	44
PID 2856 wrote to memory of 2260	2856	NLHybrid Fixer.exe	44
PID 2856 wrote to memory of 2260	2856	NLHybrid Fixer.exe	44
PID 2856 wrote to memory of 2500	2856	NLHybrid Fixer.exe	46
PID 2856 wrote to memory of 2500	2856	NLHybrid Fixer.exe	46
PID 2856 wrote to memory of 2500	2856	NLHybrid Fixer.exe	46
PID 2500 wrote to memory of 648	2500	cmd.exe	48
PID 2500 wrote to memory of 648	2500	cmd.exe	48
PID 2500 wrote to memory of 648	2500	cmd.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe
"C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NLHybrid Fixer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\win64updater.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'win64updater.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "win64updater" /tr "C:\Users\Admin\win64updater.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2072
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "win64updater"
  2⤵
  PID:2260
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3312.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:648

C:\Windows\system32\taskeng.exe
taskeng.exe {A00613EE-B27C-4385-885D-1BD822CF5A4E} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\win64updater.exe
  C:\Users\Admin\win64updater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3312.tmp.bat

Filesize
166B

MD5
7a4c1a5fb93f1424ec44f70170fc47df

SHA1
f227c1bb42691ddc322b465d4d613828781ce9de

SHA256
8fb0445805035e7079516e0f3ad354e07bd356518ebd8d7fd93d12da33ab2079

SHA512
7bec09600d2cfc86f7566c586834cf4496bd74df5be4ae21e1286fa41dbfd4b06c1127a0a5fb5eff0b633a4595bf13b3a88fe4ff7d44b0273ff5ac15a74c89ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UFXBPGBW648F2J8SZEHL.temp

Filesize
7KB

MD5
1938139e3e78da80be9dd70edfa21baf

SHA1
a98606165e2f074b616d3792b0506f2cdfe3700f

SHA256
63712b5d18782922430a82e88d1e89c5cdbef105f0744f9c9fb4465280e41e31

SHA512
1c224e597a20f8e2df0a04740c70e5314155c3432fdd3f43f91b5eacff2aed07e9c35afe9a066e600330b07f735ebfa1ecb91850db714bcbe5133cce9ecccdb2

Download Submit
C:\Users\Admin\win64updater.exe

Filesize
78KB

MD5
3c0e5550692a92a15a5dc3e7a02c529f

SHA1
e25e36a2b15770fb59c3be8f32cb030ddf9c6c1e

SHA256
115e0684c499ca223d9e655d446571a68ba74a94c9a87ef0abab842e786fa585

SHA512
7b3bd8e2a969747b77d4b4a19fda85364801415f1b4b95eac1df8cbb643dc119166c736d9d790f8cf71376f897e5652b7775ddb6baacd362b1c478768ca088f6

Download Submit
memory/1832-36-0x0000000001180000-0x0000000001198000-memory.dmp

Filesize
96KB

Download
memory/2620-15-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2620-14-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2792-7-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2792-8-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2792-6-0x0000000002DE0000-0x0000000002E60000-memory.dmp

Filesize
512KB

Download
memory/2856-30-0x0000000000540000-0x00000000005C0000-memory.dmp

Filesize
512KB

Download
memory/2856-31-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

Filesize
4KB

Download
memory/2856-32-0x0000000000540000-0x00000000005C0000-memory.dmp

Filesize
512KB

Download
memory/2856-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

Filesize
4KB

Download
memory/2856-1-0x0000000000220000-0x0000000000238000-memory.dmp

Filesize
96KB

Download