xworm | ee94f31406ba029502b3737f9d2c2d2d22448643deaa3095239a55b58b9169c8

Analysis

max time kernel
1563s
max time network
1568s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NLHybrid Fixer.exe
Size

42KB
MD5

269085c7755574a5cd840b298a0b4a55
SHA1

3b20a9f3c0e5ed34d37c5c915c07fd93da7d7cbd
SHA256

ee94f31406ba029502b3737f9d2c2d2d22448643deaa3095239a55b58b9169c8
SHA512

47b5782e53cf03bb5eb8f96584b9e0608bc10038b8721761bf67af75ed0b77a2e51ef94a9d62302e6e0d45885e72d47b80815caa8c063a616d50b646885b5f65
SSDEEP

768:yvD19vXwj/0OhWgEiymT+jxPuqF3t9NRX6POChM0LevH:I19/wj/F8iy/P5F99NRX6POCK0k

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

remote-newest.gl.at.ply.gg:62113

fund-scared.gl.at.ply.gg:62113

Mutex

UrM5eoX12ULh6st6

Attributes

Install_directory
%Userprofile%
install_file
win64updater.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2332-1-0x0000000001390000-0x00000000013A0000-memory.dmp	family_xworm
behavioral1/files/0x000b00000001225f-34.dat	family_xworm
behavioral1/memory/1672-36-0x0000000001210000-0x0000000001220000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2720	powershell.exe
2308	powershell.exe
2768	powershell.exe
2784	powershell.exe

Deletes itself 1 IoCs

pid	Process
2864	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win64updater.lnk	NLHybrid Fixer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win64updater.lnk	NLHybrid Fixer.exe

Executes dropped EXE 1 IoCs

pid	Process
1672	win64updater.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\win64updater = "C:\\Users\\Admin\\win64updater.exe"	NLHybrid Fixer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1128	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3004	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2332	NLHybrid Fixer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2308	powershell.exe
2768	powershell.exe
2784	powershell.exe
2720	powershell.exe
2332	NLHybrid Fixer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	NLHybrid Fixer.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2332	NLHybrid Fixer.exe
Token: SeDebugPrivilege	1672	win64updater.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2332	NLHybrid Fixer.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2308	2332	NLHybrid Fixer.exe	31
PID 2332 wrote to memory of 2308	2332	NLHybrid Fixer.exe	31
PID 2332 wrote to memory of 2308	2332	NLHybrid Fixer.exe	31
PID 2332 wrote to memory of 2768	2332	NLHybrid Fixer.exe	33
PID 2332 wrote to memory of 2768	2332	NLHybrid Fixer.exe	33
PID 2332 wrote to memory of 2768	2332	NLHybrid Fixer.exe	33
PID 2332 wrote to memory of 2784	2332	NLHybrid Fixer.exe	35
PID 2332 wrote to memory of 2784	2332	NLHybrid Fixer.exe	35
PID 2332 wrote to memory of 2784	2332	NLHybrid Fixer.exe	35
PID 2332 wrote to memory of 2720	2332	NLHybrid Fixer.exe	37
PID 2332 wrote to memory of 2720	2332	NLHybrid Fixer.exe	37
PID 2332 wrote to memory of 2720	2332	NLHybrid Fixer.exe	37
PID 2332 wrote to memory of 3004	2332	NLHybrid Fixer.exe	39
PID 2332 wrote to memory of 3004	2332	NLHybrid Fixer.exe	39
PID 2332 wrote to memory of 3004	2332	NLHybrid Fixer.exe	39
PID 1064 wrote to memory of 1672	1064	taskeng.exe	43
PID 1064 wrote to memory of 1672	1064	taskeng.exe	43
PID 1064 wrote to memory of 1672	1064	taskeng.exe	43
PID 2332 wrote to memory of 2164	2332	NLHybrid Fixer.exe	44
PID 2332 wrote to memory of 2164	2332	NLHybrid Fixer.exe	44
PID 2332 wrote to memory of 2164	2332	NLHybrid Fixer.exe	44
PID 2332 wrote to memory of 2864	2332	NLHybrid Fixer.exe	46
PID 2332 wrote to memory of 2864	2332	NLHybrid Fixer.exe	46
PID 2332 wrote to memory of 2864	2332	NLHybrid Fixer.exe	46
PID 2864 wrote to memory of 1128	2864	cmd.exe	48
PID 2864 wrote to memory of 1128	2864	cmd.exe	48
PID 2864 wrote to memory of 1128	2864	cmd.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe
"C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NLHybrid Fixer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\win64updater.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'win64updater.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "win64updater" /tr "C:\Users\Admin\win64updater.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3004
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "win64updater"
  2⤵
  PID:2164
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB5C8.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1128

C:\Windows\system32\taskeng.exe
taskeng.exe {25692E8A-F1F9-4F53-9079-33203AFA3BB7} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\win64updater.exe
  C:\Users\Admin\win64updater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB5C8.tmp.bat

Filesize
166B

MD5
f9d25fafcedc4262d44f86db72bbef62

SHA1
252f1c5cd55544a84939e6995d2b56a949534700

SHA256
d09e1dd50c9e2ad58e83fdd2d1ba4afc5c1c383990aa4a8737a2168c5a80598c

SHA512
69a5019b9b1c4740f2fb94e65c0b1a219a24eb95d43313b2d26b9c10077fc8dd28afcf591c4cc7fa965a501418eeef02f45b7559563676ffcdfd57026a4a0e1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B82YDCNZ7JUOMLPE7OYC.temp

Filesize
7KB

MD5
46f41e06e56cde5dd25ad8dffa778da6

SHA1
05ab3fcf51b055eaf6f13ff48d956d7a13a76e05

SHA256
1f704c4a0edb1797b280b0fe038de73807b0057063f6a53e20d229b9aff8e61d

SHA512
58d8908c969f483ca26707585b6ddc9b1de27bfe0ba3fc735e8345cfc9bd248fea9d12f3318f58020ab67fa4660004f697438f503d20f63168070c46dbb0cb67

Download Submit
C:\Users\Admin\win64updater.exe

Filesize
42KB

MD5
269085c7755574a5cd840b298a0b4a55

SHA1
3b20a9f3c0e5ed34d37c5c915c07fd93da7d7cbd

SHA256
ee94f31406ba029502b3737f9d2c2d2d22448643deaa3095239a55b58b9169c8

SHA512
47b5782e53cf03bb5eb8f96584b9e0608bc10038b8721761bf67af75ed0b77a2e51ef94a9d62302e6e0d45885e72d47b80815caa8c063a616d50b646885b5f65

Download Submit
memory/1672-36-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/2308-6-0x0000000001E50000-0x0000000001ED0000-memory.dmp

Filesize
512KB

Download
memory/2308-8-0x00000000020D0000-0x00000000020D8000-memory.dmp

Filesize
32KB

Download
memory/2308-7-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2332-31-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2332-30-0x0000000000BE0000-0x0000000000C60000-memory.dmp

Filesize
512KB

Download
memory/2332-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2332-32-0x0000000000BE0000-0x0000000000C60000-memory.dmp

Filesize
512KB

Download
memory/2332-1-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2768-15-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2768-14-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download