xworm | 8f9e0d533fa5774f0653db9f900b4ef4356d8b3f1f8a90ae5f57bab24f14d86e

Reason

Machine shutdown

General

Target

UniversalInstaller.exe
Size

275KB
MD5

bac631aa713e238ca4cc65b620736715
SHA1

d0f7bcda4d2fdcf3e1f41859e5251d021603f909
SHA256

8f9e0d533fa5774f0653db9f900b4ef4356d8b3f1f8a90ae5f57bab24f14d86e
SHA512

731cc3e56c4b48b278c512712068c815fcd989ed5250c2443c3e38d36eac8e40d969d9b84dfbd1e28fe80c555255006440ec24aa904c63e2d31a086a8bfb11d3
SSDEEP

3072:RdOB4dT+b7chk6qvFORJgmXbcK0L4AFD/l8xZ4uIxPLKKx03fJqWkG1SpPlpQJQU:RdOCob7oOEbGCIEfWcSlaUM/g

Score

10^/10

xworm bootkit discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

23.ip.gl.ply.gg:57577

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2644-1-0x0000000000D50000-0x0000000000D9A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1988	powershell.exe
652	powershell.exe
4700	powershell.exe
2788	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	UniversalInstaller.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	UniversalInstaller.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	UniversalInstaller.exe

Executes dropped EXE 2 IoCs

pid	Process
1788	zyvukv.exe
3336	sys3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	UniversalInstaller.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	zyvukv.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zyvukv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys3.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1988	powershell.exe
1988	powershell.exe
652	powershell.exe
652	powershell.exe
4700	powershell.exe
4700	powershell.exe
2788	powershell.exe
2788	powershell.exe
2644	UniversalInstaller.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	UniversalInstaller.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2644	UniversalInstaller.exe
Token: 33	2732	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2732	AUDIODG.EXE
Token: SeShutdownPrivilege	3336	sys3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2644	UniversalInstaller.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1988	2644	UniversalInstaller.exe	89
PID 2644 wrote to memory of 1988	2644	UniversalInstaller.exe	89
PID 2644 wrote to memory of 652	2644	UniversalInstaller.exe	94
PID 2644 wrote to memory of 652	2644	UniversalInstaller.exe	94
PID 2644 wrote to memory of 4700	2644	UniversalInstaller.exe	98
PID 2644 wrote to memory of 4700	2644	UniversalInstaller.exe	98
PID 2644 wrote to memory of 2788	2644	UniversalInstaller.exe	100
PID 2644 wrote to memory of 2788	2644	UniversalInstaller.exe	100
PID 2644 wrote to memory of 1788	2644	UniversalInstaller.exe	113
PID 2644 wrote to memory of 1788	2644	UniversalInstaller.exe	113
PID 2644 wrote to memory of 1788	2644	UniversalInstaller.exe	113
PID 1788 wrote to memory of 3336	1788	zyvukv.exe	114
PID 1788 wrote to memory of 3336	1788	zyvukv.exe	114
PID 1788 wrote to memory of 3336	1788	zyvukv.exe	114

C:\Users\Admin\AppData\Local\Temp\UniversalInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\UniversalInstaller.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\UniversalInstaller.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'UniversalInstaller.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\zyvukv.exe
  "C:\Users\Admin\AppData\Local\Temp\zyvukv.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3336

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38d5055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cfb22e9b9c08bb1cfe944b622eb7adcb

SHA1
a299c701fb4da010999e61f9127262c7deb4fd97

SHA256
f60461e45422c16638ab514984d3a3b4e1ec8522c224543046a7d8fdf0090af2

SHA512
67962f0976a16c4323d14d4f7f6fe23bf1145db115be59b25f8fdfbe49d2d0672ed868ce7d69cb33b790f50f37b1187d5bd64fddfeb20260c88d4c5f75be4a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2bb005f08e40b9d8c31f1c09da44565d

SHA1
8a7097ecaeca704b6d653bfedea449cfbe79072f

SHA256
d7c96f73a5074bd88297839f5e749996eb91510490acd18d16edd5751f087943

SHA512
3da328cd8050288fcd5e9545812f5b0767aa9c19674d6f6f5dc35e92d436b2690056018910ff5a90f33c1f6d9602c70a256637d52498f1794efc8617fea6cbe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xwfnxbbg.yuu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
44B

MD5
e6fb0170e9fff36b3c3856341f7cf3c9

SHA1
c4b0805e1c0a8866ecb322d0f144f6ab4a236e7c

SHA256
88945b8a66c6ff38d926eb43a3a41d92fe4b7f9ad8e3a3d881dea4f96c1c8e60

SHA512
7a0c31f5c946c14d3a0d7a48db8021b4a85ebee54b9ad68b67f269342e90722ab8cb5695940140fb9375bfb822f8fb55362cc98f398a9923c078118ed092f64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyvukv.exe

Filesize
10KB

MD5
5a5f0a3c2302e091d81dc7eaf93d1460

SHA1
35b121df3e84bcc147e0ef9bb26878f8c8327066

SHA256
d14f18e6a192a359e6767600af028668729d6b6e569a66222cf3a4363ad8a608

SHA512
7b53479ab5c912fc13abd5d3b841eee216dc258f1adb62fdc74b1cf1a2f3d9dfcec520ab58dc7214bb31ba2b2f081e43deab66d33edc48e321c68587bb913541

Download Submit
memory/1788-75-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/1788-68-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/1988-13-0x00007FFB10F40000-0x00007FFB11A01000-memory.dmp

Filesize
10.8MB

Download
memory/1988-17-0x00007FFB10F40000-0x00007FFB11A01000-memory.dmp

Filesize
10.8MB

Download
memory/1988-14-0x00007FFB10F40000-0x00007FFB11A01000-memory.dmp

Filesize
10.8MB

Download
memory/1988-12-0x00007FFB10F40000-0x00007FFB11A01000-memory.dmp

Filesize
10.8MB

Download
memory/1988-2-0x000001A7ADB50000-0x000001A7ADB72000-memory.dmp

Filesize
136KB

Download
memory/2644-56-0x00007FFB10F40000-0x00007FFB11A01000-memory.dmp

Filesize
10.8MB

Download
memory/2644-57-0x00007FFB10F40000-0x00007FFB11A01000-memory.dmp

Filesize
10.8MB

Download
memory/2644-59-0x000000001C050000-0x000000001C05C000-memory.dmp

Filesize
48KB

Download
memory/2644-60-0x000000001E730000-0x000000001E7BE000-memory.dmp

Filesize
568KB

Download
memory/2644-0-0x00007FFB10F43000-0x00007FFB10F45000-memory.dmp

Filesize
8KB

Download
memory/2644-1-0x0000000000D50000-0x0000000000D9A000-memory.dmp

Filesize
296KB

Download
memory/2644-77-0x00007FFB10F40000-0x00007FFB11A01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads