xworm | 4bfe2784c6339e3ec2bbed7c751f88106524516dde2bb249a29b0cc883ff6a34

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WizWorm.exe
Size

100KB
MD5

314952857dbaa3f03c09355737b1d2c6
SHA1

2da8d4cceecdc52609f34ee6adf5876bcf6cea94
SHA256

4bfe2784c6339e3ec2bbed7c751f88106524516dde2bb249a29b0cc883ff6a34
SHA512

7dd9cb1152ea82a1e83f65b3e98071e30bdcb494f61362255d2301bcde227b9614548f182a179927be87c9b521f4e8295bc7a5ec78c4ca6132f38b445d0a839b
SSDEEP

3072:hH3WH59UsdQoP4iGz6v1DLgMrwPbWPsqoj:hHmHwYP4iI6NUMEPbWPe

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

mailing-perception.gl.at.ply.gg:63145

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1128-25-0x0000000002040000-0x000000000205A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2648	powershell.exe
2752	powershell.exe
2340	powershell.exe
1268	powershell.exe
2492	powershell.exe
2744	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk	WizWorm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk	WizWorm.exe

Executes dropped EXE 2 IoCs

pid	Process
1796	WizWorm.exe
1960	WizWorm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WizWorm = "C:\\ProgramData\\WizWorm.exe"	WizWorm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WizWorm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WizWorm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1808	schtasks.exe
2772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2744	powershell.exe
2648	powershell.exe
2752	powershell.exe
2340	powershell.exe
1268	powershell.exe
2492	powershell.exe
1128	WizWorm.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	WizWorm.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1128	WizWorm.exe
Token: SeDebugPrivilege	1796	WizWorm.exe
Token: SeDebugPrivilege	1960	WizWorm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1128	WizWorm.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2744	1128	WizWorm.exe	32
PID 1128 wrote to memory of 2744	1128	WizWorm.exe	32
PID 1128 wrote to memory of 2744	1128	WizWorm.exe	32
PID 1128 wrote to memory of 2648	1128	WizWorm.exe	34
PID 1128 wrote to memory of 2648	1128	WizWorm.exe	34
PID 1128 wrote to memory of 2648	1128	WizWorm.exe	34
PID 1128 wrote to memory of 2752	1128	WizWorm.exe	36
PID 1128 wrote to memory of 2752	1128	WizWorm.exe	36
PID 1128 wrote to memory of 2752	1128	WizWorm.exe	36
PID 1128 wrote to memory of 1808	1128	WizWorm.exe	38
PID 1128 wrote to memory of 1808	1128	WizWorm.exe	38
PID 1128 wrote to memory of 1808	1128	WizWorm.exe	38
PID 1128 wrote to memory of 2340	1128	WizWorm.exe	40
PID 1128 wrote to memory of 2340	1128	WizWorm.exe	40
PID 1128 wrote to memory of 2340	1128	WizWorm.exe	40
PID 1128 wrote to memory of 1268	1128	WizWorm.exe	42
PID 1128 wrote to memory of 1268	1128	WizWorm.exe	42
PID 1128 wrote to memory of 1268	1128	WizWorm.exe	42
PID 1128 wrote to memory of 2492	1128	WizWorm.exe	44
PID 1128 wrote to memory of 2492	1128	WizWorm.exe	44
PID 1128 wrote to memory of 2492	1128	WizWorm.exe	44
PID 1128 wrote to memory of 2772	1128	WizWorm.exe	46
PID 1128 wrote to memory of 2772	1128	WizWorm.exe	46
PID 1128 wrote to memory of 2772	1128	WizWorm.exe	46
PID 1360 wrote to memory of 1796	1360	taskeng.exe	49
PID 1360 wrote to memory of 1796	1360	taskeng.exe	49
PID 1360 wrote to memory of 1796	1360	taskeng.exe	49
PID 1360 wrote to memory of 1960	1360	taskeng.exe	51
PID 1360 wrote to memory of 1960	1360	taskeng.exe	51
PID 1360 wrote to memory of 1960	1360	taskeng.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WizWorm.exe
"C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWorm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWorm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizWorm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "WizWorm" /tr "C:\ProgramData\WizWorm.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWorm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWorm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizWorm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWorm" /tr "C:\ProgramData\WizWorm.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2772

C:\Windows\system32\taskeng.exe
taskeng.exe {7DFEE5A0-584A-4559-8C1D-21971396994E} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1360
- C:\ProgramData\WizWorm.exe
  C:\ProgramData\WizWorm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\ProgramData\WizWorm.exe
  C:\ProgramData\WizWorm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WizWorm.exe

Filesize
100KB

MD5
314952857dbaa3f03c09355737b1d2c6

SHA1
2da8d4cceecdc52609f34ee6adf5876bcf6cea94

SHA256
4bfe2784c6339e3ec2bbed7c751f88106524516dde2bb249a29b0cc883ff6a34

SHA512
7dd9cb1152ea82a1e83f65b3e98071e30bdcb494f61362255d2301bcde227b9614548f182a179927be87c9b521f4e8295bc7a5ec78c4ca6132f38b445d0a839b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c943b6cc68bf4767e8e1ba85d957404a

SHA1
e3e107eeb85bf37c802a1209177af3e3b1a0aaa4

SHA256
0e011339f814ea4a5545050d4207cf99acbd5e5754d28d089889d15d89ac6dde

SHA512
b781bec28591ae5e07d2f02a3423aba73e19886c661a2191734586bf5502c68e31fbffbae7807d189489ae3a62d51ebe1d323a1df88912a9a527a3cb11a22daf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
862a37446bc402b9097533e17414bde3

SHA1
f6e18e4e94837d75eee2bdfe1c43bd6fe56ead66

SHA256
9d81745d5a2ca4bc5ff322dcd7af6e95041de753ba73823daafa06a973519079

SHA512
e1633e553d1b3b4f8955a1fb4c68eb8a54b04646c7724a4be54552428a48adf66b4e8fa72cfaa75dbc146f943684c850d4a24251fe826d5c793816eb384c3a34

Download Submit
memory/1128-26-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1128-1-0x00000000003F0000-0x0000000000410000-memory.dmp

Filesize
128KB

Download
memory/1128-2-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1128-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/1128-24-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/1128-25-0x0000000002040000-0x000000000205A000-memory.dmp

Filesize
104KB

Download
memory/1796-55-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1960-58-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/2648-16-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2648-15-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2744-9-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2744-8-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2744-7-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download