xworm | 4bfe2784c6339e3ec2bbed7c751f88106524516dde2bb249a29b0cc883ff6a34

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WizWorm.exe
Size

100KB
MD5

314952857dbaa3f03c09355737b1d2c6
SHA1

2da8d4cceecdc52609f34ee6adf5876bcf6cea94
SHA256

4bfe2784c6339e3ec2bbed7c751f88106524516dde2bb249a29b0cc883ff6a34
SHA512

7dd9cb1152ea82a1e83f65b3e98071e30bdcb494f61362255d2301bcde227b9614548f182a179927be87c9b521f4e8295bc7a5ec78c4ca6132f38b445d0a839b
SSDEEP

3072:hH3WH59UsdQoP4iGz6v1DLgMrwPbWPsqoj:hHmHwYP4iI6NUMEPbWPe

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

mailing-perception.gl.at.ply.gg:63145

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4868-44-0x000000001BB30000-0x000000001BB4A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2444	powershell.exe
4960	powershell.exe
4100	powershell.exe
1156	powershell.exe
4428	powershell.exe
1908	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WizWorm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk	WizWorm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk	WizWorm.exe

Executes dropped EXE 2 IoCs

pid	Process
2156	WizWorm.exe
2188	WizWorm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WizWorm = "C:\\ProgramData\\WizWorm.exe"	WizWorm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1456	schtasks.exe
3296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1908	powershell.exe
1908	powershell.exe
2444	powershell.exe
2444	powershell.exe
4960	powershell.exe
4960	powershell.exe
4100	powershell.exe
4100	powershell.exe
1156	powershell.exe
1156	powershell.exe
4428	powershell.exe
4428	powershell.exe
4868	WizWorm.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	WizWorm.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	4868	WizWorm.exe
Token: SeDebugPrivilege	2156	WizWorm.exe
Token: SeDebugPrivilege	2188	WizWorm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4868	WizWorm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 1908	4868	WizWorm.exe	90
PID 4868 wrote to memory of 1908	4868	WizWorm.exe	90
PID 4868 wrote to memory of 2444	4868	WizWorm.exe	92
PID 4868 wrote to memory of 2444	4868	WizWorm.exe	92
PID 4868 wrote to memory of 4960	4868	WizWorm.exe	95
PID 4868 wrote to memory of 4960	4868	WizWorm.exe	95
PID 4868 wrote to memory of 1456	4868	WizWorm.exe	97
PID 4868 wrote to memory of 1456	4868	WizWorm.exe	97
PID 4868 wrote to memory of 4100	4868	WizWorm.exe	101
PID 4868 wrote to memory of 4100	4868	WizWorm.exe	101
PID 4868 wrote to memory of 1156	4868	WizWorm.exe	103
PID 4868 wrote to memory of 1156	4868	WizWorm.exe	103
PID 4868 wrote to memory of 4428	4868	WizWorm.exe	105
PID 4868 wrote to memory of 4428	4868	WizWorm.exe	105
PID 4868 wrote to memory of 3296	4868	WizWorm.exe	107
PID 4868 wrote to memory of 3296	4868	WizWorm.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WizWorm.exe
"C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWorm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWorm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizWorm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "WizWorm" /tr "C:\ProgramData\WizWorm.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWorm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWorm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizWorm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWorm" /tr "C:\ProgramData\WizWorm.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3296

C:\ProgramData\WizWorm.exe
C:\ProgramData\WizWorm.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\ProgramData\WizWorm.exe
C:\ProgramData\WizWorm.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WizWorm.exe

Filesize
100KB

MD5
314952857dbaa3f03c09355737b1d2c6

SHA1
2da8d4cceecdc52609f34ee6adf5876bcf6cea94

SHA256
4bfe2784c6339e3ec2bbed7c751f88106524516dde2bb249a29b0cc883ff6a34

SHA512
7dd9cb1152ea82a1e83f65b3e98071e30bdcb494f61362255d2301bcde227b9614548f182a179927be87c9b521f4e8295bc7a5ec78c4ca6132f38b445d0a839b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizWorm.exe.log

Filesize
1KB

MD5
3982d6d16fd43ae609fd495bb33433a2

SHA1
6c33cd681fdfd9a844a3128602455a768e348765

SHA256
9a0a58776494250224706cbfbb08562eec3891fb988f17d66d0d8f9af4253cf9

SHA512
4b69315f5d139b8978123bebd417231b28f86b6c1433eb88105465a342339c6c6b8c240a2ca8d2a9c1fca20136c8c167b78a770ab0664231f6e1742291cbf1aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a222b677de9924ed7b71add9ab83d267

SHA1
78bb726d6754e5da456560c8f603bb352cfcd2b0

SHA256
95d38fd39e6e6eb24bcb1c20761884a53fa9eb288070d689dc93ea1ee26e741d

SHA512
6ab45bd3d154ca8f26b1150df18a16883516d82f8106846a33320da898788253fe845ab4df4d3088f8ab6a541ac1f2080d4684b773d13a94ea9bb7c411fbf224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2253c665505da63342ef14dd8197f0b5

SHA1
466f37281031aea4ac775d9fb8e91489a85faf82

SHA256
27948dca356cfdff3a5480bdca63a66963505ad1bdc7ff42d1380bf418667436

SHA512
c45fd978256c168493b900ffddded099e0717068b772012bdebfcdcb2377f7a4adf2b968eb37125ed98fdcfb277c9f81fa02f90cfec60f4915d3027c27d7da0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e7cebf3b7ef4a6001988e0da1e82cc1d

SHA1
c4345e45710589200d39b79d407fc370be963296

SHA256
1bcc9d14f60f45002c38384b6765a0d9462ae90abf7c954d24a997f0167e325d

SHA512
d3bb57029ac793c37be4f673c1d7d67202235b72d12e5e42f7dc46e82f0e4cf179b9048a930bb9f076a82686c5014b337245928c04873448bfc55e7769cffa31

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_epbqjayh.fy2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1908-18-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/1908-15-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/1908-14-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/1908-12-0x00000276CC540000-0x00000276CC562000-memory.dmp

Filesize
136KB

Download
memory/1908-13-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/4868-0-0x00007FFA105F3000-0x00007FFA105F5000-memory.dmp

Filesize
8KB

Download
memory/4868-42-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/4868-44-0x000000001BB30000-0x000000001BB4A000-memory.dmp

Filesize
104KB

Download
memory/4868-2-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/4868-1-0x0000000000D40000-0x0000000000D60000-memory.dmp

Filesize
128KB

Download