xworm | d188547999283b2c4fe26ece445804c6908bc2881cdb496e8b85f842cca5e404

Analysis

max time kernel
20s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 18:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Nova Perm premium.exe
Size

35KB
MD5

d46d842f4dca865e747d78fd160b4ab2
SHA1

839aed104690bcb4b238dfb50709fe3e7e596df2
SHA256

d188547999283b2c4fe26ece445804c6908bc2881cdb496e8b85f842cca5e404
SHA512

a4bb1e549a67f704ea35e13372911b1a1d3d9c333972eadddd580e3f23fb911f15d0f5c1d0af58f19d330935140fb0e507a3a00f367c950ecfd6f8856f417a3c
SSDEEP

384:GxrwquEB4WIwkdoVpoFiQ4+YLsRQkX966LZT7BnA7vHsJQcXT/G58pkFyHBLTIZZ:qfnEd9rVBPph7GVFy79e0OjhAyEo

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

kit-enrollment.gl.at.ply.gg:55332

Mutex

IoEuZ1j6rJu0qWPX

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1800-1-0x0000000000AF0000-0x0000000000B00000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	Nova Perm premium.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	Nova Perm premium.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	Nova Perm premium.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	Nova Perm premium.exe
Token: SeDebugPrivilege	1800	Nova Perm premium.exe
Token: SeShutdownPrivilege	2900	shutdown.exe
Token: SeRemoteShutdownPrivilege	2900	shutdown.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2900	1800	Nova Perm premium.exe	32
PID 1800 wrote to memory of 2900	1800	Nova Perm premium.exe	32
PID 1800 wrote to memory of 2900	1800	Nova Perm premium.exe	32

C:\Users\Admin\AppData\Local\Temp\Nova Perm premium.exe
"C:\Users\Admin\AppData\Local\Temp\Nova Perm premium.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\system32\shutdown.exe
  shutdown.exe /f /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2900

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-0-0x000007FEF5873000-0x000007FEF5874000-memory.dmp

Filesize
4KB

Download
memory/1800-1-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/1800-6-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1800-7-0x000007FEF5873000-0x000007FEF5874000-memory.dmp

Filesize
4KB

Download
memory/1800-8-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1800-9-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-10-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads