xworm | 1bbed9ce42fa9fc59da66af162fb7b5b13bfba8a197b8b81c32d780e3e6dab83

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uzi - Virtualizer.exe
Size

1.5MB
MD5

19e10caeb8e008c60153b2b2a6702da1
SHA1

0919cc85e5a5a947ca6f335e6bc22f945f210e40
SHA256

1bbed9ce42fa9fc59da66af162fb7b5b13bfba8a197b8b81c32d780e3e6dab83
SHA512

c6c2eff95674ebb581dfedb383dbd551e5bb5db8e57302e3dd6ec8c122e73266d4cc779576dda57c17cbea87ead50039e418493788bcb3548a0d4834e6058616
SSDEEP

49152:ATg85+uqK7elPJFjvPmp8ke3oZg9yClEWpSCFLHypui:Ur5+lq6/jWp8ke3oZgYudLHy

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

road-stars.gl.at.ply.gg:55299

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00090000000120d6-5.dat	family_xworm
behavioral1/memory/1540-13-0x00000000002B0000-0x00000000002C8000-memory.dmp	family_xworm
behavioral1/memory/1036-53-0x0000000000CE0000-0x0000000000CF8000-memory.dmp	family_xworm
behavioral1/memory/2896-56-0x0000000000D90000-0x0000000000DA8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe
2572	powershell.exe
2568	powershell.exe
2212	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Keyauth-Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Keyauth-Host.exe

Executes dropped EXE 4 IoCs

pid	Process
1540	Keyauth-Host.exe
2268	Uzivert Private.exe
1036	svchost.exe
2896	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1364	Uzi - Virtualizer.exe
1980	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe"	Keyauth-Host.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2596	powershell.exe
2344	taskmgr.exe
2344	taskmgr.exe
2572	powershell.exe
2568	powershell.exe
2344	taskmgr.exe
2212	powershell.exe
2344	taskmgr.exe
1540	Keyauth-Host.exe
2344	taskmgr.exe
2344	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	Keyauth-Host.exe
Token: SeDebugPrivilege	2344	taskmgr.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1540	Keyauth-Host.exe
Token: SeDebugPrivilege	1036	svchost.exe
Token: SeDebugPrivilege	2896	svchost.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe
2344	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1540	Keyauth-Host.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1540	1364	Uzi - Virtualizer.exe	28
PID 1364 wrote to memory of 1540	1364	Uzi - Virtualizer.exe	28
PID 1364 wrote to memory of 1540	1364	Uzi - Virtualizer.exe	28
PID 1364 wrote to memory of 2268	1364	Uzi - Virtualizer.exe	29
PID 1364 wrote to memory of 2268	1364	Uzi - Virtualizer.exe	29
PID 1364 wrote to memory of 2268	1364	Uzi - Virtualizer.exe	29
PID 1540 wrote to memory of 2596	1540	Keyauth-Host.exe	33
PID 1540 wrote to memory of 2596	1540	Keyauth-Host.exe	33
PID 1540 wrote to memory of 2596	1540	Keyauth-Host.exe	33
PID 1540 wrote to memory of 2572	1540	Keyauth-Host.exe	35
PID 1540 wrote to memory of 2572	1540	Keyauth-Host.exe	35
PID 1540 wrote to memory of 2572	1540	Keyauth-Host.exe	35
PID 1540 wrote to memory of 2568	1540	Keyauth-Host.exe	37
PID 1540 wrote to memory of 2568	1540	Keyauth-Host.exe	37
PID 1540 wrote to memory of 2568	1540	Keyauth-Host.exe	37
PID 1540 wrote to memory of 2212	1540	Keyauth-Host.exe	39
PID 1540 wrote to memory of 2212	1540	Keyauth-Host.exe	39
PID 1540 wrote to memory of 2212	1540	Keyauth-Host.exe	39
PID 1540 wrote to memory of 1936	1540	Keyauth-Host.exe	41
PID 1540 wrote to memory of 1936	1540	Keyauth-Host.exe	41
PID 1540 wrote to memory of 1936	1540	Keyauth-Host.exe	41
PID 1044 wrote to memory of 1036	1044	taskeng.exe	46
PID 1044 wrote to memory of 1036	1044	taskeng.exe	46
PID 1044 wrote to memory of 1036	1044	taskeng.exe	46
PID 1044 wrote to memory of 2896	1044	taskeng.exe	47
PID 1044 wrote to memory of 2896	1044	taskeng.exe	47
PID 1044 wrote to memory of 2896	1044	taskeng.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Uzi - Virtualizer.exe
"C:\Users\Admin\AppData\Local\Temp\Uzi - Virtualizer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\Keyauth-Host.exe
  "C:\Users\Admin\AppData\Local\Temp\Keyauth-Host.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Keyauth-Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Keyauth-Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1936
- C:\Users\Admin\AppData\Local\Temp\Uzivert Private.exe
  "C:\Users\Admin\AppData\Local\Temp\Uzivert Private.exe"
  2⤵
  - Executes dropped EXE
  PID:2268

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2344

C:\Windows\system32\taskeng.exe
taskeng.exe {9C6462A0-4B0E-496A-A329-90A5305033A7} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\svchost.exe
  C:\Users\Admin\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Users\Admin\svchost.exe
  C:\Users\Admin\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Keyauth-Host.exe

Filesize
74KB

MD5
682f9a9f1a1c950efcc9a37adcddeb8a

SHA1
eab7b22299d7f4b838dd4b57862491d6e728ee22

SHA256
7fd8250dc06501a85472d75de54bc63bb98cfbca6e7cf560cae046bee0685a48

SHA512
471e5a4c668375da48525fadf8cb9cd3eff9fb4756d48c319ad5b5f1dcf88960630fc576cc2b5297ab3039b52a3f9c4239de19ef3e49026cf7c20d21cc0424a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uzivert Private.exe

Filesize
3.0MB

MD5
e623c22e7cacd3d1f3e3a1c1979eff93

SHA1
dcab81a1bc9d0795789390f3584ea681c10e9a4f

SHA256
ddcf28e8153abbc3c5a2ccbf0928a5d83fe5b797cfa3b056723c967fa44ec4be

SHA512
90cd113467568864f7059305282bccf02f0afba2289ad315e8441216771718966bb604e5dd0e84a99af1ab9513479fa0d414a9190992c1869e1e90bfef940831

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b29a8cbcc3dd162d39992df89d9e1b2d

SHA1
a472fd163f6b78ce7544c74e2ae4558ab1472632

SHA256
c15140135bf2c2815aa476488c95fc88ee03cc58b26aabcf74f3aca338482d6d

SHA512
37071656fad28179bf5a223124781044b5ed36d319e595181f3787cc20f8dc3f17d398c492090a4e9f4e582921a116726494194deb9fceae2d8383c84c446fcd

Download Submit
memory/1036-53-0x0000000000CE0000-0x0000000000CF8000-memory.dmp

Filesize
96KB

Download
memory/1364-1-0x0000000000AB0000-0x0000000000C40000-memory.dmp

Filesize
1.6MB

Download
memory/1364-14-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1364-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/1540-13-0x00000000002B0000-0x00000000002C8000-memory.dmp

Filesize
96KB

Download
memory/1540-16-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-43-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-49-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-15-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2344-23-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2344-24-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2572-30-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2572-31-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2596-22-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2596-21-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2896-56-0x0000000000D90000-0x0000000000DA8000-memory.dmp

Filesize
96KB

Download