xworm | 88d0612d150853b8e7f3d3e3bfbc5d96d0469df4b53b6e2afbb882e39324b3c6

Analysis

max time kernel
21s
max time network
27s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/01/2025, 15:53 UTC

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Nezur_Internal.exe
Size

1.3MB
MD5

c8e3253dfa6d5a21b87950dd7eb2c652
SHA1

c0d8849408efd3b42e07b8f43ecb2979158c9c0f
SHA256

b8d5ab8adf0da37f5fcd09e09d3bab66458f4cd6fefc5760daa8c247fd55eb76
SHA512

efa4cc3ccaa797c9f9c64c4aa6f4f0aa995d3e36bfe0563b7ffce0978ff880bc4fa913c363fbf7792fe552753098e870642b35602cf8625938e9ff84a1d376d9
SSDEEP

24576:cUTaQIolipFeyKvY4JMdA9MpBO++aBIbH1CAB1v:caIowzeth9KIbHhBp

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

drive-mens.gl.at.ply.gg:20498

Attributes

Install_directory
%AppData%
install_file
SystemUser.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225c-5.dat	family_xworm
behavioral1/memory/1668-8-0x0000000000EB0000-0x0000000000EC0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser.lnk	wyvernunbanner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser.lnk	wyvernunbanner.exe

Executes dropped EXE 1 IoCs

pid	Process
1668	wyvernunbanner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	wyvernunbanner.exe
Token: SeShutdownPrivilege	2712	shutdown.exe
Token: SeRemoteShutdownPrivilege	2712	shutdown.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1668	2344	Nezur_Internal.exe	29
PID 2344 wrote to memory of 1668	2344	Nezur_Internal.exe	29
PID 2344 wrote to memory of 1668	2344	Nezur_Internal.exe	29
PID 1668 wrote to memory of 2712	1668	wyvernunbanner.exe	31
PID 1668 wrote to memory of 2712	1668	wyvernunbanner.exe	31
PID 1668 wrote to memory of 2712	1668	wyvernunbanner.exe	31

C:\Users\Admin\AppData\Local\Temp\Nezur_Internal.exe
"C:\Users\Admin\AppData\Local\Temp\Nezur_Internal.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Roaming\wyvernunbanner.exe
  "C:\Users\Admin\AppData\Roaming\wyvernunbanner.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\system32\shutdown.exe
    shutdown.exe /f /s /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2732

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1616

Network

DNS

drive-mens.gl.at.ply.gg

wyvernunbanner.exe

Remote address:

8.8.8.8:53

Request

drive-mens.gl.at.ply.gg

IN A

Response

drive-mens.gl.at.ply.gg

IN A

147.185.221.25

147.185.221.25:20498

drive-mens.gl.at.ply.gg

wyvernunbanner.exe

574 B
250 B
6
5

8.8.8.8:53

drive-mens.gl.at.ply.gg

dns

wyvernunbanner.exe

69 B
85 B
1
1

DNS Request

drive-mens.gl.at.ply.gg

DNS Response

147.185.221.25

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wyvernunbanner.exe

Filesize
41KB

MD5
8c0ead2cbe490984b478ec5f694d187c

SHA1
7c2ad7cbeb7722825421cdf457a00259cbd2c177

SHA256
a0150c4e756d7df71931fb9661be086354b36bf654aaa6acc2d51e5ff0da9c25

SHA512
4a0dfd3b984185af61c1502c1894a73738e16ea841c3b877d2ebc5d7bc302b8dbecdbf9b3fc78f2ebdced4e32360c9fde7dfff964ec1701c6627639b8b231d78

Download Submit
memory/1668-8-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/1668-11-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/1668-16-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/1668-17-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/1668-18-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/1668-19-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2344-0-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

Filesize
4KB

Download
memory/2344-1-0x0000000001050000-0x00000000011A6000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.