xworm | 88d0612d150853b8e7f3d3e3bfbc5d96d0469df4b53b6e2afbb882e39324b3c6

Resubmissions

19-01-2025 17:36

250119-v6kq4syjhv 10

19-01-2025 15:53

250119-tb5mcsvjdt 10

Analysis

max time kernel
43s
max time network
33s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-01-2025 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nezur_Internal.exe
Size

1.3MB
MD5

c8e3253dfa6d5a21b87950dd7eb2c652
SHA1

c0d8849408efd3b42e07b8f43ecb2979158c9c0f
SHA256

b8d5ab8adf0da37f5fcd09e09d3bab66458f4cd6fefc5760daa8c247fd55eb76
SHA512

efa4cc3ccaa797c9f9c64c4aa6f4f0aa995d3e36bfe0563b7ffce0978ff880bc4fa913c363fbf7792fe552753098e870642b35602cf8625938e9ff84a1d376d9
SSDEEP

24576:cUTaQIolipFeyKvY4JMdA9MpBO++aBIbH1CAB1v:caIowzeth9KIbHhBp

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

drive-mens.gl.at.ply.gg:20498

Attributes

Install_directory
%AppData%
install_file
SystemUser.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0051000000046172-6.dat	family_xworm
behavioral1/memory/4344-24-0x0000000000C20000-0x0000000000C30000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Control Panel\International\Geo\Nation	Nezur_Internal.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser.lnk	wyvernunbanner.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser.lnk	wyvernunbanner.exe

Executes dropped EXE 2 IoCs

pid	Process
4344	wyvernunbanner.exe
2292	Nezur_Loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2292	Nezur_Loader.exe
2292	Nezur_Loader.exe
2292	Nezur_Loader.exe
2292	Nezur_Loader.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	wyvernunbanner.exe
Token: SeDebugPrivilege	2292	Nezur_Loader.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4344	2652	Nezur_Internal.exe	80
PID 2652 wrote to memory of 4344	2652	Nezur_Internal.exe	80
PID 2652 wrote to memory of 2292	2652	Nezur_Internal.exe	81
PID 2652 wrote to memory of 2292	2652	Nezur_Internal.exe	81

cURL User-Agent 1 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	4	curl/8.6.0-DEV

C:\Users\Admin\AppData\Local\Temp\Nezur_Internal.exe
"C:\Users\Admin\AppData\Local\Temp\Nezur_Internal.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Roaming\wyvernunbanner.exe
  "C:\Users\Admin\AppData\Roaming\wyvernunbanner.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Users\Admin\AppData\Roaming\Nezur_Loader.exe
  "C:\Users\Admin\AppData\Roaming\Nezur_Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Nezur_Loader.exe

Filesize
1.2MB

MD5
65e9703b2974342ee9f1689f75de78fc

SHA1
3acb6ca13d01f5b5d3b7016c44cd5cbbe64b5f0a

SHA256
5e12aa23829e37a5ba2250eb4ac4bb859c87bcc337522286b2da85113af7d255

SHA512
b357f60d6dbd19f0f47b608e7c89a5a1c405c9c3915530df71976696fbb7d51c15ac69d01be2ace5668ebc87936e815d8d414472cc0429e29c8cf18edec6cd7d

Download Submit
C:\Users\Admin\AppData\Roaming\wyvernunbanner.exe

Filesize
41KB

MD5
8c0ead2cbe490984b478ec5f694d187c

SHA1
7c2ad7cbeb7722825421cdf457a00259cbd2c177

SHA256
a0150c4e756d7df71931fb9661be086354b36bf654aaa6acc2d51e5ff0da9c25

SHA512
4a0dfd3b984185af61c1502c1894a73738e16ea841c3b877d2ebc5d7bc302b8dbecdbf9b3fc78f2ebdced4e32360c9fde7dfff964ec1701c6627639b8b231d78

Download Submit
memory/2652-0-0x00007FFC6B913000-0x00007FFC6B915000-memory.dmp

Filesize
8KB

Download
memory/2652-1-0x0000000000910000-0x0000000000A66000-memory.dmp

Filesize
1.3MB

Download
memory/4344-24-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4344-28-0x00007FFC6B910000-0x00007FFC6C3D2000-memory.dmp

Filesize
10.8MB

Download
memory/4344-34-0x00007FFC6B910000-0x00007FFC6C3D2000-memory.dmp

Filesize
10.8MB

Download
memory/4344-35-0x00007FFC6B910000-0x00007FFC6C3D2000-memory.dmp

Filesize
10.8MB

Download
memory/4344-36-0x00007FFC6B910000-0x00007FFC6C3D2000-memory.dmp

Filesize
10.8MB

Download