xworm | d9893a1d31b8338aedd6f9116cb5dc2c04ace45ca6f065e829ecb68c41db96c7

General

Target

wizwormv4.exe
Size

13.3MB
MD5

326cae42b360bc91696a9a09d1f497f9
SHA1

9162a3fa7edd91db0b4b209ffb632f4933530e19
SHA256

d9893a1d31b8338aedd6f9116cb5dc2c04ace45ca6f065e829ecb68c41db96c7
SHA512

a89d1551d86502d222346d44337cccabb0de1586e0d1b8981b9e63676c2341054d61fdb77d07df3aeca0920b60de5031f45067bd23bf3bb0e198224f441c910a
SSDEEP

393216:uOLsLayrPGrYlesyvrNxJ/2eMxV3ODQvT6O9lDp2h:jALHbOEiNiDhmQjg

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

C2

3skr.uncofig.com:9999

Mutex

wRjQMjeNtaZnUCMU

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7942324376:AAFz5Z-GdKIj1CePZyqIUmvNWOymMRw8Lmk/sendMessage?chat_id=2078478344

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000120fc-6.dat	family_xworm
behavioral1/memory/2988-8-0x0000000001220000-0x0000000001230000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2928	powershell.exe
1684	powershell.exe
3036	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\set.lnk	set.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\set.lnk	set.exe

Executes dropped EXE 2 IoCs

pid	Process
2988	set.exe
1824	WizWorm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2312	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2928	powershell.exe
1684	powershell.exe
3036	powershell.exe
2988	set.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	set.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2988	set.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2988	set.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2988	2840	wizwormv4.exe	29
PID 2840 wrote to memory of 2988	2840	wizwormv4.exe	29
PID 2840 wrote to memory of 2988	2840	wizwormv4.exe	29
PID 2840 wrote to memory of 1824	2840	wizwormv4.exe	30
PID 2840 wrote to memory of 1824	2840	wizwormv4.exe	30
PID 2840 wrote to memory of 1824	2840	wizwormv4.exe	30
PID 1824 wrote to memory of 2796	1824	WizWorm.exe	32
PID 1824 wrote to memory of 2796	1824	WizWorm.exe	32
PID 1824 wrote to memory of 2796	1824	WizWorm.exe	32
PID 2988 wrote to memory of 2928	2988	set.exe	33
PID 2988 wrote to memory of 2928	2988	set.exe	33
PID 2988 wrote to memory of 2928	2988	set.exe	33
PID 2988 wrote to memory of 1684	2988	set.exe	35
PID 2988 wrote to memory of 1684	2988	set.exe	35
PID 2988 wrote to memory of 1684	2988	set.exe	35
PID 2988 wrote to memory of 3036	2988	set.exe	37
PID 2988 wrote to memory of 3036	2988	set.exe	37
PID 2988 wrote to memory of 3036	2988	set.exe	37
PID 2988 wrote to memory of 1076	2988	set.exe	39
PID 2988 wrote to memory of 1076	2988	set.exe	39
PID 2988 wrote to memory of 1076	2988	set.exe	39
PID 1076 wrote to memory of 2312	1076	cmd.exe	41
PID 1076 wrote to memory of 2312	1076	cmd.exe	41
PID 1076 wrote to memory of 2312	1076	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\wizwormv4.exe
"C:\Users\Admin\AppData\Local\Temp\wizwormv4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\set.exe
  "C:\Users\Admin\AppData\Local\Temp\set.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\set.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'set.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\set.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDD16.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2312
- C:\Users\Admin\AppData\Local\Temp\WizWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1824 -s 608
    3⤵
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WizWorm.exe

Filesize
19.8MB

MD5
df02e1780dd49d8f537b1250211696fa

SHA1
ed88bba690cae57196ba10fa01ec1b86f6a39fd6

SHA256
27d5ba22bafbd94685f9c8cd3e6ebabd88e2a94bbd6be8ec25ec023b0e5c066d

SHA512
fef2bbc7840fa1066ac696d0da731adaa2d57b5a63b94cf7362ede33cb590452ddd9ec253d4c03b8b7e86e93fa4a367c0882fa8f498f40a19944ccad4674d223

Download Submit
C:\Users\Admin\AppData\Local\Temp\set.exe

Filesize
38KB

MD5
e1929d0781ff08abf8be3051479043b6

SHA1
0605a5657e022bd1cadf80f13446c678728dcde9

SHA256
b4ae6a462c5f24bec5870f6e92d94a00b1e1a4abd95e5433d6ac99a0f9d92042

SHA512
fb47c341b636293d500f1892f02e2be2b16bd0301eedc0c30025c00ae22ce3fe6d42abc0a4837cc5551eeed6cd5bbe815a0301db86bac6a84177a6c103d54d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDD16.tmp.bat

Filesize
155B

MD5
b207f9eecf1711b6aa27f1a6d74822a8

SHA1
aa25320fad58d9c914a4a49a47d010dcb95f555f

SHA256
9fc830eef1428c8206e2de2dd5b9dc8e2d01210e41b4156dd0039ab2f8c887e2

SHA512
da77c03b23acfc8d7959eb6f564a51462698466a9a44c71329592c725a6ad7877ec51c626c7f911a6309ca1016afe776c344a2db963c47b339c8a40c45a73e09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3GFL4PYJMUTE83RP2NYG.temp

Filesize
7KB

MD5
975d91185717e455c949655f82bb4df4

SHA1
34bd0278369f90464457e014e7de4d1a56c31649

SHA256
c0e26cc1d6716135bff2117e57702e0006bdaaccddc1fe00d9612b40503ff18e

SHA512
6940db9466ff89734f4b769dae52ddad5f9ae7b223dcbd32a4cc4b87a0f4c7d5bb07ec9beda6ea1e0c5f7ca0fa3cda9df05cc935895dd4bde8bb6e3a88286178

Download Submit
memory/1684-31-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download
memory/1684-30-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/1824-17-0x0000000000280000-0x000000000165A000-memory.dmp

Filesize
19.9MB

Download
memory/2840-9-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-18-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

Filesize
4KB

Download
memory/2840-1-0x0000000000C10000-0x000000000195E000-memory.dmp

Filesize
13.3MB

Download
memory/2928-23-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2928-24-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2988-10-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-8-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/2988-37-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-53-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing