xworm | d9893a1d31b8338aedd6f9116cb5dc2c04ace45ca6f065e829ecb68c41db96c7

Analysis

max time kernel
200s
max time network
212s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-01-2025 12:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

wizworm v4.exe
Size

13.3MB
MD5

326cae42b360bc91696a9a09d1f497f9
SHA1

9162a3fa7edd91db0b4b209ffb632f4933530e19
SHA256

d9893a1d31b8338aedd6f9116cb5dc2c04ace45ca6f065e829ecb68c41db96c7
SHA512

a89d1551d86502d222346d44337cccabb0de1586e0d1b8981b9e63676c2341054d61fdb77d07df3aeca0920b60de5031f45067bd23bf3bb0e198224f441c910a
SSDEEP

393216:uOLsLayrPGrYlesyvrNxJ/2eMxV3ODQvT6O9lDp2h:jALHbOEiNiDhmQjg

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

3skr.uncofig.com:9999

Mutex

wRjQMjeNtaZnUCMU

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7942324376:AAFz5Z-GdKIj1CePZyqIUmvNWOymMRw8Lmk/sendMessage?chat_id=2078478344

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001c00000002ab08-7.dat	family_xworm
behavioral2/memory/1528-15-0x0000000000A30000-0x0000000000A40000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3416	powershell.exe
2312	powershell.exe
3032	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\set.lnk	set.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\set.lnk	set.exe

Executes dropped EXE 3 IoCs

pid	Process
1528	set.exe
920	WizWorm.exe
4788	zpqghe.COM

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3416	powershell.exe
3416	powershell.exe
2312	powershell.exe
2312	powershell.exe
3032	powershell.exe
3032	powershell.exe
1528	set.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	set.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1528	set.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1528	set.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1528	2604	wizworm v4.exe	77
PID 2604 wrote to memory of 1528	2604	wizworm v4.exe	77
PID 2604 wrote to memory of 920	2604	wizworm v4.exe	78
PID 2604 wrote to memory of 920	2604	wizworm v4.exe	78
PID 1528 wrote to memory of 3416	1528	set.exe	83
PID 1528 wrote to memory of 3416	1528	set.exe	83
PID 1528 wrote to memory of 2312	1528	set.exe	85
PID 1528 wrote to memory of 2312	1528	set.exe	85
PID 1528 wrote to memory of 3032	1528	set.exe	87
PID 1528 wrote to memory of 3032	1528	set.exe	87
PID 1528 wrote to memory of 4788	1528	set.exe	89
PID 1528 wrote to memory of 4788	1528	set.exe	89

C:\Users\Admin\AppData\Local\Temp\wizworm v4.exe
"C:\Users\Admin\AppData\Local\Temp\wizworm v4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\set.exe
  "C:\Users\Admin\AppData\Local\Temp\set.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\set.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'set.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\set.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\zpqghe.COM
    "C:\Users\Admin\AppData\Local\Temp\zpqghe.COM"
    3⤵
    - Executes dropped EXE
    PID:4788
  - - C:\Users\Admin\AppData\Local\Temp\MBR2.exe
      "C:\Users\Admin\AppData\Local\Temp\MBR2.exe"
      4⤵
      PID:2780
    - - C:\Windows\System32\MatrixMBR.exe
        
        "C:\Windows\System32\MatrixMBR.exe"
        5⤵
        
        PID:1544
      - C:\Users\Admin\AppData\Local\Temp\GDI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GDI.exe"
        6⤵
        
        PID:1552
      - C:\Users\Admin\AppData\Local\Temp\MBR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MBR.exe"
        6⤵
        
        PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\TROLL5.exe
      "C:\Users\Admin\AppData\Local\Temp\TROLL5.exe"
      4⤵
      PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\TROLL2.exe
      "C:\Users\Admin\AppData\Local\Temp\TROLL2.exe"
      4⤵
      PID:3516
- C:\Users\Admin\AppData\Local\Temp\WizWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"
  2⤵
  - Executes dropped EXE
  PID:920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004B8
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Temp\GDI.exe

Filesize
11KB

MD5
c08ae6d9c6ecd7e13f827bf68767785f

SHA1
e71c2ec8d00c1e82b8b07baee0688b0a28604454

SHA256
e153def894c867923dd56a7025b7b0b7bd3ee37c801a5957201d39f999bb28bf

SHA512
c28bbe8abc66ad2433e5a3b93a4601b28225e86cb4bff077fd3224adfa63164bebfa3002a42b1cb4cb3c7ccad0208f8b143b8a17099bea04fcb964e667c7a1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR.exe

Filesize
93KB

MD5
d2fc66cf781a2497fceb4041a93cc676

SHA1
480b1aa31b0b31fc0e0833afbba06533ab9a90ee

SHA256
acddde9514e3b9d5c40b3d1750af5f4187c99f8987b027d6da44fb6bcf79b3ca

SHA512
6c4cb42f786301be7614d4cb0b32601fea151351b0877e2371632435eb2c54bd4cd04d6b23bf4f49017ccaf679331162aac7329a1ed2409e3c2e02d0326e3487

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR2.exe

Filesize
205KB

MD5
3dc0e225f886bae3b655cd9d738ed32f

SHA1
abda127fd477bd9d051cd57b16ac13f44030a9ae

SHA256
c22e2419f04fe03a92255a139ca8814697962e86d191a1d4171788fd0c903f68

SHA512
c8a6c0bfa96defde6f83d847583ff2ec065a43f80f9886259a2d1fe7df306ef6ed7aeed61b7dcf0bdc111fc67419eb66cf1ca44e831711dd4ea7d25ed9aed09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL2.exe

Filesize
105KB

MD5
52a2a5517deb1a06896891a35299ce20

SHA1
badcbdfef312bd71de997a7416ee20cee5d66af6

SHA256
dcdf5140bc51db27f3aec80ae9a66a57aad446a2522904d288770e8d8cde8cee

SHA512
7cb0de412c0508f5af522aeaf3731dda418f72f7cae8dd3f21b34d5cdbc08f9dea8699d59878610496c68d687227a0269739221490d70d03b8e4b84dfd29d5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL5.exe

Filesize
712KB

MD5
542a4e400ff233b21a1a3c27751ac783

SHA1
000a67f00b0003531d65a6ed6f16488ae5dcd0fe

SHA256
79f00c7dab0891824136539fabd542c74e26cbed94b9add3f1aa7f793d653de6

SHA512
8335118ca0c268635d9495b331fb65800a32a0631f132cd34ce84ca3b523d0a9e23eee6d76539d0c81d86fda534da56c936914012d8bad35040b15cc8caaf645

Download Submit
C:\Users\Admin\AppData\Local\Temp\WizWorm.exe

Filesize
19.8MB

MD5
df02e1780dd49d8f537b1250211696fa

SHA1
ed88bba690cae57196ba10fa01ec1b86f6a39fd6

SHA256
27d5ba22bafbd94685f9c8cd3e6ebabd88e2a94bbd6be8ec25ec023b0e5c066d

SHA512
fef2bbc7840fa1066ac696d0da731adaa2d57b5a63b94cf7362ede33cb590452ddd9ec253d4c03b8b7e86e93fa4a367c0882fa8f498f40a19944ccad4674d223

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tt4wp4g4.55w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\set.exe

Filesize
38KB

MD5
e1929d0781ff08abf8be3051479043b6

SHA1
0605a5657e022bd1cadf80f13446c678728dcde9

SHA256
b4ae6a462c5f24bec5870f6e92d94a00b1e1a4abd95e5433d6ac99a0f9d92042

SHA512
fb47c341b636293d500f1892f02e2be2b16bd0301eedc0c30025c00ae22ce3fe6d42abc0a4837cc5551eeed6cd5bbe815a0301db86bac6a84177a6c103d54d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpqghe.COM

Filesize
921KB

MD5
d0ae6aea701de9f127f91e7efdb50252

SHA1
cb9ef64cbcb999372fb4046e99fe89a03df9bc81

SHA256
c1aeab35f61f12db28274d82713bff400b808625854a18e49504022f92805e31

SHA512
505d11808e9923ff0ec1a51acd51509711f8c5c42da81b47a97249954b06f6f45ddda4655446daeb7f231785cd484ebc6e9ada92b857ad3a8d7ce04276536f13

Download Submit
C:\Windows\System32\MatrixMBR.exe

Filesize
250KB

MD5
24c441662c09b94e14a4096a8e59c316

SHA1
11576cad137bd8ed76efecd711c0390fe5c85292

SHA256
339fe94164952a8454e6ec5fc75e2c38baade2c14b231e47bf41989ffbb55ee4

SHA512
7f6ca1366733c5fb4925001c0846510732031a9e5f1b16291ff596187c20a88f41193389cedcb73e3928c318fc972be4f03e3cb71f1487c34642897ff9a2b590

Download Submit
memory/920-33-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/920-32-0x000001AF674D0000-0x000001AF688AA000-memory.dmp

Filesize
19.9MB

Download
memory/920-31-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/1528-72-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/1528-34-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/1528-74-0x00000000010F0000-0x00000000010FA000-memory.dmp

Filesize
40KB

Download
memory/1528-16-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/1528-71-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/1528-15-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/1544-134-0x0000000000A20000-0x0000000000A66000-memory.dmp

Filesize
280KB

Download
memory/1552-156-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2604-4-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/2604-30-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/2604-1-0x0000000000C30000-0x000000000197E000-memory.dmp

Filesize
13.3MB

Download
memory/2604-0-0x00007FFE22B93000-0x00007FFE22B95000-memory.dmp

Filesize
8KB

Download
memory/2780-103-0x0000000000A50000-0x0000000000A8A000-memory.dmp

Filesize
232KB

Download
memory/3416-40-0x000001EC71FA0000-0x000001EC71FC2000-memory.dmp

Filesize
136KB

Download
memory/3516-135-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4756-118-0x0000000005DD0000-0x0000000006376000-memory.dmp

Filesize
5.6MB

Download
memory/4756-120-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/4756-119-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/4756-117-0x0000000000BE0000-0x0000000000C98000-memory.dmp

Filesize
736KB

Download
memory/4788-81-0x000000001BBD0000-0x000000001BCB4000-memory.dmp

Filesize
912KB

Download
memory/4788-80-0x0000000000D90000-0x0000000000E7C000-memory.dmp

Filesize
944KB

Download