xworm | 317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9

Analysis

max time kernel
148s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe
Size

324KB
MD5

f60edabee0df313d9bd92cbec28e5b90
SHA1

a786c8938c83656ed690c2a104ca4cd4838065ab
SHA256

317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9
SHA512

f043922cd08e6aeb160f4022a60d222d6567cff74c3c8cec952ef293412c70ae0243deac1b07781e96be5124e33cac7294fb87af89f956541040a902995c4918
SSDEEP

768:Ohm7Omh+D1DT3QVYA82vJ6lEbFEPG9pHZ6vOChSzYi34Npp6uBRpeT:OhALh+g+EF19VZ6vOCw5oNpp65T

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:6414

fixed-execution.gl.at.ply.gg:6414

Mutex

0eMY5b21feXBm85M

Attributes

Install_directory
%Temp%
install_file
Discord.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2068-1-0x0000000000240000-0x0000000000298000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\Discord.exe	family_xworm
behavioral1/memory/2568-36-0x0000000001000000-0x0000000001058000-memory.dmp	family_xworm
behavioral1/memory/1104-39-0x0000000000280000-0x00000000002D8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2628 powershell.exe
2472 powershell.exe
2876 powershell.exe
2356 powershell.exe

pid	process
2628	powershell.exe
2472	powershell.exe
2876	powershell.exe
2356	powershell.exe

Drops startup file 2 IoCs

Processes:

317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

Processes:

Discord.exeDiscord.exe

pid process

2568 Discord.exe
1104 Discord.exe

pid	process
2568	Discord.exe
1104	Discord.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Discord.exe"	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1704 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe

pid process

2628 powershell.exe
2472 powershell.exe
2876 powershell.exe
2356 powershell.exe
2068 317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe

flow	ioc
4	ip-api.com

pid	process
1704	schtasks.exe

pid	process
2628	powershell.exe
2472	powershell.exe
2876	powershell.exe
2356	powershell.exe
2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exepowershell.exepowershell.exepowershell.exepowershell.exeDiscord.exeDiscord.exe

description	pid	process
Token: SeDebugPrivilege	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe
Token: SeDebugPrivilege	2568	Discord.exe
Token: SeDebugPrivilege	1104	Discord.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe

pid process

2068 317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe

pid	process
2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exetaskeng.exe

description	pid	process	target process
PID 2068 wrote to memory of 2628	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	powershell.exe
PID 2068 wrote to memory of 2628	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	powershell.exe
PID 2068 wrote to memory of 2628	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	powershell.exe
PID 2068 wrote to memory of 2472	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	powershell.exe
PID 2068 wrote to memory of 2472	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	powershell.exe
PID 2068 wrote to memory of 2472	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	powershell.exe
PID 2068 wrote to memory of 2876	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	powershell.exe
PID 2068 wrote to memory of 2876	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	powershell.exe
PID 2068 wrote to memory of 2876	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	powershell.exe
PID 2068 wrote to memory of 2356	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	powershell.exe
PID 2068 wrote to memory of 2356	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	powershell.exe
PID 2068 wrote to memory of 2356	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	powershell.exe
PID 2068 wrote to memory of 1704	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	schtasks.exe
PID 2068 wrote to memory of 1704	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	schtasks.exe
PID 2068 wrote to memory of 1704	2068	317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe	schtasks.exe
PID 2016 wrote to memory of 2568	2016	taskeng.exe	Discord.exe
PID 2016 wrote to memory of 2568	2016	taskeng.exe	Discord.exe
PID 2016 wrote to memory of 2568	2016	taskeng.exe	Discord.exe
PID 2016 wrote to memory of 1104	2016	taskeng.exe	Discord.exe
PID 2016 wrote to memory of 1104	2016	taskeng.exe	Discord.exe
PID 2016 wrote to memory of 1104	2016	taskeng.exe	Discord.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9_NeikiAnalytics.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Discord.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\taskeng.exe
taskeng.exe {D8F7DAD3-C361-4A0A-97AF-A37B8B362F42} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\Discord.exe
C:\Users\Admin\AppData\Local\Temp\Discord.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Users\Admin\AppData\Local\Temp\Discord.exe
C:\Users\Admin\AppData\Local\Temp\Discord.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Discord.exe
Filesize
324KB

MD5
f60edabee0df313d9bd92cbec28e5b90

SHA1
a786c8938c83656ed690c2a104ca4cd4838065ab

SHA256
317c57e4052e0e8898e68b2ae9118855e953c2efb6b2ea841e4d2d5e16d7f7b9

SHA512
f043922cd08e6aeb160f4022a60d222d6567cff74c3c8cec952ef293412c70ae0243deac1b07781e96be5124e33cac7294fb87af89f956541040a902995c4918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
7553918aa24dbf8b260bb671f2602f2b

SHA1
9a96538fcced3573448174a78852bf86a4aa2276

SHA256
9a290512e9698734d57fe3fbec69136c3aea049fa09e98381c95b2cbacf7e609

SHA512
498b0c9e0776d675e8058c314fa37e502c5977b1a6d66d42c5c1f9be95b40bbaad20347a958438dc1824bfd573abe4bc7cfb5ff58ef067455c6d4207f3ee7ee3

Download Submit
memory/1104-39-0x0000000000280000-0x00000000002D8000-memory.dmp

Filesize
352KB

Download
memory/2068-1-0x0000000000240000-0x0000000000298000-memory.dmp

Filesize
352KB

Download
memory/2068-2-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2068-7-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2068-32-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2472-16-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2472-17-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2568-36-0x0000000001000000-0x0000000001058000-memory.dmp

Filesize
352KB

Download
memory/2628-8-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2628-10-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2628-9-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download