xworm | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
Size

40KB
MD5

04ca884a9dfccd6baaee58f2177080d0
SHA1

c10be9c9b0ec84918aaecc237683cb199af0265b
SHA256

42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414
SHA512

8827a87f4062af43b5f3d2c9c48533c8e9962e88163e3979c42e597918cefc8090860dd8b6c10b67af643bd7f5f60dcfd6f1adf258fa28b41a59f4481613994c
SSDEEP

768:YNfPMSk3K/EzTb/0X8WuFZ4ZJF5PC9O9L68OMh43/Ol:Yf05a/CTjS89wFc9UL68OMui

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

156.225.129.219:7000

Mutex

UgCHSjyyhcAoKoh0

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/3192-1-0x0000000000C10000-0x0000000000C20000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1064 powershell.exe
3324 powershell.exe
3004 powershell.exe
3756 powershell.exe

resource	yara_rule
behavioral2/memory/3192-1-0x0000000000C10000-0x0000000000C20000-memory.dmp	family_xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe

Drops startup file 2 IoCs

Processes:

42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
14	ip-api.com

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe

pid	process
1064	powershell.exe
1064	powershell.exe
3324	powershell.exe
3324	powershell.exe
3004	powershell.exe
3004	powershell.exe
3756	powershell.exe
3756	powershell.exe
3192	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3192	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3192	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe

pid process

3192 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe

pid	process
3192	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe

description	pid	process	target process
PID 3192 wrote to memory of 1064	3192	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe	powershell.exe
PID 3192 wrote to memory of 1064	3192	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe	powershell.exe
PID 3192 wrote to memory of 3324	3192	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe	powershell.exe
PID 3192 wrote to memory of 3324	3192	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe	powershell.exe
PID 3192 wrote to memory of 3004	3192	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe	powershell.exe
PID 3192 wrote to memory of 3004	3192	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe	powershell.exe
PID 3192 wrote to memory of 3756	3192	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe	powershell.exe
PID 3192 wrote to memory of 3756	3192	42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\csrss'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
f4038903775bd49192beef39594c3614

SHA1
db4d190d86ea4a231ce6b5408860220a1020077f

SHA256
97a71179aa74dbcd1c58694ee6d2fa7faa432312db4f803611ac478d9c0256ec

SHA512
059cf3c5afc9cc7eace9a6a9ae05db5ad1f7620e6def9885a317c377eb6cfe2056e4f3aa03c7a2035d21a332626d292116594303d97c5c82b8c5b0eedcbb9332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d298fb959e456936bab85c646ae01f62

SHA1
34b7adb3a4da5ef84f81101c13a293b7fd059a7d

SHA256
0a173048ea747b64f3495f90a8f76c51711be0d1725f2fb95dbfc269ceccb85a

SHA512
2ea3879d98e961e9398ff3007531f65a4b1022c844d6204df8589382ebdb2cb37c9d70d8ce6e97aed088d6e73e60072951a458a62154a7af8a23c8ca86d7ab87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i0za2nza.j0p.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1064-18-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

Filesize
10.8MB

Download
memory/1064-12-0x00000252DD960000-0x00000252DD982000-memory.dmp

Filesize
136KB

Download
memory/1064-15-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

Filesize
10.8MB

Download
memory/1064-14-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

Filesize
10.8MB

Download
memory/1064-13-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-45-0x00000253E7390000-0x00000253E75AC000-memory.dmp

Filesize
2.1MB

Download
memory/3004-44-0x00000253E7260000-0x00000253E72A8000-memory.dmp

Filesize
288KB

Download
memory/3192-2-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3192-0-0x00007FF816413000-0x00007FF816415000-memory.dmp

Filesize
8KB

Download
memory/3192-1-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/3192-60-0x00007FF816413000-0x00007FF816415000-memory.dmp

Filesize
8KB

Download
memory/3192-61-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3324-31-0x000002C2E9F80000-0x000002C2E9FC8000-memory.dmp

Filesize
288KB

Download
memory/3324-32-0x000002C2EA030000-0x000002C2EA24C000-memory.dmp

Filesize
2.1MB

Download