Malware Analysis Report

2024-10-19 06:53

Sample ID 240125-a862xadabp
Target ttd_scam_tool_api.exe
SHA256 7407aaf1912fe74b954790db86481e9f71b69d9ceb5da210366052c64cdf295a
Tags
xworm rat trojan stealerium stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7407aaf1912fe74b954790db86481e9f71b69d9ceb5da210366052c64cdf295a

Threat Level: Known bad

The file ttd_scam_tool_api.exe was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan stealerium stealer

Detect Xworm Payload

Xworm

Stealerium

Contains code to disable Windows Defender

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 00:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 00:54

Reported

2024-01-25 01:29

Platform

win7-20231129-en

Max time kernel

1523s

Max time network

1562s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe

"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ttd_scam_tool_api.exe'

Network

Country Destination Domain Proto
US 147.185.221.16:40164 tcp
US 147.185.221.16:40164 tcp
US 147.185.221.16:40164 tcp

Files

memory/1652-0-0x0000000000F90000-0x0000000000FA4000-memory.dmp

memory/1652-1-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp

memory/2968-6-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

memory/2968-7-0x0000000001F00000-0x0000000001F08000-memory.dmp

memory/2968-9-0x0000000002C40000-0x0000000002CC0000-memory.dmp

memory/2968-8-0x000007FEF2240000-0x000007FEF2BDD000-memory.dmp

memory/2968-10-0x000007FEF2240000-0x000007FEF2BDD000-memory.dmp

memory/2968-13-0x0000000002C40000-0x0000000002CC0000-memory.dmp

memory/2968-12-0x0000000002C40000-0x0000000002CC0000-memory.dmp

memory/2968-11-0x0000000002C40000-0x0000000002CC0000-memory.dmp

memory/2968-14-0x000007FEF2240000-0x000007FEF2BDD000-memory.dmp

memory/2604-20-0x000000001B650000-0x000000001B932000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E3G8JDFMUNIKLXV6Y8EH.temp

MD5 5b1903b19946c3db6820fbf0b43e9a73
SHA1 41b840d326e26f6ff249967a90fe5808acb62a37
SHA256 582b2dbee88f3674c9b547082970ecd881ebeabf88da85f6b55944839fd7d0f3
SHA512 e9b142c483109eed32ed168fd82f61addac38d8283c0b7f5849cfaaa52d6577ba32ea8089eb42dbca5b45d6cd6d18c6a60c9677d599bc6e221a403e17f6e5a51

memory/2604-22-0x0000000002340000-0x0000000002348000-memory.dmp

memory/2604-21-0x000007FEEFC90000-0x000007FEF062D000-memory.dmp

memory/2604-23-0x0000000002C60000-0x0000000002CE0000-memory.dmp

memory/2604-24-0x000007FEEFC90000-0x000007FEF062D000-memory.dmp

memory/2604-27-0x0000000002C60000-0x0000000002CE0000-memory.dmp

memory/2604-26-0x0000000002C60000-0x0000000002CE0000-memory.dmp

memory/2604-28-0x000007FEEFC90000-0x000007FEF062D000-memory.dmp

memory/1652-29-0x000000001B1B0000-0x000000001B230000-memory.dmp

memory/2604-25-0x0000000002C60000-0x0000000002CE0000-memory.dmp

memory/1652-30-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp

memory/1652-31-0x000000001B1B0000-0x000000001B230000-memory.dmp

memory/1652-32-0x000000001C0F0000-0x000000001C1A0000-memory.dmp

memory/1652-34-0x00000000005E0000-0x00000000005EC000-memory.dmp

memory/1652-35-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 00:54

Reported

2024-01-25 01:30

Platform

win10v2004-20231215-en

Max time kernel

1471s

Max time network

1501s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealerium

stealer stealerium

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\Builder.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe

"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ttd_scam_tool_api.exe'

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap28960:78:7zEvent5209

C:\Users\Admin\Desktop\Builder.exe

"C:\Users\Admin\Desktop\Builder.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt

C:\Users\Admin\Desktop\Builder.exe

"C:\Users\Admin\Desktop\Builder.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 147.185.221.16:40164 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 16.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 147.185.221.16:40164 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 147.185.221.16:40164 tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 162.159.137.232:443 discord.com tcp
US 147.185.221.16:40164 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp

Files

memory/2192-0-0x00000000000E0000-0x00000000000F4000-memory.dmp

memory/2192-1-0x00007FF9C9420000-0x00007FF9C9EE1000-memory.dmp

memory/3708-12-0x00007FF9C9420000-0x00007FF9C9EE1000-memory.dmp

memory/3708-11-0x000001F49BE90000-0x000001F49BEB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnenuoa2.xuq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3708-13-0x000001F4B4520000-0x000001F4B4530000-memory.dmp

memory/3708-14-0x000001F4B4520000-0x000001F4B4530000-memory.dmp

memory/3708-15-0x000001F4B4520000-0x000001F4B4530000-memory.dmp

memory/3708-18-0x00007FF9C9420000-0x00007FF9C9EE1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 440cb38dbee06645cc8b74d51f6e5f71
SHA1 d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA256 8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA512 3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

memory/4364-29-0x00007FF9C9420000-0x00007FF9C9EE1000-memory.dmp

memory/4364-30-0x0000022238910000-0x0000022238920000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4d8567f2d1c8a09bbfe613145bf78577
SHA1 f2af10d629e6d7d2ecec76c34bd755ecf61be931
SHA256 7437b098af4618fbcefe7522942c862aeaf39a0b82ce05b0797185c552f22a3c
SHA512 89130e5c514e33f5108e308f300614dc63989f3e6a4e762a12982af341ab1c5748dd93fd185698dcf6d3a1ea7234228d04ad962e4ee0a15a683e988f115a84ea

memory/4364-32-0x0000022238910000-0x0000022238920000-memory.dmp

memory/2192-34-0x00007FF9C9420000-0x00007FF9C9EE1000-memory.dmp

memory/4364-35-0x00007FF9C9420000-0x00007FF9C9EE1000-memory.dmp

memory/2192-36-0x000000001AD80000-0x000000001AD90000-memory.dmp

memory/2192-37-0x000000001AD80000-0x000000001AD90000-memory.dmp

memory/2192-38-0x000000001CED0000-0x000000001CF80000-memory.dmp

memory/2192-39-0x000000001D6B0000-0x000000001DBD8000-memory.dmp

C:\Users\Admin\Desktop\Stealerium.zip

MD5 c956487c81dc16555e9232408efbe44d
SHA1 9272088c2dc913b3c6e779a091755b07e7fa3050
SHA256 49d8c623abc37dff7af7d7ea15fa66b27504f166b5bf7a2d486c41ce7923a722
SHA512 1d1f77372991544e502bf6076a2e5c9cea0d80e2afc00a0f4efe97ebf9b74bb18e1b52b3ec02dd3de441fe3114dd3aa15f21fc421ddf93204571acd7b56af64c

C:\Users\Admin\Desktop\Builder.exe

MD5 6c898b9e5467f6d3442a579b7856bdaf
SHA1 9522f2f219deaf4bb52262c2a5d23393037ec35f
SHA256 8bf6beb962bf051de009059554aa265012342bd6ec841abd2aa94ba1335a333f
SHA512 df35d776b2df079a9440ac1b0435e0fe9e4f1c17ee0790b1057ede8f146d90889c1fe727cd5112b27b2f4e96903c83f8ef7d61bc359aa762b708d17ad7676c41

C:\Users\Admin\Desktop\Builder.runtimeconfig.json

MD5 24e4653829de1022d01cd7ddd26e2f22
SHA1 9160a009cb381e044ba4c63e4435da6bfeb9dc6d
SHA256 ded3aeb5856a11db0b654a785574490cab55839ebfb17efe9e39b89618fc5b91
SHA512 efd4bbba1baec0b47003831510e3aa539db9ef468e0f06ba9d7ba6d0b3800035f7c818d7d90171bfd377ec97d08c4617555bcff635dd83efceb412b1a9cca820

C:\Users\Admin\Desktop\Builder.deps.json

MD5 d41bff259e1ebb625fc788fa681377ad
SHA1 b5c8b7725d6f885db30e9237682abfec72aa65be
SHA256 d6a04809c3737f76818082a2caf9b80ac7f0e14bc73b2fabdea2df46d9e25a52
SHA512 8aaed8b1b2e40c5a631753789fcf34dadf95a4aab29f852a98ecb3dc30dc5c1df11d69081fb17282c78e0310e65567ab7339bc58efba6fc7b6f729f31fc040e3

memory/4448-74-0x00007FF9C9FB0000-0x00007FF9CA4AE000-memory.dmp

C:\Users\Admin\Desktop\Builder.dll

MD5 41dd506cd0525197e69d9c8592aed2a7
SHA1 5d04b134c8f1800fbcd664898d34dee8d10d8fa8
SHA256 dcd0162524ce4ae11f5c5e9b496e35ce6a096e5dea8e63b45fa835069737f87c
SHA512 16ba073d871eb9a244b8e733c101e9fec98699d881440e0dfa661e9f331fda0789f232e4abd70dcff3649a5428049590461da83ab7f0078e3ed9c7fc2fbfb28b

C:\Users\Admin\Desktop\Spectre.Console.dll

MD5 46684228e7c345a3368e8a475ec573b7
SHA1 aef278fbd7b3f6a65227c7b6b64eb6d88f6cc433
SHA256 b9617847d85b8efe32d07c4c28f1d16cadd4bfe45a09fd1e24eb82505f913257
SHA512 ce3ca4c8250bca3e97713d4047d0d874b3b6430014fbc3078b34a9f701a9eaa4b5e990ff99864c19b41eba1dfad74e0f6f1a464bef7b3d5ad825dfcb91b3da31

C:\Users\Admin\Desktop\Spectre.Console.ImageSharp.dll

MD5 099edbe28aaacada8a7a12a414a1d68b
SHA1 0cc1b8ed4448f4c7246dc859a6359fda20c2d927
SHA256 52fef316879f90a3897ec33b8a6ca955bd720c8fe53b4479be01b70fcb7d26ee
SHA512 07995720bc9e5d3b253b5cbe3f2700978950a81819d5064c25fbb6fe860c1cd1b32379136a390ab85f4612d82d4b256ba2d8c46cccdf9de04aab16135c2d6fe5

C:\Users\Admin\Desktop\SixLabors.ImageSharp.dll

MD5 523dced95fcb0120698fc194b159a5cd
SHA1 9f6e4c7269caaf2e09b6961551102b1ec16e60a0
SHA256 0d19e3bc90153b7d0360360422355daa569209180dd1e4337f2431148d1d7219
SHA512 325c9c3a316852ea6156a07317a64e369048dc7cfea21e9ea87f8723cf37515f0dfc0a31ab3bf07155ea27938d426c9832c1fcba1ab6c96573cc44eacfa05255

memory/4448-79-0x00007FF9C9FB0000-0x00007FF9CA4AE000-memory.dmp

memory/2192-80-0x0000000000950000-0x000000000095C000-memory.dmp

C:\Users\Admin\Desktop\New Text Document.txt

MD5 4f10bf483c9fe7cb6834229399b10573
SHA1 21665c74392b32fda4931d621c84530046f0d624
SHA256 e8f023aa53cd2f329d30b87a1a4b255b4fcec776d58b9399edffb28370f04105
SHA512 60d2042b9131a22c355f683733cfba008a69cdf96ae89473e7452eb1a88cf5a44e96973b365ef2b5c7f75c2fe172498e620ea76010b0bfd20f0e675177d66048

memory/4448-83-0x00007FF9C9FB0000-0x00007FF9CA4AE000-memory.dmp

memory/4756-85-0x00007FF9C9FB0000-0x00007FF9CA4AE000-memory.dmp

memory/4756-86-0x00007FF9C9FB0000-0x00007FF9CA4AE000-memory.dmp

C:\Users\Admin\Desktop\Mono.Cecil.dll

MD5 6d8d43c5d7dbe36ec01ff8b951cf1e0a
SHA1 d6b8214419870770e1ce398ca06a6a9f0e9e62a3
SHA256 9c2908709da6761e9b5b9d4d46102d65851145bac987787d6c5a05ffe5689487
SHA512 221955b05d83513fadcb79721c96fd467ea871cfa401b279dc8ade426c88df4cadc884dae7a9c418c1012af202263f31ce8b63ca919e1f725eb7c7e8008c3a57

C:\Users\Admin\Desktop\Stub\stub.exe

MD5 6627adf7167ee571e8fd6c8b1a0e8ae3
SHA1 03b9112660ee73c59d84e219f15bf24ae9df48db
SHA256 6c5935bcddaa1d4f809487f66db758e892cc0a7fd7704d138904bc879644ea1f
SHA512 e05896a6e0d09d4dafeb2467395ca06ae1e728a4aa079041dea82940caeb71646984604fdeea482748423b10257b8462db4f573682f9f719939143fdb5691c60

memory/2192-90-0x000000001A700000-0x000000001A70E000-memory.dmp