Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/02/2024, 17:10

General

  • Target

    XWorm RAT V2.1.exe

  • Size

    2.2MB

  • MD5

    835f081566e31c989b525bccb943569c

  • SHA1

    71d04e0a86ce9585e5b7a058beb0a43cf156a332

  • SHA256

    ea9258e9975b8925a739066221d996aef19b4ef4f4c91524f82e39d403f25579

  • SHA512

    9ec58f8c586ecf78ef8d75debc5dba58544558566423a634724bb5ab192aaf64f9ccbee9a5af48124a3366b2a7d24b4db71bb5743978201b881c08bad8f6fb0c

  • SSDEEP

    49152:LdYJMfC7koydmRzCxWO8e89khof23mKijV6WvFw3BAz2tIm0U:qc3vdUEWFySfdw3rtIm

Score
10/10

Malware Config

Signatures

  • Detect rhadamanthys stealer shellcode (4 IoCs)
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies data under HKEY_USERS (2 IoCs)
  • Modifies registry class (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (35 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.exe"
    1⤵
    PID:3208
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdf7e59758,0x7ffdf7e59768,0x7ffdf7e59778
      2⤵
      PID:4588
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:2
      2⤵
      PID:4580
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:8
      2⤵
      PID:3680
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:8
      2⤵
      PID:1968
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:1
      2⤵
      PID:3620
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:1
      2⤵
      PID:3052
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3772 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:1
      2⤵
      PID:2052
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4936 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:1
      2⤵
      PID:2152
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5284 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:8
      2⤵
      PID:3916
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:8
      2⤵
      PID:2564
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:8
      2⤵
      PID:4152
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5440 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:1
      2⤵
      PID:2236
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3068 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:1
      2⤵
      PID:3784
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:8
      2⤵
      PID:1304
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 --field-trial-handle=1888,i,337860584794958395,13513662759833986609,131072 /prefetch:8
      2⤵
      PID:4048
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:3640
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2572
  • C:\Users\Admin\Downloads\XWorm-v5-Remote-Access-Tool-main\XWorm-v5-Remote-Access-Tool-main\XWorm.exe
    "C:\Users\Admin\Downloads\XWorm-v5-Remote-Access-Tool-main\XWorm-v5-Remote-Access-Tool-main\XWorm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Downloads


  • memory/2924-402-0x00000000020A0000-0x00000000020A7000-memory.dmp (Filesize: 28KB)
  • memory/2924-403-0x00000000021E0000-0x00000000025E0000-memory.dmp (Filesize: 4.0MB)
  • memory/2924-404-0x00000000021E0000-0x00000000025E0000-memory.dmp (Filesize: 4.0MB)
  • memory/2924-405-0x00000000021E0000-0x00000000025E0000-memory.dmp (Filesize: 4.0MB)
  • memory/2924-406-0x00000000021E0000-0x00000000025E0000-memory.dmp (Filesize: 4.0MB)
  • memory/3208-2-0x00000000054A0000-0x0000000005A44000-memory.dmp (Filesize: 5.6MB)
  • memory/3208-3-0x0000000004EF0000-0x0000000004F82000-memory.dmp (Filesize: 584KB)
  • memory/3208-5-0x0000000074C30000-0x00000000753E0000-memory.dmp (Filesize: 7.7MB)
  • memory/3208-1-0x0000000000240000-0x0000000000482000-memory.dmp (Filesize: 2.3MB)
  • memory/3208-0-0x0000000074C30000-0x00000000753E0000-memory.dmp (Filesize: 7.7MB)