Malware Analysis Report

2024-09-11 08:42

Sample ID 240427-n8w4laag2v
Target mstc.exe
SHA256 b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
Tags: xworm asyncrat redline sectoprat cheat default infostealer persistence rat trojan

Score: 10/10


Analysis Overview

Score: 10/10

SHA256: b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5

Threat Level: Known bad

The file mstc.exe was found to be: Known bad.

Malicious Activity Summary

xworm asyncrat redline sectoprat cheat default infostealer persistence rat trojan

AsyncRat

RedLine payload

RedLine

Detect Xworm Payload

SectopRAT

Xworm

Xworm family

SectopRAT payload

Async RAT payload

Executes dropped EXE

Drops startup file

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-04-27 12:04

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-27 12:04

Reported: 2024-04-27 12:07

Platform: win7-20240220-en

Max time kernel: 149s

Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\mstc.exe"

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Async RAT payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\mstc.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\mstc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1984 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\schtasks.exe
PID 1984 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\schtasks.exe
PID 1984 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\schtasks.exe
PID 1264 wrote to memory of 340 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1264 wrote to memory of 340 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1264 wrote to memory of 340 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1984 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\cmd.exe
PID 1984 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\cmd.exe
PID 1984 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\System32\cmd.exe
PID 1984 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | C:\Windows\system32\cmd.exe
PID 2888 wrote to memory of 2212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2888 wrote to memory of 2212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2888 wrote to memory of 2212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2000 wrote to memory of 2224 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2000 wrote to memory of 2224 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2000 wrote to memory of 2224 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2888 wrote to memory of 600 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\mstc.exe
PID 2888 wrote to memory of 600 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\mstc.exe
PID 2888 wrote to memory of 600 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\mstc.exe
PID 340 wrote to memory of 528 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 528 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 528 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\schtasks.exe
PID 340 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\schtasks.exe
PID 340 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\mstc.exe

"C:\Users\Admin\AppData\Local\Temp\mstc.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mstc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3E2F0744-3EAD-42E7-AA03-209F18C33EA5} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mstc" /tr '"C:\Users\Admin\AppData\Roaming\mstc.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E8B.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "mstc" /tr '"C:\Users\Admin\AppData\Roaming\mstc.exe"'

C:\Users\Admin\AppData\Roaming\mstc.exe

"C:\Users\Admin\AppData\Roaming\mstc.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | saveclinetsforme68465454711991.publicvm.com | udp
NL | 91.92.254.108:7000 | saveclinetsforme68465454711991.publicvm.com | tcp
NL | 91.92.254.108:1111 | saveclinetsforme68465454711991.publicvm.com | tcp
US | 208.95.112.1:80 | ip-api.com | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 91.92.252.220:7000 | | tcp
NL | 91.92.252.220:7000 | | tcp
NL | 91.92.252.220:7000 | | tcp
N/A | 127.0.0.1:7000 | | tcp
NL | 91.92.254.108:7000 | saveclinetsforme68465454711991.publicvm.com | tcp

Files

memory/1984-0-0x00000000012C0000-0x00000000012D2000-memory.dmp

memory/1984-1-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

memory/1984-2-0x000000001B120000-0x000000001B1A0000-memory.dmp

memory/2600-7-0x0000000002D10000-0x0000000002D90000-memory.dmp

memory/2600-8-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

memory/2600-9-0x0000000001E80000-0x0000000001E88000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I4NENQWYYV8LAUR6YEGG.temp

MD5 c45f350670d0827cd9b4c3390207abb9
SHA1 074db418a534482d4d08fc136cd8365391ed832e
SHA256 6aaee23c7beb49ba9c28dcd947355c86738170c8039c2095f1ca47e97cae1fb1
SHA512 b40ab1c2cef0e3277035fbde9f4344086a51610557bed34cad9f25762f0e2cc58f0c982d679df7d6531e8b5f2b59343746dfb523c97f54f01719c6daf78d8de9

memory/2680-15-0x000000001B610000-0x000000001B8F2000-memory.dmp

memory/2680-16-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1984-32-0x000000001AF70000-0x000000001AF86000-memory.dmp

memory/1984-33-0x000000001AF90000-0x000000001AFAE000-memory.dmp

memory/1984-34-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

memory/1984-35-0x000000001E070000-0x000000001E3C0000-memory.dmp

memory/340-39-0x00000000012A0000-0x00000000012B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\explorer.exe

MD5 17eefbaaa30123fa3091add80026aed4
SHA1 8e43d736ea03bd33de5434bda5e20aae121cd218
SHA256 b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
SHA512 e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09

C:\Users\Admin\AppData\Local\Temp\tmp6E8B.tmp.bat

MD5 922fa1eee2232a137081f0ef28158022
SHA1 2d1abd4d39165aa0fa37b27c89fabec5556809f4
SHA256 2f78b374555cbe69827908781f088b54ddf1dfefa447b9c4fa1630d8fb3f7c38
SHA512 919ab7b76e12a547ee1fb249d68a4cbd1d6d427d27a6f7eadce08e5d1654bed0346ed60ca47931b278b0375cf2a726e60ba4f035e83106542c8881f41359fd60

memory/1984-50-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

memory/600-54-0x0000000001330000-0x0000000001342000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk

MD5 17a581317396a3b401a7e6c9e9f481dc
SHA1 8ca984617273e4f6a77ab66d535414f437ef34ae
SHA256 0cf654b19a6dfb6c33e385e7e057f5e6ef1d923c8f5847868f8aa7e63a9fc588
SHA512 e2c1b38cc01fd1621cd20c6825d419d664b76b5a8266a2ba63e7e0a255fc2e035292ac73131fe7bb554ca9c6408809ff2a22a49ba471bf94e0f49d3b61ab7d6f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-27 12:04

Reported: 2024-04-27 12:07

Platform: win10v2004-20240419-en

Max time kernel: 150s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\mstc.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mstc.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\mstc.exe

"C:\Users\Admin\AppData\Local\Temp\mstc.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mstc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 91.92.252.220:7000 | | tcp
US | 8.8.8.8:53 | saveclinetsforme68465454711991.publicvm.com | udp
US | 8.8.8.8:53 | saveclinetsforme68465454711991.publicvm.com | udp
EG | 41.199.23.195:7000 | | tcp
US | 8.8.8.8:53 | saveclinetsforme68465454711991.publicvm.com | udp

Files

memory/3496-0-0x0000000000510000-0x0000000000522000-memory.dmp

memory/3496-1-0x00007FFFE41E0000-0x00007FFFE4CA1000-memory.dmp

memory/3496-2-0x00000000025D0000-0x00000000025E0000-memory.dmp

memory/4868-5-0x0000024C78760000-0x0000024C78770000-memory.dmp

memory/4868-4-0x0000024C78760000-0x0000024C78770000-memory.dmp

memory/4868-3-0x00007FFFE41E0000-0x00007FFFE4CA1000-memory.dmp

memory/4868-12-0x0000024C78B30000-0x0000024C78B52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rv5twsx1.2od.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3496-16-0x00007FFFE41E0000-0x00007FFFE4CA1000-memory.dmp

memory/4868-17-0x0000024C78760000-0x0000024C78770000-memory.dmp

memory/4868-20-0x00007FFFE41E0000-0x00007FFFE4CA1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5cfe303e798d1cc6c1dab341e7265c15
SHA1 cd2834e05191a24e28a100f3f8114d5a7708dc7c
SHA256 c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab
SHA512 ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2a4825f4f95c5d3d72911c6e7eb902ca
SHA1 4c22133f24e77211313beb0831980029a53e7dde
SHA256 59eecad327a693c8b2e3a5932238cda2141c6a0afbba6a5587933c9f2c1025e0
SHA512 8e09a61c62a4b83f4f323b5b74f89cc26d708fd1fe646317f5f404af8d4d3fcf327f20f5e4a3b310786c0f639df2d17e1a51def08c95fa964928ad6c08c81386

memory/3496-59-0x00000000025D0000-0x00000000025E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\explorer.exe

MD5 17eefbaaa30123fa3091add80026aed4
SHA1 8e43d736ea03bd33de5434bda5e20aae121cd218
SHA256 b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
SHA512 e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1