Malware Analysis Report

2024-11-16 13:34

Sample ID 240526-rtdkgsac76
Target DarkLoader.exe
SHA256 00850425582a22c868e727fbb72c188db08232313902f13b59473f7d46dc722a
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00850425582a22c868e727fbb72c188db08232313902f13b59473f7d46dc722a

Threat Level: Known bad

The file DarkLoader.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Xworm family

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 14:28

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 14:28

Reported

2024-05-26 14:31

Platform

win11-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DarkLoader.lnk | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DarkLoader.lnk | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkLoader = "C:\\ProgramData\\DarkLoader.exe" | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 5.tcp.eu.ngrok.io | N/A | N/A
N/A | 5.tcp.eu.ngrok.io | N/A | N/A
N/A | 5.tcp.eu.ngrok.io | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe

"C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DarkLoader.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\DarkLoader.exe'

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | i.ibb.co | udp
FR | 162.19.58.160:443 | i.ibb.co | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp
US | 145.14.144.151:443 | wiznon.000webhostapp.com | tcp
US | 65.191.34.109:6000 | wiz.bounceme.net | tcp
DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp
GB | 184.25.204.17:443 | (none) | tcp
US | 20.42.65.94:443 | browser.pipe.aria.microsoft.com | tcp
NL | 23.62.61.129:443 | r.bing.com | tcp
NL | 23.62.61.129:443 | r.bing.com | tcp
NL | 23.62.61.129:443 | r.bing.com | tcp
NL | 23.62.61.129:443 | r.bing.com | tcp
NL | 23.62.61.129:443 | r.bing.com | tcp
NL | 23.62.61.129:443 | r.bing.com | tcp
US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp
DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp
US | 65.191.34.109:6000 | wiz.bounceme.net | tcp
DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp
US | 65.191.34.109:6000 | wiz.bounceme.net | tcp
DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp
US | 65.191.34.109:6000 | wiz.bounceme.net | tcp
DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.64.4.198:19444 | 5.tcp.eu.ngrok.io | tcp
US | 65.191.34.109:6000 | wiz.bounceme.net | tcp
DE | 3.64.4.198:19444 | 5.tcp.eu.ngrok.io | tcp
DE | 3.64.4.198:19444 | 5.tcp.eu.ngrok.io | tcp

Files

memory/1340-0-0x00007FFD97EF3000-0x00007FFD97EF5000-memory.dmp

memory/1340-1-0x0000000000960000-0x0000000000974000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dzrgx2a3.fmm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1696-10-0x0000021BA1410000-0x0000021BA1432000-memory.dmp

memory/1696-11-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/1696-12-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/1696-13-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/1696-14-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/1696-17-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/1696-18-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 437395ef86850fbff98c12dff89eb621
SHA1 9cec41e230fa9839de1e5c42b7dbc8b31df0d69c
SHA256 9c39f3e1ee674a289926fddddfc5549740c488686ec6513f53848a225c192ba6
SHA512 bc669893f5c97e80a62fc3d15383ed7c62ffc86bc986401735903019bb96a5f13e4d0f6356baa2021267503a4eb62681e58e28fcff435350e83aa425fa76cd64

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5a229813bb19961125dd054b7137e8a7
SHA1 467c80909ebdfac7d0d9da24528fcb23ac052548
SHA256 9681554aa5cc22dd2b54fe5089f6417341c2c32915a3feadc61fc864f0742177
SHA512 37a408318d49bbe01acb04e57e5222e3cec89cd063ea26e18f20095955a85324bdccd036cb6efd4705a158b327041e66d4724ba3c87d6f8fa4428a99a93d87cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f8c40f7624e23fa92ae2f41e34cfca77
SHA1 20e742cfe2759ac2adbc16db736a9e143ca7b677
SHA256 c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b
SHA512 f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

memory/1340-46-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/1340-47-0x000000001C3A0000-0x000000001C3AE000-memory.dmp

memory/1340-48-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp