Malware Analysis Report

2024-11-16 13:34

Sample ID 240526-v9jyzsec4x
Target Injector.exe
SHA256 015d90cb2d696c35b623c2f2283ae931a52fa06eabb162289b183f5bf6c5cafe
Tags: xworm rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 015d90cb2d696c35b623c2f2283ae931a52fa06eabb162289b183f5bf6c5cafe

Threat Level: Known bad

The file Injector.exe was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Detect Xworm Payload

Xworm

Xworm family

Deletes itself

Looks up external IP address via web service

Unsigned PE

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-26 17:41

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-26 17:41
Reported: 2024-05-26 17:43
Platform: win7-20240215-en
Max time kernel: 117s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Injector.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe C:\Windows\system32\cmd.exe
PID 2824 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe C:\Windows\system32\cmd.exe
PID 2824 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe C:\Windows\system32\cmd.exe
PID 2796 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2796 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2796 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Injector.exe

"C:\Users\Admin\AppData\Local\Temp\Injector.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1FFF.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 said-webcam.gl.at.ply.gg udp
US 147.185.221.19:64349 said-webcam.gl.at.ply.gg tcp

Files

memory/2824-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

memory/2824-1-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

memory/2824-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

memory/2824-3-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

memory/2824-4-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1FFF.tmp.bat

MD5 d8dc004c8343981caa95d4bf509c6d05
SHA1 045e943bf7083060edffad0009251b1b2be3be97
SHA256 0f6ef40c96167e40cc98d81cf71976f14bef96211fb6fa33134f7986f961351d
SHA512 8de89c6110cb0cdf61ed6ae9fa351bf373550ed807d0dfcbdd833587ddd823c35e8214a4a69d25f1aa5fda5f37c5dac7643dbb7f7c01aaf0d05c6d6ac43d5f22

memory/2824-14-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-26 17:41
Reported: 2024-05-26 17:44
Platform: win10v2004-20240226-en
Max time kernel: 136s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Injector.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe C:\Windows\system32\cmd.exe
PID 3808 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3808 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Injector.exe

"C:\Users\Admin\AppData\Local\Temp\Injector.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1AE.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 said-webcam.gl.at.ply.gg udp
US 147.185.221.19:64349 said-webcam.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files

memory/2604-0-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp

memory/2604-1-0x0000000000530000-0x0000000000540000-memory.dmp

memory/2604-2-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

memory/2604-3-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp

memory/2604-4-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF1AE.tmp.bat

MD5 5514ff68cab0839bb0d24b01cbcc9ab3
SHA1 7efb192b3bf450724ceef96f3f22a3d7bf409e3a
SHA256 a291a80444885cf70fd44afd73d76f6b560cadf5bb18328d1327287967c1192c
SHA512 b21a04858630c7b087b4ab8a2be599602be4174f9ec77cc7aa04737cd3cad92b76b03dc1580c631af9f546b8d85dfe081998d18dd4e4f20892a96aa83667fe20

memory/2604-9-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp