Malware Analysis Report

2024-11-16 13:36

Sample ID 240527-s92spaae45
Target XClient.exe
SHA256 aead2b72fe8b76ed08c3282ff0d66623bc3f8de7547fd6b2f14a04f12cefb356
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aead2b72fe8b76ed08c3282ff0d66623bc3f8de7547fd6b2f14a04f12cefb356

Threat Level: Known bad

The file XClient.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Xworm family

Detect Xworm Payload

Contains code to disable Windows Defender

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 15:50

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 15:50

Reported

2024-05-27 15:51

Platform

win10v2004-20240508-en

Max time kernel

55s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4488,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.124.142.205:16306 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 205.142.124.3.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1532-0-0x00007FFCA8693000-0x00007FFCA8695000-memory.dmp

memory/1532-1-0x0000000000120000-0x0000000000160000-memory.dmp

memory/1532-2-0x00007FFCA8690000-0x00007FFCA9151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ta5gbkwm.ptm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1028-12-0x0000029D365A0000-0x0000029D365C2000-memory.dmp

memory/1028-13-0x00007FFCA8690000-0x00007FFCA9151000-memory.dmp

memory/1028-14-0x00007FFCA8690000-0x00007FFCA9151000-memory.dmp

memory/1028-15-0x00007FFCA8690000-0x00007FFCA9151000-memory.dmp

memory/1028-18-0x00007FFCA8690000-0x00007FFCA9151000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 750e4be22a6fdadd7778a388198a9ee3
SHA1 8feb2054d8a3767833dd972535df54f0c3ab6648
SHA256 26209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1
SHA512 b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 767e7cbd24fce31b6f1f1c51df98febe
SHA1 30ae8c628bb178790ad8e9fedaa5a7109994d6ba
SHA256 c03cd4157c9fd27eca1a43b346259c49dc1cec080087dbf16206ea3c3433f510
SHA512 8567bc5684bb74e795952de2e59c120fac547da12100bc893e2d204dc6f887c16b679e14e847d36188b9aea98323c05bf25471113dfb018b13b10c63880716b8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b7c6ca50d3c951e736f4f4f94c047289
SHA1 6540b72784d47329711a5a61473fe72d243d68b3
SHA256 780e28c409efcc417854cb9dba5d793353faeb83b1135850f68ab06edce7f974
SHA512 0913de27eb231db4c3b7ba7afefe827ebb15a22962a62af46770e6771087f591a3de013dbaaabaceaf248d94c0ed4b5a32eaabc36cf1177ae1132a833b432b7c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb1ad317bd25b55b2bbdce8a28a74a94
SHA1 98a3978be4d10d62e7411946474579ee5bdc5ea6
SHA256 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512 d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

memory/1532-57-0x00007FFCA8693000-0x00007FFCA8695000-memory.dmp

memory/1532-58-0x00007FFCA8690000-0x00007FFCA9151000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 02f76419f80b44d1b8b1b98992f1c198
SHA1 54dd1585153a6ac5d88626a08154e87f2db25a46
SHA256 aead2b72fe8b76ed08c3282ff0d66623bc3f8de7547fd6b2f14a04f12cefb356
SHA512 9a9fbb453a9f635e2286ed88f591ff28aadd7887163166c0c9869d2069b6149ae48d7f5d6d6d8672e7a7160d1d405ba9a643380bbc836da787bc04331b9375cc

memory/1532-62-0x00000000020D0000-0x00000000020DE000-memory.dmp