Malware Analysis Report

2024-11-16 13:37

Sample ID 240529-qzd8jagb7z
Target AimwareInjector.exe
SHA256 6ed1039a3fa7c5359cbb492f4aeb3ce9093666d27adb24b277719ae53e9a3c41
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ed1039a3fa7c5359cbb492f4aeb3ce9093666d27adb24b277719ae53e9a3c41

Threat Level: Known bad

The file AimwareInjector.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 13:41

Signatures

Detect Xworm Payload

No indicator details recorded.

Xworm family

xworm

Unsigned PE

No indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 13:41

Reported

2024-05-29 13:42

Platform

win10v2004-20240226-en

Max time kernel

34s

Max time network

38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe"

Signatures

Detect Xworm Payload

No indicator details recorded.

Xworm

trojan rat xworm

Checks computer location settings

The sample reads the country configured for the current user (Control Panel\International\Geo\Nation). Malware commonly consults this value to geofence itself and stay dormant in selected regions.

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | N/A

Drops startup file

A shortcut named svchost.lnk is written to the user's Startup folder so that it runs at every logon. The name imitates the Windows service host: the genuine svchost.exe lives under C:\Windows and is never started through a Startup shortcut. The shortcut's target is not recorded in this report.

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | N/A

Adds Run key to start application

persistence

A second logon-persistence entry: the HKCU Run value named "svchost" points at C:\Users\Admin\AppData\Roaming\svchost.exe, a copy of the sample placed in a user-writable directory under a system-binary name (the Files section shows it carries the same SHA256 as the submitted file).

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | N/A

Legitimate hosting services abused for malware hosting/C2

The sample resolves pastebin.com and connects to it over HTTPS (see Network). XWorm builds are commonly configured to fetch their C2 host and port from a paste instead of embedding it, so the paste contents and the address it points to, rather than pastebin.com itself, are the indicators worth blocking.

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

All three reads below are attributed to taskmgr.exe, which was running during the detonation, and not to AimwareInjector.exe. They should not be read as the sample fingerprinting the disk itself.

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A

Creates scheduled task(s)

persistence

The task (see the schtasks.exe command line under Processes) is named "svchost", fires every minute (/sc minute /mo 1) at the highest available run level (/RL HIGHEST), overwrites any existing task of that name (/f) and launches C:\Users\Admin\AppData\Roaming\svchost.exe. A one-minute trigger works as a watchdog that restarts the copy whenever it is killed.

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | N/A

Suspicious use of WriteProcessMemory

PID 1312 is AimwareInjector.exe. Every write targets a child it has just spawned (four powershell.exe instances and schtasks.exe). The sandbox reports each cross-process write, and writing into a newly created child is part of normal process start-up, so in this run the signature documents the process tree rather than code injection into an unrelated process. Each child appears twice because two writes were recorded per process.

Description | Indicator | Process | Target
PID 1312 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | C:\Windows\System32\schtasks.exe
PID 1312 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe

"C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AimwareInjector.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

The four PowerShell invocations add Microsoft Defender exclusions (ATT&CK T1562.001) for both the original sample and its Roaming copy, by path and by process name. No -Command switch is given; powershell.exe treats the remaining arguments as the command to run. Add-MpPreference needs an elevated token, and the report does not show whether the exclusions were actually applied.

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
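Detection logic for the command lines listed above, added here as an example and not part of the sandbox report. It scans process-creation records for Defender exclusions added through Add-MpPreference, for schtasks /create tasks that launch a binary from a user-writable directory on a short interval, and for system-binary names (such as svchost.exe) executing from outside C:\Windows, which also covers the Run-key and scheduled-task persistence signatures above. The records are constructed from this report's Processes section; the rule names, the USER_WRITABLE and SYSTEM_BINARIES lists and the five-minute watchdog threshold are my own choices, not anything the sandbox defines.

```python
import re
from typing import Dict, List, Tuple

# Process-creation records (image path, command line) copied from the Processes
# section of this report (constructed input; taskmgr.exe is kept as a benign row).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\AimwareInjector.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\svchost.exe"

EVENTS: List[Tuple[str, str]] = [
    (SAMPLE, f'"{SAMPLE}"'),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath ' + f"'{SAMPLE}'"),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' + "'AimwareInjector.exe'"),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath ' + f"'{COPY}'"),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' + "'svchost.exe'"),
    (r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
    (SCHTASKS, f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "{COPY}"'),
]

# Add-MpPreference -Exclusion{Path,Process,Extension} <'quoted' | "quoted" | bare>
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.I,
)
TASK_TARGET_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
TASK_SCHED_RE = re.compile(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", re.I)

# Assumed lists: directories a standard user can write to, and binary names that
# only belong under C:\Windows (anything else using them is masquerading, T1036.005).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}
WATCHDOG_MINUTES = 5  # assumed threshold: a task firing this often is a restart loop


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_masquerade(path: str) -> bool:
    """True when a system-binary name runs from outside the Windows directory."""
    return basename(path) in SYSTEM_BINARIES and not path.lower().startswith("c:\\windows\\")


def analyze(events: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """One finding per suspicious command line; benign lines produce nothing."""
    findings: List[Dict[str, object]] = []
    for image, cmdline in events:
        exe = basename(image)
        low = cmdline.lower()
        if exe in ("powershell.exe", "pwsh.exe"):
            for kind, single, double, bare in EXCLUSION_RE.findall(cmdline):
                findings.append({"rule": "defender_exclusion",  # T1562.001
                                 "kind": kind.lower(), "value": single or double or bare})
        elif exe == "schtasks.exe" and "/create" in low:
            m = TASK_TARGET_RE.search(cmdline)
            target = (m.group(1) or m.group(2)) if m else ""
            s = TASK_SCHED_RE.search(cmdline)
            schedule = s.group(1).lower() if s else ""
            every = int(s.group(2)) if s and s.group(2) else 1
            flags = {
                "highest": "/rl highest" in low,
                "user_writable": any(frag in target.lower() for frag in USER_WRITABLE),
                "watchdog": schedule == "minute" and every <= WATCHDOG_MINUTES,
                "masquerade": is_masquerade(target),
            }
            if any(flags.values()):
                findings.append({"rule": "scheduled_task",  # T1053.005
                                 "target": target, "schedule": f"{schedule}/{every}", **flags})
        if is_masquerade(image):
            findings.append({"rule": "masquerade", "image": image})  # T1036.005
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run against the report's seven command lines it returns five findings: four Defender exclusions and one scheduled task that is user-writable, runs every minute at highest run level and launches an impostor svchost.exe; the sample's own launch and taskmgr.exe produce nothing.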

Network

Flows are not attributed to a process in this table. Queries to 8.8.8.8:53 for *.in-addr.arpa names are reverse lookups and carry little signal on their own. The entries tied to the sample are the lookup of pastebin.com followed by a TLS connection to 104.20.3.235:443 (matching the hosting-abuse signature above) and the lookup of every-progressive.gl.at.ply.gg followed by a TCP connection to 147.185.221.19:63869, a non-standard port consistent with a RAT control channel. The three remaining 80/443 connections have no recorded domain and cannot be attributed from this report.

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
GB | 96.16.110.114:80 | N/A | tcp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.3.235:443 | pastebin.com | tcp
US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp
US | 8.8.8.8:53 | every-progressive.gl.at.ply.gg | udp
US | 147.185.221.19:63869 | every-progressive.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | N/A | udp
N/A | 40.127.169.103:443 | N/A | tcp
N/A | 13.107.253.64:443 | N/A | tcp
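A parser for the Network table above, added as an example and not part of the report, that separates resolver noise from sample traffic: reverse (in-addr.arpa) lookups are converted back to the address they describe, forward lookups become domain IOCs, and non-DNS flows are kept with whatever domain the sandbox recorded and flagged when they use a port other than 80 or 443. The table text is embedded verbatim in its original space-separated form; the "common ports" set and the IOC output format are assumptions of mine.

```python
import ipaddress
from typing import Dict, List

# The Network table of this report, embedded verbatim (constructed parser input).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 every-progressive.gl.at.ply.gg udp
US 147.185.221.19:63869 every-progressive.gl.at.ply.gg tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 40.127.169.103:443 tcp
N/A 13.107.253.64:443 tcp
"""

COMMON_PORTS = {80, 443}  # assumed: anything else deserves a second look
PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name: str) -> str:
    """Turn an IPv4 reverse-lookup name back into the address it describes."""
    if not name.lower().endswith(PTR_SUFFIX):
        raise ValueError(f"not a PTR name: {name}")
    octets = name[: -len(PTR_SUFFIX)].split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def parse_rows(table: str) -> List[Dict[str, object]]:
    """Split the space-separated table; the Domain column may be absent."""
    rows: List[Dict[str, object]] = []
    for line in table.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, port = parts[1].rsplit(":", 1)
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else "", "proto": parts[-1]})
    return rows


def triage(table: str) -> Dict[str, object]:
    lookups: List[str] = []      # forward DNS queries: domain IOCs
    ptr_targets: List[str] = []  # addresses that were reverse-resolved
    flows: List[Dict[str, object]] = []
    for r in parse_rows(table):
        if r["proto"] == "udp" and r["port"] == 53:
            name = str(r["domain"])
            if not name:
                continue  # resolver query with no name recorded
            if name.lower().endswith(PTR_SUFFIX):
                ptr_targets.append(ptr_to_ip(name))
            elif name not in lookups:
                lookups.append(name)
            continue
        flows.append({"ip": r["ip"], "port": r["port"], "proto": r["proto"],
                      "domain": r["domain"],
                      "nonstandard_port": r["port"] not in COMMON_PORTS,
                      "attributed": bool(r["domain"])})  # sandbox tied a name to it
    iocs = set(lookups) | {f"{f['ip']}:{f['port']}" for f in flows if f["attributed"]}
    return {"lookups": lookups, "ptr_targets": ptr_targets, "flows": flows,
            "iocs": sorted(iocs)}


if __name__ == "__main__":
    result = triage(NETWORK_TABLE)
    print("IOCs:", result["iocs"])
    for flow in result["flows"]:
        if not flow["attributed"] or flow["nonstandard_port"]:
            print("review:", flow)
```

On this table the IOC list is the two domains plus the two attributed endpoints; the three unattributed 80/443 flows and the eight reverse lookups are left for manual review. Note that one of the reverse lookups (235.3.20.104.in-addr.arpa) resolves back to the pastebin.com address, so the PTR noise can still corroborate a flow.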

Files

memory/1312-0-0x00007FFC4E983000-0x00007FFC4E985000-memory.dmp

memory/1312-1-0x00000000009E0000-0x00000000009F0000-memory.dmp

The PowerShell-related entries below (the __PSScriptPolicyTest_*.ps1 file, the CLR UsageLogs file and the StartupProfileData-NonInteractive cache) are written by powershell.exe itself whenever it starts; they are side effects of the four PowerShell children, not files the sample wrote on purpose.

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txo5ijzk.whj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4380-11-0x00000272C9770000-0x00000272C9792000-memory.dmp

memory/4380-12-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

memory/4380-13-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

memory/4380-14-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

memory/4380-15-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

memory/4380-16-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

memory/4380-19-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8f659389c6e21eb0c627fbae833500c7
SHA1 ae632f1e4af08587934ff168155b30e2b28d7475
SHA256 a12763453f79453dd8f25f0c90d001ffb5d409ec698491666c9f076c6bc60d8c
SHA512 f4849e0b1d6ab3d4dd054f590a359af8dd1b9d3df2ad78033ad1a59ebafb1ca96aa76fa9061a466d74e8e3266dc882818d79db47908b21ca3ef8be20e427d327

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fe9b96bc4e29457b2d225a5412322a52
SHA1 551e29903e926b5d6c52a8f57cf10475ba790bd0
SHA256 e81b9bfd38a5199813d703d5caf75baa6f62847b2b9632302b5d6f10dd6cf997
SHA512 ff912526647f6266f37749dfdc3ed5fd37c35042ba481331434168704c827d128c22093ba73d7ad0cecde10365f0978fcd3f3e2af1a1c280cd2e592a62d5fa80

memory/1312-61-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

memory/3596-60-0x0000023B4B630000-0x0000023B4B631000-memory.dmp

memory/3596-59-0x0000023B4B630000-0x0000023B4B631000-memory.dmp

memory/3596-58-0x0000023B4B630000-0x0000023B4B631000-memory.dmp

memory/3596-71-0x0000023B4B630000-0x0000023B4B631000-memory.dmp

memory/3596-70-0x0000023B4B630000-0x0000023B4B631000-memory.dmp

memory/3596-69-0x0000023B4B630000-0x0000023B4B631000-memory.dmp

memory/3596-68-0x0000023B4B630000-0x0000023B4B631000-memory.dmp

memory/3596-67-0x0000023B4B630000-0x0000023B4B631000-memory.dmp

memory/3596-66-0x0000023B4B630000-0x0000023B4B631000-memory.dmp

memory/3596-65-0x0000023B4B630000-0x0000023B4B631000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

MD5 bca751b51b52ad913c083389f2925d70
SHA1 ee980b7ebaeb2df53285232d53c2726a53e7c5b5
SHA256 c6fd32fdd3e82ce386fff78321440bc82ae8fe457f36b5b30a1db077b9c25f3f
SHA512 c593ebeed2d0dd2c42388307ed84bfce52e5f13c5906f0d0648a2ecb03bb3f3e4763f12e30203ee83e2760f89764743f86f520d498e9536f06a9899db1a57b9b

C:\Users\Admin\AppData\Roaming\svchost.exe

This SHA256 is identical to the submitted sample's (see Analysis Overview), so the persisted svchost.exe is a byte-for-byte self-copy rather than a separately downloaded stage.

MD5 e2b5948ba536abaf586931d8c7bf9c54
SHA1 36e5cb12308a44210a1489565c6bd3c587c2bec7
SHA256 6ed1039a3fa7c5359cbb492f4aeb3ce9093666d27adb24b277719ae53e9a3c41
SHA512 a4d183970f6d0886e8786af1c55697667923d1ba52dbdf3c43f454638e42c80e2bdb2db216b3a023e836a9b25122366d4fe870700410930f1ce553cf0bc5f897

memory/1312-74-0x00007FFC4E983000-0x00007FFC4E985000-memory.dmp
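An added example, not from the report, that parses an excerpt of the Files section above, checks that every digest has the length its algorithm requires, and correlates the entries: files whose SHA256 equals the submitted sample's are reported as self-copies, .lnk files under the Startup folder as logon persistence, and PowerShell's own start-up artifacts are set aside as noise. The excerpt and the noise patterns are constructed from this page; the leading number in a memory-dump name is assumed to be the dumped process's PID.

```python
import re
from typing import Any, Dict, List, Tuple

# SHA256 of the submitted sample, from the Analysis Overview of this report.
SAMPLE_SHA256 = "6ed1039a3fa7c5359cbb492f4aeb3ce9093666d27adb24b277719ae53e9a3c41"

# Excerpt of the Files section above, pasted as-is (constructed parser input).
FILES_SECTION = r"""
memory/1312-0-0x00007FFC4E983000-0x00007FFC4E985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txo5ijzk.whj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

memory/3596-60-0x0000023B4B630000-0x0000023B4B631000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

MD5 bca751b51b52ad913c083389f2925d70
SHA1 ee980b7ebaeb2df53285232d53c2726a53e7c5b5
SHA256 c6fd32fdd3e82ce386fff78321440bc82ae8fe457f36b5b30a1db077b9c25f3f

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 e2b5948ba536abaf586931d8c7bf9c54
SHA1 36e5cb12308a44210a1489565c6bd3c587c2bec7
SHA256 6ed1039a3fa7c5359cbb492f4aeb3ce9093666d27adb24b277719ae53e9a3c41
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (PID position is an assumption)
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Written by powershell.exe itself at start-up; not evidence about the sample.
POWERSHELL_NOISE = ("__psscriptpolicytest_", "\\clr_v4.0\\usagelogs\\", "\\powershell\\startupprofiledata")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_files(section: str) -> Tuple[List[Dict[str, Any]], List[Dict[str, int]]]:
    """Return (file entries with their digests, memory-dump entries)."""
    files: List[Dict[str, Any]] = []
    dumps: List[Dict[str, int]] = []
    current = None
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            dumps.append({"pid": int(m.group(1)), "start": int(m.group(2), 16), "end": int(m.group(3), 16)})
            current = None
        elif PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
        elif (m := HASH_RE.match(line)) and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # catch truncated or garbled hashes early
                raise ValueError(f"{current['path']}: {algo} has {len(digest)} hex chars")
            current["hashes"][algo] = digest
    return files, dumps


def correlate(section: str, sample_sha256: str) -> Dict[str, Any]:
    files, dumps = parse_files(section)
    by_sha256: Dict[str, List[str]] = {}
    for f in files:
        by_sha256.setdefault(f["hashes"].get("SHA256", ""), []).append(f["path"])
    lower = {f["path"]: f["path"].lower() for f in files}
    noise = [p for p, lp in lower.items() if any(n in lp for n in POWERSHELL_NOISE)]
    return {
        "self_copies": by_sha256.get(sample_sha256.lower(), []),
        "startup_links": [p for p, lp in lower.items() if STARTUP_DIR in lp and lp.endswith(".lnk")],
        "powershell_noise": noise,
        "dropped": [p for p in lower if p not in noise],
        "dump_pids": sorted({d["pid"] for d in dumps}),
    }


if __name__ == "__main__":
    for key, value in correlate(FILES_SECTION, SAMPLE_SHA256).items():
        print(f"{key}: {value}")
```

For the excerpt this reports the Roaming svchost.exe as a self-copy of the sample, the Startup svchost.lnk as logon persistence, two PowerShell noise files, and memory dumps from PIDs 1312 and 3596; a digest of the wrong length raises instead of being silently recorded.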