Malware Analysis Report

2024-11-16 13:39

Sample ID 240530-b59t3aaa7v
Target XClient.exe
SHA256 e03842270991c28c9dc59f1a3fd4bba0883fc03d51fd8e64e02c47a324ea6db9
Tags
xworm persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e03842270991c28c9dc59f1a3fd4bba0883fc03d51fd8e64e02c47a324ea6db9

Threat Level: Known bad

The file XClient.exe was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Xworm

Detect Xworm Payload

Xworm family

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 01:44

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 01:44

Reported

2024-05-30 01:50

Platform

win10v2004-20240426-en

Max time kernel

299s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\byiitd.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\byiitd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Курсор - писюн.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Roaming\\discord.exe" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\byiitd.exe

"C:\Users\Admin\AppData\Local\Temp\byiitd.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Курсор - писюн.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Курсор - писюн.exe"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\esycdv.mp3"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x300 0x34c

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tel-form.gl.at.ply.gg | udp
US | 147.185.221.20:2421 | tel-form.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 147.185.221.20:2421 | tel-form.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp
US | 147.185.221.20:2421 | tel-form.gl.at.ply.gg | tcp

Files

memory/996-0-0x00007FF950993000-0x00007FF950995000-memory.dmp

memory/996-1-0x00000000001C0000-0x00000000001D8000-memory.dmp

memory/996-6-0x00007FF950990000-0x00007FF951451000-memory.dmp

memory/996-7-0x00007FF950993000-0x00007FF950995000-memory.dmp

memory/996-8-0x00007FF950990000-0x00007FF951451000-memory.dmp

memory/996-9-0x0000000002280000-0x000000000228C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\byiitd.exe

MD5 00e82a1db301ab77338b0a4863e2e1ad
SHA1 7a4a23a285eb1c4ef1b39124ff125eb095c73bc4
SHA256 507895a5170319193ced89311753529812a26b344213d44c92a988e3b4c99c06
SHA512 745c1f07f194c48938a77c3879b05eec566f8a1a15a75099e31782faeea087a4c488ef3693de08f66735f464784b22b3c14ff0ac85284e412c35e4e0741ce8ef

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Курсор - писюн.exe

MD5 17b935ed6066732a76bed69867702e4b
SHA1 23f28e3374f9d0e03d45843b28468aace138e71c
SHA256 e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0
SHA512 774ea047cdc5f008df03ad67242df04d630bb962bc99f1ea8974a21baf6a902c7a5d8b8d09d9e5c7d7e46b0378c7baf33bf80fb3e34777cd0958b8fc740d0318

memory/776-33-0x00000000001C0000-0x00000000001C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xui2.cur

MD5 c1fd2feb9e2b56be00082dd06c2b9658
SHA1 6e9272d5d53272f901ebb75ea556e250d4fc54aa
SHA256 de7c8bd93cc576d719805835099ae0f2cb88d797fe71585e2f7eb56b67a8fb72
SHA512 7530ad40f0adc93d5166b2b4741ba66bc5792ca1882be658b86b290feaa3ccf08f15ef0d55cc40494c6f3fedb78ecc5dab2a5342e0bdc85a068a3a0ffdc6e79a

C:\Users\Admin\AppData\Local\Temp\esycdv.mp3

MD5 d2b247c97d062f9b481c20a2e785fcdc
SHA1 3701f483c83318bec044c01f5c48a29a244af3a2
SHA256 db25c4b7003bf451da19c9e2609c5e8b1a2315d0dac35d9d2195a02750460f81
SHA512 b86691126dc8d0e603dc7643e1d90a37c138644670c02641df06535fb9f3f4b8629037af94a1c37020d2ec34ebab4da9a314dcc2832b8f8f745f04f428aac2c3

memory/4524-47-0x00007FF60F9B0000-0x00007FF60FAA8000-memory.dmp

memory/4524-48-0x00007FF9651B0000-0x00007FF9651E4000-memory.dmp

memory/4524-52-0x00007FF965170000-0x00007FF965181000-memory.dmp

memory/4524-56-0x00007FF960C50000-0x00007FF960C61000-memory.dmp

memory/4524-57-0x00007FF94CEE0000-0x00007FF94D0EB000-memory.dmp

memory/4524-55-0x00007FF961250000-0x00007FF96126D000-memory.dmp

memory/4524-64-0x00007FF960990000-0x00007FF9609A1000-memory.dmp

memory/4524-63-0x00007FF9609B0000-0x00007FF9609C1000-memory.dmp

memory/4524-61-0x00007FF960BB0000-0x00007FF960BC8000-memory.dmp

memory/4524-60-0x00007FF960BD0000-0x00007FF960BF1000-memory.dmp

memory/4524-59-0x00007FF960C00000-0x00007FF960C41000-memory.dmp

memory/4524-62-0x00007FF960B70000-0x00007FF960B81000-memory.dmp

memory/4524-54-0x00007FF9650F0000-0x00007FF965101000-memory.dmp

memory/4524-49-0x00007FF94D580000-0x00007FF94D836000-memory.dmp

memory/4524-53-0x00007FF965110000-0x00007FF965127000-memory.dmp

memory/4524-51-0x00007FF965190000-0x00007FF9651A7000-memory.dmp

memory/4524-50-0x00007FF967B90000-0x00007FF967BA8000-memory.dmp

memory/4524-58-0x00007FF946760000-0x00007FF947810000-memory.dmp

memory/4524-65-0x00007FF944690000-0x00007FF945EFF000-memory.dmp

memory/4524-77-0x00007FF946760000-0x00007FF947810000-memory.dmp

memory/4524-96-0x00007FF946760000-0x00007FF947810000-memory.dmp