Malware Analysis Report

2024-11-16 13:39

Sample ID 240530-l3xrtseg26
Target Xclient.exe
SHA256 910229c0f5c8f1ca57c12055824f9df22435f5031744850cd3d46d196aa5d41e
Tags
xworm execution rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

910229c0f5c8f1ca57c12055824f9df22435f5031744850cd3d46d196aa5d41e

Threat Level: Known bad

The file Xclient.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Xworm family

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Drops startup file

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 10:04

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 10:04

Reported

2024-05-30 10:05

Platform

win11-20240426-en

Max time kernel

52s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Xclient.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Xclient.exe

"C:\Users\Admin\AppData\Local\Temp\Xclient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xclient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xclient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
N/A 127.0.0.1:1048 tcp
N/A 127.0.0.1:1048 tcp
N/A 127.0.0.1:1048 tcp
N/A 127.0.0.1:1048 tcp
N/A 127.0.0.1:1048 tcp

Files

memory/2480-0-0x00007FFFE77F3000-0x00007FFFE77F5000-memory.dmp

memory/2480-1-0x0000000000C70000-0x0000000000C84000-memory.dmp

memory/2480-2-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

memory/1492-3-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

memory/1492-4-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

memory/1492-5-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hjpgxwkw.2xx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1492-14-0x00000243FFAD0000-0x00000243FFAF2000-memory.dmp

memory/1492-15-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

memory/1492-16-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

memory/1492-19-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5ba388a6597d5e09191c2c88d2fdf598
SHA1 13516f8ec5a99298f6952438055c39330feae5d8
SHA256 e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca
SHA512 ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 687b3558d687becb30ad8f90997723cc
SHA1 fb326d7d105aba4d26e1764e73fd124cad23f298
SHA256 5283507c63132fdaf5d64bb0a09bcd6ae6d412a4df0be934268bf8e774207ece
SHA512 f827d61fad06764cefbca1688b8b2df7c07a1080be42f524de9765650382db84151ee90dd74b6568ea6f5bc582399695ec2c1c598256076f2dc91ff250450abd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 781da0576417bf414dc558e5a315e2be
SHA1 215451c1e370be595f1c389f587efeaa93108b4c
SHA256 41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe
SHA512 24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 050567a067ffea4eb40fe2eefebdc1ee
SHA1 6e1fb2c7a7976e0724c532449e97722787a00fec
SHA256 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
SHA512 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

memory/2480-55-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp