Malware Analysis Report

2024-11-16 13:37

Sample ID 240530-l5x6daeg75
Target Xclient.exe
SHA256 be1243dcd5cd64592aeb2c04d1dcb1a76c101aade618dbf6c33f96704741451e
Tags xworm execution rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

be1243dcd5cd64592aeb2c04d1dcb1a76c101aade618dbf6c33f96704741451e

Threat Level: Known bad

The file Xclient.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Detect Xworm Payload

Xworm family

Xworm

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 10:07

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 10:07

Reported

2024-05-30 10:10

Platform

win7-20240215-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Xclient.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Xclient.exe

"C:\Users\Admin\AppData\Local\Temp\Xclient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xclient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xclient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

Network

Country Destination Domain Proto
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp

Files

memory/2980-0-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

memory/2980-1-0x00000000011A0000-0x00000000011B0000-memory.dmp

memory/3040-6-0x0000000002D90000-0x0000000002E10000-memory.dmp

memory/3040-7-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

memory/3040-8-0x0000000001E80000-0x0000000001E88000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 68b8661d8a26c780d923f385a5e87cbf
SHA1 bf77a5d028c23005fadde21c2953b31851b8307d
SHA256 c5b8338ad3f3a1e904da0d9846a63c8551ed3436d161357996e84fad0a8d88fc
SHA512 3a5d8fdf05d545f144c6452ddacbee48d52a47c6bb5198167dbff4dea6e973abb1d00b99b5d5ea7a8586777eb405fd621fe6e07396a3b84e96450d343b9dc64d

memory/2568-14-0x000000001B770000-0x000000001BA52000-memory.dmp

memory/2568-15-0x0000000002870000-0x0000000002878000-memory.dmp

memory/2980-30-0x000000001B2F0000-0x000000001B370000-memory.dmp

memory/2980-31-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

memory/2980-32-0x000000001B2F0000-0x000000001B370000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 10:07

Reported

2024-05-30 10:10

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Xclient.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xclient.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Xclient.exe

"C:\Users\Admin\AppData\Local\Temp\Xclient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xclient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xclient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 88.221.83.195:443 www.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 195.83.221.88.in-addr.arpa udp
N/A 127.0.0.1:4099 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
N/A 127.0.0.1:4099 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:4099 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp
N/A 127.0.0.1:4099 tcp

Files

memory/2280-0-0x00007FFAC0F23000-0x00007FFAC0F25000-memory.dmp

memory/2280-1-0x0000000000100000-0x0000000000110000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ardfu4mk.rwu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4600-11-0x000001B8C9830000-0x000001B8C9852000-memory.dmp

memory/4600-12-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp

memory/4600-13-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp

memory/4600-14-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp

memory/4600-15-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp

memory/4600-18-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 a7e7cfd43d30bcc61251a5a230d79a7c
SHA1 0d5c054cc7a8a11b102ba68635e306799897ce28
SHA256 063bb7675f043bb4c1d78d5dc04801560331b0e430e7579d3a535740c539590f
SHA512 1fd8d7924a249fb3200dad3d5d9eda04b33f01bbb25579e71d541d6be97b0467338a28b0a8948223e357d6bf6b851f9fd9a2c38026002307ccf7a973f7ecbe83

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4b451bfff41491fbb65db7899b220e6e
SHA1 a80f200d4fa07d163f77edaf76ca88a13ae8b92e
SHA256 2460aaf397f756acea0d527e928a2633b6e947ce02a363cbb2288ec7dafd7e6b
SHA512 4e01c3bb07259f5e93ad6a98f97aaf20b32bc00d306bec76b235a0dbabc66cb29aebe568265dd3b44c9ad0fe31d2230029e88700498bb819b9ae22f2acd4b2f0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 634cde2589934e07d99490d6d6b9feca
SHA1 c118bd53a94e9ce0bd970b354812131675c1269f
SHA256 518e9613183fe36f877d1ae225c4e8e96c53349b09025e1c91533bb696a3f2d8
SHA512 972035cd12a6ec63b7a827867a54700d91855b45825bf57f15d5985d9380d77308e1638a8490403ad13a5ae307dfdd5a868bd9bfc6b37d4ecf00a8b54b9deae5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9c740b7699e2363ac4ecdf496520ca35
SHA1 aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9
SHA256 be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61
SHA512 8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

memory/2280-57-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp

memory/2280-58-0x00007FFAC0F23000-0x00007FFAC0F25000-memory.dmp

memory/2280-59-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp