Malware Analysis Report

2024-11-16 13:37

Sample ID 240530-r67dbscb3s
Target читы.exe
SHA256 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171
Tags xworm execution persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171

Threat Level: Known bad

The file читы.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm family

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Drops startup file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-30 14:49

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-30 14:49

Reported 2024-05-30 14:51

Platform win7-20231129-en

Max time kernel 146s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\читы.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk C:\Users\Admin\AppData\Local\Temp\читы.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk C:\Users\Admin\AppData\Local\Temp\читы.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" C:\Users\Admin\AppData\Local\Temp\читы.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\читы.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\читы.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\читы.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\schtasks.exe
PID 2328 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\schtasks.exe
PID 2328 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\читы.exe C:\Windows\System32\schtasks.exe
PID 320 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 320 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 320 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 320 wrote to memory of 2732 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 320 wrote to memory of 2732 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 320 wrote to memory of 2732 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\читы.exe

"C:\Users\Admin\AppData\Local\Temp\читы.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\читы.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'читы.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {2F6C944B-2357-476A-8200-1473CADF52DC} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:65468 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 speed-wheat.gl.at.ply.gg udp
US 147.185.221.19:65468 speed-wheat.gl.at.ply.gg tcp
US 147.185.221.19:65468 speed-wheat.gl.at.ply.gg tcp
US 147.185.221.19:65468 speed-wheat.gl.at.ply.gg tcp
US 147.185.221.19:65468 speed-wheat.gl.at.ply.gg tcp
US 147.185.221.19:65468 speed-wheat.gl.at.ply.gg tcp

Files

memory/2328-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

memory/2328-1-0x00000000009C0000-0x00000000009E0000-memory.dmp

memory/1672-6-0x0000000002C70000-0x0000000002CF0000-memory.dmp

memory/1672-7-0x000000001B660000-0x000000001B942000-memory.dmp

memory/1672-8-0x0000000002220000-0x0000000002228000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 4a00b4ff3694143cbf99205e78f93336
SHA1 86ce97577352a19a9fa67a08c0dcece5b0f0104b
SHA256 4e47ac0e20472d4452eb8c6ace90649e73d0af2ba1df7787c68390496b065741
SHA512 646b83267b4f04213ca978f301deea1daf6e7f2a388452837724497644ac1421a5762f9f42ff50ec348b23b8f03e406420185f2594b320ff99e56353ba0c688b

memory/2268-14-0x000000001B820000-0x000000001BB02000-memory.dmp

memory/2268-15-0x0000000002720000-0x0000000002728000-memory.dmp

memory/2328-30-0x000000001AE60000-0x000000001AEE0000-memory.dmp

memory/2328-31-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

memory/2328-32-0x000000001AE60000-0x000000001AEE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Delta.exe

MD5 58174445e23753c941d39dc0453ac348
SHA1 40e3a9047c49cbae6818297adcd03896d28364c2
SHA256 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171
SHA512 523ef9adae27b83d87166be13e87944d3816cad08103b65ae2c964bf8828c0c949030e9e967d56b2bf40bba5b9466f8e4d21ccc220892c5f9365e2dd221fe072

memory/2512-36-0x0000000001210000-0x0000000001230000-memory.dmp

memory/2732-39-0x00000000001F0000-0x0000000000210000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-30 14:49

Reported 2024-05-30 14:52

Platform win10v2004-20240508-en

Max time kernel 147s

Max time network 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\читы.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\читы.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk C:\Users\Admin\AppData\Local\Temp\читы.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk C:\Users\Admin\AppData\Local\Temp\читы.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" C:\Users\Admin\AppData\Local\Temp\читы.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\читы.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\читы.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\читы.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\читы.exe

"C:\Users\Admin\AppData\Local\Temp\читы.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\читы.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'читы.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:65468 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 speed-wheat.gl.at.ply.gg udp
US 147.185.221.19:65468 speed-wheat.gl.at.ply.gg tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 147.185.221.19:65468 speed-wheat.gl.at.ply.gg tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 147.185.221.19:65468 speed-wheat.gl.at.ply.gg tcp
US 147.185.221.19:65468 speed-wheat.gl.at.ply.gg tcp

Files

memory/512-0-0x00007FFD06B13000-0x00007FFD06B15000-memory.dmp

memory/512-1-0x0000000000E60000-0x0000000000E80000-memory.dmp

memory/4628-7-0x000001CD77A70000-0x000001CD77A92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dx1r3drp.5iy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4628-12-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

memory/4628-13-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

memory/4628-16-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e4da474e1133bf2e122229b6b94c7658
SHA1 c4f87563a1f7017dcc7ca17860766b28947a3366
SHA256 7d9634e065c5cba387da5badc02177b8476d209f9be6885f2fe85e24db57ba49
SHA512 06c6e4e9ea93655c5a61393acd7ab37563087d3bd472eb80233b884c6667986606cdd800add2f376e41543ba90d711dd5d3b33f83d775c0955f121899cab3752

memory/1840-40-0x0000013B3DEF0000-0x0000013B3E10C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a3f9743fa50ec677498adad4b7802f9c
SHA1 709b0cdc7059f3c40f9aef863637ff603b3db1b4
SHA256 f45dbe2db0cdddd39b09ec716f52c13544ca43e3e1d512379b6528df235ad4dd
SHA512 45f78834b159833511cbf8a2fb141d6374aaa9b9b58574c55a7b3958a1c0a933258045174786a2a0768a18a2aa6804ab37e685a58c155850054a8a134bfe3a4f

memory/512-56-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

memory/512-57-0x00007FFD06B13000-0x00007FFD06B15000-memory.dmp

memory/512-58-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Delta.exe

MD5 58174445e23753c941d39dc0453ac348
SHA1 40e3a9047c49cbae6818297adcd03896d28364c2
SHA256 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171
SHA512 523ef9adae27b83d87166be13e87944d3816cad08103b65ae2c964bf8828c0c949030e9e967d56b2bf40bba5b9466f8e4d21ccc220892c5f9365e2dd221fe072

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Delta.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1