Malware Analysis Report

2024-11-16 13:40

Sample ID 240531-m8a1pafd4z
Target XClient.exe
SHA256 0c336bb9258f45ded239bfd2a721a779c3a467cfd177d9ab75841d6eb61d2a8a
Tags
xworm persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0c336bb9258f45ded239bfd2a721a779c3a467cfd177d9ab75841d6eb61d2a8a

Threat Level: Known bad

The file XClient.exe was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat spyware stealer trojan

Detect Xworm Payload

Xworm

Xworm family

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 11:07

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 11:07

Reported

2024-05-31 12:12

Platform

win10v2004-20240426-en

Max time kernel

49s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AMD Graphics Manager = "C:\\Users\\Admin\\AppData\\Roaming\\AMD Graphics Manager" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4664 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\System32\schtasks.exe
PID 4664 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AMD Graphics Manager" /tr "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"

The task re-launches the payload every minute (/sc minute /mo 1) at the highest privilege level available to the creating user (/RL HIGHEST), and its /tr target is the same extension-less path under the Roaming profile that the Run key value names. Persistence is therefore layered three ways (Run key, Startup folder .lnk, scheduled task), and removing only one of them does not clear it. Note that this run's Files section records no file written to that Roaming path; the only persistence artifact listed on disk is the Startup folder .lnk.
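The following Python is an added example for this report and not sandbox output: it scores a schtasks /create command line on the traits the XClient.exe run shows (a sub-hourly trigger, /RL HIGHEST, a /tr target under a user-writable profile directory with no file extension, and a vendor-sounding task name) and runs that scoring over a few constructed process-creation records, the first of which reproduces the command line above. The record format, the function names and the threshold of three signals are assumptions for the demo, not a real EDR schema.

```python
import os
import shlex

# Directories a standard user can write to; a /tr target here is a weak signal on its own
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local", r"\users\public", r"\programdata")
# Words used to dress a task name up as vendor software (cf. "AMD Graphics Manager")
VENDOR_WORDS = ("amd", "nvidia", "intel", "microsoft", "windows", "google", "adobe", "realtek")
# Length in minutes of one unit for the /sc values that accept a /mo modifier
SCHEDULE_MINUTES = {"minute": 1, "hourly": 60, "daily": 1440}


def parse_schtasks(cmdline):
    """Map schtasks switches to their values: {'sc': 'minute', 'f': True, ...}."""
    # posix=False keeps Windows backslashes literal and quoted paths together
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    opts = {}
    i = 1  # toks[0] is the image itself
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True  # bare switch such as /f or /create
        i += 1
    return opts


def score_persistence(opts):
    """Return (score, reasons) for a parsed /create command line; 0 for anything else."""
    if "create" not in opts:
        return 0, []
    reasons = []
    sc = str(opts.get("sc", "")).lower()
    try:
        mo = int(opts.get("mo", 1))
    except (TypeError, ValueError):
        mo = 1
    if sc in SCHEDULE_MINUTES and SCHEDULE_MINUTES[sc] * mo <= 5:
        reasons.append(f"trigger fires every {SCHEDULE_MINUTES[sc] * mo} min")
    if str(opts.get("rl", "")).lower() == "highest":
        reasons.append("runs with highest privileges (/RL HIGHEST)")
    tr = str(opts.get("tr", "")).lower()
    if any(d in tr for d in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if tr and not os.path.splitext(tr.rsplit("\\", 1)[-1])[1]:
        reasons.append("target has no file extension")
    tn = str(opts.get("tn", "")).lower()
    if any(w in tn.split() for w in VENDOR_WORDS):
        reasons.append("vendor-lookalike task name")
    return len(reasons), reasons


def triage_log(lines, threshold=3):
    """Score constructed records 'parent_image<TAB>image<TAB>command_line' and
    return those scoring at or above threshold (hypothetical format, not an EDR schema)."""
    hits = []
    for line in lines:
        parent, image, cmd = line.rstrip("\n").split("\t", 2)
        if not image.lower().endswith("\\schtasks.exe"):
            continue
        score, reasons = score_persistence(parse_schtasks(cmd))
        if score >= threshold:
            hits.append({"parent": parent, "score": score, "reasons": reasons})
    return hits


# Constructed records: the first reproduces the schtasks command line from this report,
# the second is a benign-looking daily task for contrast.
SAMPLE_LOG = [
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\XClient.exe\tC:\\Windows\\System32\\schtasks.exe\t"
    '"C:\\Windows\\System32\\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
    '/tn "AMD Graphics Manager" /tr "C:\\Users\\Admin\\AppData\\Roaming\\AMD Graphics Manager"',
    "C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\schtasks.exe\t"
    'schtasks.exe /create /sc daily /st 02:00 /tn "Nightly Backup" /tr "C:\\Program Files\\Backup\\backup.exe"',
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit)
```

Each signal is weak alone (plenty of legitimate installers use /RL HIGHEST or AppData paths); it is the combination of a one-minute trigger, elevated run level and an extension-less target in Roaming that separates the XClient.exe task from ordinary administration, which is why the demo requires several signals before reporting.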

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 160.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
NL | 91.92.241.69:5555 | - | tcp
US | 8.8.8.8:53 | 69.241.92.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp

All rows but one are PTR (reverse) lookups sent to 8.8.8.8; read back to front, the in-addr.arpa names ask about 2.22.144.160, 20.106.86.13, 192.229.221.95, 40.126.32.140, 91.92.241.69, 20.114.59.183 and 52.165.164.15. The single direct flow is TCP to 91.92.241.69 on port 5555 (NL), the likely C2 endpoint for this sample; 69.241.92.91.in-addr.arpa is the reverse lookup of that same address. No domain name or PTR answer for the C2 is recorded in this report, so the IP:port pair is the network indicator to pivot on.
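To show how to separate the C2 flow from DNS noise in a table like this one, here is an added Python example (not part of the sandbox report). It parses the rows above, embedded as a string, turns each in-addr.arpa name back into the IPv4 address it asks about, and reports which direct connections concern an address the sample also reverse-resolved. The function names and the returned structure are the example's own choices.

```python
import ipaddress

# The rows of the Network table above, embedded as a constructed copy
# (a '|'-separated copy with '-' for an empty Domain column parses the same way)
NETWORK_TABLE = """
US 8.8.8.8:53 160.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 91.92.241.69:5555 tcp
US 8.8.8.8:53 69.241.92.91.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """'69.241.92.91.in-addr.arpa' -> '91.92.241.69'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain is absent for raw flows."""
    rows = []
    for line in text.splitlines():
        parts = [p for p in line.replace("|", " ").split() if p != "-"]
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # blank line
        host, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue  # header row
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(text):
    """Split DNS lookups from direct flows and flag flows whose peer was also reverse-resolved."""
    rows = parse_rows(text)
    ptr_targets = {ip for r in rows if (ip := ptr_to_ip(r["domain"]))}
    direct = [r for r in rows if not (r["port"] == 53 and r["domain"])]
    return {
        "ptr_targets": sorted(ptr_targets, key=ipaddress.IPv4Address),
        "direct_connections": direct,
        "also_reverse_resolved": sorted(
            f'{r["host"]}:{r["port"]}/{r["proto"]}' for r in direct if r["host"] in ptr_targets
        ),
    }


if __name__ == "__main__":
    result = triage(NETWORK_TABLE)
    print("reverse-resolved:", ", ".join(result["ptr_targets"]))
    for flow in result["direct_connections"]:
        print("direct:", flow)
    print("direct and reverse-resolved:", result["also_reverse_resolved"])
```

Reverse lookups of Microsoft and CDN ranges are common background noise on a Windows sandbox, so the useful output is the short list of direct flows and, within it, the peer that the sample both connected to and reverse-resolved.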

Files

memory/4664-0-0x00007FFF0F373000-0x00007FFF0F375000-memory.dmp

memory/4664-1-0x00000000004C0000-0x00000000004D6000-memory.dmp

memory/4664-5-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

memory/4664-6-0x000000001C990000-0x000000001CCE0000-memory.dmp

memory/4664-7-0x00007FFF0F373000-0x00007FFF0F375000-memory.dmp

memory/4664-8-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

C:\Users\Admin\Desktop\ConvertRedo.ps1xml

MD5 13daae583e2fe64ececed044df32def7
SHA1 156cc09516932c67a74a7b50543ed0e379d9d49f
SHA256 f9191596b5ad32609bd9a9f384fe9352b772708c6ec9e097359bdf2070541dca
SHA512 ad07f3494fd743c6216ca359a7b3a67290b6f911fc8834dea606d99e0c2ac69914136f5b62e441490b564b152b6fcc46dcbcf6f1b4aacc15d13ecd2fbfbc665a

C:\Users\Admin\Desktop\ConvertToInstall.midi

MD5 011e27a735e2dce6cafa12cb122ef336
SHA1 f43d4cafc415524344949bc6c80ff486f7a5b038
SHA256 cab9399cf8727bb3c1d96d68def6e606b37dff0d42d36c68ca329cd96b9a8dd5
SHA512 6616782564ec78cacc17b401ecad03e57176f14ea560474eb26e41a2572b590a1da8dcbc246f0147d42482554aa99fb1351c79e284d95a6327495dbf952acf8d

C:\Users\Admin\Desktop\DebugRemove.mp4v

MD5 7fe219c0a48434151981a6cb5445763e
SHA1 68068dd0777e2a9073950de9055878d0eb050334
SHA256 be62bc14f014915ce2486b7f40d2399717d49741ca81c57caf2d3987830bf5b5
SHA512 983f76bf034da19a0b282f2380138abf84154a0c00e6e3bb75c46b3b617cb62d81e42f6da54d2dc83dac9669db33afb335f7f1599e6ee076caea7114a598f7e7

C:\Users\Admin\Desktop\EnableOptimize.svg

MD5 ef786e6b01fe700a0383ceb0cbba8ab0
SHA1 e41bddbeaa6ba3d009f88b1af99e641153ed6636
SHA256 08f94ae3fc496775983310b2c15386845bdb7e66bc02c4ba51f95eff1e9520cc
SHA512 c5193b0ec3cd26cc49fc34f77d1e2d689ae5926cd65cdf81b830332e580d04efc9ff3bb7403cc68c72d42beea97bed66b1be651f71fa7bec0e9904ed9ff2484f

C:\Users\Admin\Desktop\EnableInvoke.search-ms

MD5 db8360e76d053ab9656c3ccf4a053cbd
SHA1 2f5af1bb69a4bb96ec42290c6a9ce517afee3953
SHA256 d65b707a15b28f15c25769e99dfb763037cf81cb45273a23b116a1f7bbe96aeb
SHA512 295da8381b39a76fce7275c8e7d7a55f347dacc9da0af1015111e03867fd141ab1b5137413516763d13ce282fc748a807517b4aeb88f2e964a831eadd7f1e7b5

C:\Users\Admin\Desktop\DisableExit.vstm

MD5 43e39f8bcede388cb8166e9179fbb71a
SHA1 d27f7397a75ff85b23374ec01f71d53ca622f2c0
SHA256 3fef85837c11df00389945e23a8e5d21ed8164760a4f24d88468f2a012d871d6
SHA512 2545e4bea2c4c202f8dc87bcf152c37d4657b4ac4ce7ca74daa3598a82463788ca315d24e13dcfa3a5a4b16c757bd3c6ec1972e3f2d9b708791a1265fa0fd0b8

C:\Users\Admin\Desktop\DisableConnect.ram

MD5 56a07b258dab2208b9814fa70d5e2586
SHA1 c46c21af0e74167e996e53aa0c3d2686ea87de96
SHA256 bc46e7b72936400a397bb5bf26dbb5d8c872aa46ec08c9ba85a190c4a474653d
SHA512 8e760305dffa60d4d96b34b3c95346b0554ba254633d701e240fd715743885654879cf79558556a73d3f7ff29afa97d4983bd5d4470d262ee03242f79c9d3232

C:\Users\Admin\Desktop\GroupEnable.edrwx

MD5 9c6018eb022f8db4a01dff92f2904493
SHA1 8012e593408b6449e6a273ae794ce0636dd140d4
SHA256 559f3200314c11efe517b13746913ad0f51347f4bd0cf4028149e69c4d6370ef
SHA512 f976b8d053d13d47552575ef9c6b93ff6b1fa48f984e785f4c72b24dec83aa3e1b0c99ef8d611f2dc6dec5d180b2a982a4ce2d224c77a9ea013394b91449fc0c

C:\Users\Admin\Desktop\HideRedo.exe

MD5 b526c7ab83e008c61e5ff61ad0d083ee
SHA1 4fb80a81f47187d96f73ef860cdc4bf309d30fa9
SHA256 ca2b100f84ce72b506abce33f69d95b1b1c06c81f2272d965e23d8929db68a94
SHA512 0e68e3d26ebfaa772e6cd2d381ef88b3a3a97ee89c2d0c1f780d633664e2f1d8c5118b3ff53a2635a9d2dbab862af88aff0bd9ac317532018d5fd71c3c5eea55

C:\Users\Admin\Desktop\RegisterRevoke.avi

MD5 dd37ba32ba123c1275d7b1ca522603af
SHA1 7d18fb57788eedc86107e6f0ade432f41f82843f
SHA256 a4effcb67215e5ca3c032be18125c42373ec22d1ee886a2e2ecb71d0d1506c1c
SHA512 2f31788691fa5f8f630fb115f0f782c98f0b45ac84d07483b6001791c7812095f29b29eba96851c9ba941f96491b4924d5a12245c79c954adb8b35d32a4388f7

C:\Users\Admin\Desktop\RedoMeasure.m1v

MD5 4905e7d4a1c12366e4535695a936cdc0
SHA1 cd6a3ac5757134a5e197f8203dbf5f14cc0d2c4e
SHA256 c112f59cc9066d8bf2dd9246186ce390bb3d1653556e6e3b3ea4760ce2f076aa
SHA512 4b77c6363ee9448e18273e81365143818bffbd17e71e6351761cb284c8c9c059d6db05ed7dfd36dc9a5b3ae41ca241bda8f5eaf886932d11ac41f31a5458ab22

C:\Users\Admin\Desktop\RepairCompress.mp4

MD5 ce27f762b22f82646224ca917c0609c9
SHA1 432426491711977c1291a036afd13097e2261991
SHA256 dd71788e2169573797f0c1f137e77857dd23a4f0d81f48eec898ce6118a17fc6
SHA512 13b842faeb25c94e1a58a902de47cf1d935fc9ee652a2fe7c087be49a7327b0f6dc0ccbe6ff60ebab54043c6c35c97fc0ed42318ba491ab1d29b140e04c8ecb5

C:\Users\Admin\Desktop\OpenBlock.M2V

MD5 63b1ae3cc5b45806ca2614c48beaf2ff
SHA1 c08e6679c379bf8f42dfb252e44f4c4499494635
SHA256 7fe4d55c02deb1130669c01720de4fc1208a88c8f210278408fe9de08829df1e
SHA512 8d49d2c7379e1fab7de8453b2ff3508c699c61026b82801682003a143438311e9e81a90c3d496c4b4630eb2a4ab5436221d3d655b39e0de80134be7bda657445

C:\Users\Admin\Desktop\JoinTest.bmp

MD5 8d4e7c7fccaec523b2c2a028db1ae72c
SHA1 f6838997f44a05731493695012af1adc6df42675
SHA256 d4239200acea76100af25441ca60d9097927819e392e61aca58e79797fbcf955
SHA512 af2908cec589b15a46e45721ff3c5499d4408ab710edcd7bc046109444bfb6c337eb3e8d589717c048b7351c15df3841960b2f8713172a1b71f2e046305c3340

C:\Users\Admin\Desktop\UnpublishRegister.rtf

MD5 f42f79db66b8bcc199d80c7b80248e9b
SHA1 c07bbdbf503e6f533c7a8f245710b491c30e7d5d
SHA256 c0483e1d02a870dd5cb797d4db7098947e67af536b2527bec678f7679b734fbc
SHA512 a090f60f336ed3e7a2e1d9d35f46e4b5fbe85db6467432d3401dddf9b522508a3f529683954e02a3e94c55a6f7ed52de8b84179f924c8cb89cee2b159828a440

C:\Users\Admin\Desktop\UnregisterOut.xhtml

MD5 2960bd37980b8e3f6be10b907b1bad28
SHA1 510ea032688cfdd2ef15b85872796cce3b3e6e4b
SHA256 0bc531b6624382f793a215ba2556a5c2d1592b3a996c671ac5a277045ab94385
SHA512 3b77bc85df531ea98389c4ba566b5c5a3b585579c27963b0d11b40a080e7ec73a19cc4988830dbf38141047b8a5d6bf344ffc5d02aec8bf01490582c1e634f3d

C:\Users\Admin\Desktop\StartEnable.xla

MD5 03d3229fdd728c38c98564f180e59b7d
SHA1 8080eaac01f61d991c0d3ceb075bd8e1939197f4
SHA256 b783b6d6048d2afe1166e4131e0833f3eda9dd2b9589a470124e2f49395c1830
SHA512 99a4f0034c615f78e66a29cd520d9ea0450b0e61f36ee4e567b2bcd871bb47be46ffbf631b18aad23bd9af63379717ae5b33ca72249a96ed5764611289e8625a

C:\Users\Admin\Desktop\SplitResume.xlsb

MD5 3d5c692b17169e3e7452b1498d9dc9d1
SHA1 c5cf29c5fc38af06951d368434356485e5d4d885
SHA256 b8dae58ff3fd3dd27ee036d8856c3796e60688ff4555fb031c6f16d1d4671bb0
SHA512 631b73b60f9c2c9ca2cebe0bb758ac12007c461673d9ff9f2eb13bbfb2685d5c3eb44b9dda890fad3dd1eaeb9799bdd0b99efa090ea4220700e248acc074619d

C:\Users\Admin\Desktop\SaveUnpublish.pptm

MD5 04b4c6f58e79429a389b5fa2dff7327e
SHA1 2142454a3812e2f6eb94db3ab17a76919ac805ea
SHA256 7e605915c8e740624d72b43758337558fcb122e3469af9a76d0ee56b409c0526
SHA512 ab3bb4593f4834a34324981021bb7680c128ac84084af57ffad327181b80b0fb9bbf1a68f36029f818362c403e9623263e17c423b598761b39bd01bd21ed1134

C:\Users\Admin\Desktop\WriteBackup.sys

MD5 071a784c0218e5797f33e089cb73df12
SHA1 408c61221db6c2288e68afcf3e1821a10324b08e
SHA256 d4b473dab850188de65ebd3f6474cdc261d22fe1c548261c2df6f99cf21fe02f
SHA512 ed6b481d6a7f343e25363b7af07911933d67d3d19f98bb0ed7d846ce3328fe62602be936c6aacac0c5d563d664c5d90cdd2741fe182b7ae526f2b03cfa381cd0

C:\Users\Admin\Desktop\CloseSubmit.xml

MD5 0355f1bce4ff09872c95fdbd917308ef
SHA1 3e59965a635a6a90470c72531ca0c58d3eee0150
SHA256 7db497d4a400e6ae03f52ae04c790897b4cb7f39b969994c30f88e015befac2f
SHA512 8dd3bfb5d12d63621607febec356fd6b1a57012a2bd9e707583c0cb9a03e5bdc77ee4d7ce6711a3c9148fde1783f7d6ac506c25ab8f9dc90bfe4e5f6bc36fd08

C:\Users\Admin\Desktop\ApproveSearch.vsw

MD5 ccfc02fb9d15327232037daf7e71c83c
SHA1 19dcd73715035b6f7a68356cf3c28a5411b8dd91
SHA256 e70675a05005f2167480e201f7db4ec3923afc383275a4a2fe48af8530f0af83
SHA512 4ee99a6d0d4c2771c14c1bc9c4bc514fbd96e58d58f277f447e5149f407876f6d66caa82b079ffb5f7752356f7ad2020a991d632370d4b6f35efa9f025e06dbf

C:\Users\Admin\Desktop\ConfirmStart.cr2

MD5 dbf07c66680e1aec829703ae1b1371dd
SHA1 17217def413ed8685b5163e4e8cf414ba86a8576
SHA256 44bbd6b54c023d896923437066cff3f51f497db369de3cc926c2a2c3e80308c9
SHA512 846aa32f2c0c6b0984d6bf1befcc8d78fff47f7479e7d83118f385c7fab58d6797cd7a366c844c6eb98818d4f1b8028a9040f91ee822fe21c8d7437459fa6d28

C:\Users\Admin\Desktop\ExitCopy.gif

MD5 c16e59999345a206a4ecf71449a7495e
SHA1 49d8a76c0d80cdce5e41381a12fde978a707f82d
SHA256 1816d0c8f0142386fe99dbd4cce608ac6b457971bef2a816569b8bd2c4c7ffc6
SHA512 1c172bd95452a2bf237e4c37b0e41a48ce6d349196aa9d243f524ff1158a7481869f4c7b2e70582fbb1a53a5932bbc28917b848157b7deca4d47117d9d8f572a

C:\Users\Admin\Desktop\MoveInvoke.cfg

MD5 ed0f27e010cb15bb2d671e69f92e90ae
SHA1 89b66b31423842018b577d0bbed0131853654205
SHA256 66af501897f25b3338cc1b9df2fba2fa4102d7fa51d1249e4527ec50d0994396
SHA512 39b8e550f46ca2725e9f25d3e3ef09d5ac03ab9989a68775accb177bd3fd2cec4c27acd016491d74ae144c09d93812632bbc1f0d6e6615d0d6774b20b68c04b3

C:\Users\Admin\Desktop\SetUninstall.midi

MD5 19e6ac0c825cd5729d59b0b49bc4eacb
SHA1 cbaf4f6cadb5557988645a2d542bce715e016b0a
SHA256 7384a0fc1c8b67d88d3ecbb698cb36b8bc2a18bb632411b126192f64a7271fe4
SHA512 98f7368f9a66ad044850cf515c3bf44811edec2ef3f697353c8792d7f67af36c5231f2a21234314067cc9358c8ebb4c4e234beceedf02937da8c6aefc33969f5

C:\Users\Admin\Desktop\SwitchWatch.xsl

MD5 98400ef5a5ae00de992ca91ae39e508f
SHA1 65aa18d289983532f55cb5e150735f6e826a2f7c
SHA256 3f4992b833b2593a5d246f1324ef202c8ceef3263d192aa813e59001ff883b16
SHA512 92f6edc21e0ea904895f3beddfe0b23cb8340723edb846798a6323009b9712fb6eea13d253aa4c886bd6ecdc66e45b39cbb35254ac1e10aff4a11b5bf7eb4e73

C:\Users\Admin\Desktop\PopLock.mht

MD5 de2db85b12821f63cdd8137f6e9c6384
SHA1 4d30396365663681d102d25e4394cd9eb1b7c755
SHA256 43b952b5580e1fdbbd33bce83d028e08a92cdd7cd461737e396c020683b14424
SHA512 edaccdf54776aebd1785633671c800ef0ec61ec830aa1c955b45b74afee837a9651eaa7abeb41d3243ca18ebddd123e3adefeaace49ff4d7c1e724bcbe1c5f68

C:\Users\Public\Desktop\Microsoft Edge.lnk

MD5 5e3a30e37211dc112d71db9ce256aa91
SHA1 9e445a33e5b380161803895c03fbc14c255b1cf2
SHA256 07594c10497d5ac5d30c14d5145852e9968fd1db9697d2bbbfd3168a650443d8
SHA512 fa3480cd370b922ca2424bcc27de7cb412a0279e414341e4f43a7e0f0a6c9fca38fd7cf9efb38073e71003fc1a9e2ecf48605ea80adcbdd0a47457fe6b5564ad

C:\Users\Public\Desktop\Acrobat Reader DC.lnk

MD5 248891795954a5044110d8a8ffcc47c0
SHA1 6a689619d173927e7cd9d68fe82c4488a8e48fd7
SHA256 f8c95cfbfb7212fa48f0ab9954ba8866524a2ababd73b05781a8e5d8110afe40
SHA512 9b6ceffc55b4d9fbcf3ce9deb0a2f7b711c5d11fe2426077da8265560c8ec4af10d8f0acb10ab5b8628c1564d847dfd7e3d73d0f268761e7c620f710777c9c6f

C:\Users\Public\Desktop\VLC media player.lnk

MD5 dfa804ee98966419e5e7b317c173e318
SHA1 06a25fd8eea568f548faac07b447f0e9088fa2de
SHA256 2a04d769c5da8ac9966237207d9e1ea04601484bc29e27cb075f93720f49b2d8
SHA512 53264478963ef31705813e76a45771c3321036defeff8e6f6d9e4ab951b0027727787d21a1b6dadc92c69bdaf36200ca04835fb2210c99b7251e8a904730a9cb

C:\Users\Public\Desktop\Firefox.lnk

MD5 7313a00b87207b6bcbbff5f194100ab1
SHA1 1f73f56a1f4aa0b42c918ab3aeecb94ccd455972
SHA256 c78509048450c9889ef9c8de63243d92c7592654698a9a1d1a12d3060abd168b
SHA512 8a53cd306d7eaeca1026bea54e5f4848b5af7f3b302027776d274c1611ffbd66cbb03beb26522a0c6ad34b21c94e9f7939de68e323b49690c7c6d8b4d62010b7

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 20ab116fcbdf4080137353e62641da2a
SHA1 a84091901e19ad4aa2abd98e2c4b9cad30075730
SHA256 0a1c5ea0a34c8d12d3d03990179bb491134c4f8be12da52517f26e032f54ffcd
SHA512 c50c964bf5fd6b757c81dbd204d68f88007380c1a224b3e80b0074e6586b1ba19b664e73b2eadcdd30a3ada9d94aa515751420b7b818f160d67234724c3dd241