Malware Analysis Report

2024-09-22 07:30

Sample ID 240531-ny5b8agb6y
Target feather.exe
SHA256 f4cbcc2254e8b74d272b7148322a08159d4e4293fa825cb7547e319fff13ca8d
Tags
asyncrat xworm default execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4cbcc2254e8b74d272b7148322a08159d4e4293fa825cb7547e319fff13ca8d

Threat Level: Known bad

The file feather.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat xworm default execution persistence rat trojan

Xworm

Detect Xworm Payload

AsyncRat

Async RAT payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-31 11:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 11:49

Reported

2024-05-31 11:50

Platform

win11-20240426-en

Max time kernel

37s

Max time network

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\feather.exe"

Signatures

AsyncRat

Tags: rat asyncrat

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

Tags: trojan rat xworm

Async RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
N/A | N/A | C:\Users\Admin\Runtime Broker.exe | N/A

Client.exe and XClient.exe are the default stub names of AsyncRAT and XWorm builds respectively, which matches both family signatures firing: feather.exe is a dropper for two RATs, not one. "Runtime Broker.exe" (with a space) in the user profile imitates the legitimate C:\Windows\System32\RuntimeBroker.exe (no space). The report does not hash this third copy, so match it by path and parent rather than by digest.

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe" | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A

The key sits in the per-user hive (HKEY_USERS\<SID> is HKCU for the Admin account), so this persistence needs no elevation and only fires for that user's logons. The doubled backslashes are the report's escaping of the string value; the stored path is C:\Users\Admin\Runtime Broker.exe.

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

The task itself ("Runtime Broker", /sc minute /mo 1, /RL HIGHEST, action C:\Users\Admin\Runtime Broker.exe; full command line under Processes) relaunches the payload every minute, so killing the process without deleting the task buys sixty seconds at most. Three persistence mechanisms are set up in this run: this task, the Run key, and the Startup-folder Runtime Broker.lnk (the shortcut's target is not recorded in the report).

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Runtime Broker.exe | N/A

The rows that matter are the three RAT stubs: SeDebugPrivilege is what they need to open processes they do not own. PowerShell enables the same privilege on its own at start-up, so the four powershell.exe rows carry no signal by themselves.

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A

Both RAT stubs install a Windows hook. That is consistent with the keylogger modules both families ship, but it is a weak signal on its own: many benign GUI frameworks install hooks too, and the report does not record the hook type.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4248 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 4248 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 4248 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4248 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1696 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 3160 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 3160 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\schtasks.exe
PID 1696 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\schtasks.exe

Every target in this table is a child the writing process had just spawned, and each child appears twice; that parent-writes-into-fresh-child pattern is what ordinary process creation produces in this trace, and no row shows a write into a pre-existing process. Read as a process tree rather than as injection:

feather.exe (4248)
  Client.exe (4852)
  XClient.exe (1696)
    powershell.exe (3608)
    powershell.exe (3160)
    powershell.exe (2732)
    powershell.exe (2432)
    schtasks.exe (3912)

C:\Users\Admin\Runtime Broker.exe also runs (see Executes dropped EXE and the Processes list) but no parent write is recorded for it, consistent with it being started by the scheduled task or the Run key rather than directly by XClient.exe.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\feather.exe

"C:\Users\Admin\AppData\Local\Temp\feather.exe"

C:\Users\Admin\AppData\Roaming\Client.exe

"C:\Users\Admin\AppData\Roaming\Client.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"

C:\Users\Admin\Runtime Broker.exe

"C:\Users\Admin\Runtime Broker.exe"
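The four Defender exclusions, the schtasks command, the masquerading "Runtime Broker.exe" and the Run-key write are all cheap to detect from process-creation and registry telemetry. The Python below is an added example, not part of the sandbox report, of the rules a detection engineer would write for them, run over event records constructed from this report plus a few benign look-alikes that must stay silent. The Event field names, the rule identifiers, the tunnel of system directories and the benign records are the example's own assumptions, not Sysmon or sandbox names.

```python
"""Detection rules for this report's chain (added example, not sandbox output; field names,
rule IDs and the benign records are this example's assumptions, not Sysmon or sandbox names)."""
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str            # "process" or "registry"
    image: str = ""      # process image, or the process that wrote the registry value
    cmdline: str = ""
    key: str = ""        # registry: full key path including the value name
    data: str = ""       # registry: string data as the report prints it
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MASQUERADE = {"runtimebroker.exe", "svchost.exe", "csrss.exe", "lsass.exe", "dllhost.exe"}  # spaces removed
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
_RUN_KEY = re.compile(r"\\currentversion\\(run|runonce)\\", re.I)

def norm(path):
    """Lower-case, strip quotes, collapse the doubled backslashes the report prints."""
    return path.strip().strip("\"'").replace("\\\\", "\\").lower()

def basename(path):
    return norm(path).rsplit("\\", 1)[-1]

def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces whole."""
    return [t.strip("\"'") for t in _TOKEN.findall(cmdline)]

def finding(rule, technique, detail, ev):
    return {"rule": rule, "technique": technique, "detail": detail, "source": ev.image}

def rule_defender_exclusion(ev):
    """powershell Add-/Set-MpPreference -Exclusion* (T1562.001)."""
    toks = tokens(ev.cmdline)
    low = [t.lower() for t in toks]
    if basename(ev.image) in ("powershell.exe", "pwsh.exe") and {"add-mppreference", "set-mppreference"} & set(low):
        for i, t in enumerate(low):
            if t.startswith("-exclusion") and i + 1 < len(toks):
                bypass = " (with -ExecutionPolicy Bypass)" if "bypass" in low else ""
                return finding("DEFENDER-EXCLUSION", "T1562.001", f"{toks[i]} {toks[i + 1]}{bypass}", ev)

def rule_schtasks(ev):
    """schtasks /create combining traits that together indicate persistence (T1053.005)."""
    toks = tokens(ev.cmdline)
    low = [t.lower() for t in toks]
    if basename(ev.image) != "schtasks.exe" or "/create" not in low:
        return None
    opts = {low[i]: toks[i + 1] for i in range(len(toks) - 1) if low[i].startswith("/")}
    mo = opts.get("/mo", "1")
    reasons = []
    if opts.get("/rl", "").lower() == "highest":
        reasons.append("/RL HIGHEST")
    if opts.get("/sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        reasons.append(f"re-runs every {mo} minute(s)")
    if norm(opts.get("/tr", "")).startswith(USER_WRITABLE):
        reasons.append(f"action in user-writable path: {opts['/tr']}")
    # Any single trait has admin uses; two or more together rarely do.
    return finding("SCHTASK-PERSIST", "T1053.005", "; ".join(reasons), ev) if len(reasons) >= 2 else None

def rule_masquerade(ev):
    """A system-process name executing outside the system directories (T1036.005)."""
    if (ev.kind == "process" and basename(ev.image).replace(" ", "") in MASQUERADE
            and not norm(ev.image).startswith(SYSTEM_DIRS)):
        return finding("MASQUERADE", "T1036.005", f"{basename(ev.image)} run from {ev.image}", ev)

def rule_run_key(ev):
    """Run/RunOnce value in a user-writable path (T1547.001); per-user installers do this too."""
    if ev.kind == "registry" and _RUN_KEY.search(ev.key) and norm(ev.data).startswith(USER_WRITABLE):
        return finding("RUNKEY-PERSIST", "T1547.001", f"{ev.key} -> {norm(ev.data)}", ev)
RULES = (rule_defender_exclusion, rule_schtasks, rule_masquerade, rule_run_key)

def detect(events):
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]

# Constructed telemetry: the first seven records mirror the Processes list and the Run-key
# write in this report; the last four are benign look-alikes that must not fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
XCLIENT = r"C:\Users\Admin\AppData\Roaming\XClient.exe"
HKCU_RUN = r"\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run"
def proc(image, args):
    return Event("process", image, f'"{image}" {args}')
SAMPLE_EVENTS = [
    proc(PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'"),
    proc(PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'"),
    proc(PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'"),
    proc(PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'"),
    proc(SCHTASKS, r'/create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"'),
    proc(r"C:\Users\Admin\Runtime Broker.exe", ""),
    Event("registry", XCLIENT, key=HKCU_RUN + r"\Runtime Broker", data=r'"C:\\Users\\Admin\\Runtime Broker.exe"'),
    proc(PS, "-NoProfile Get-MpPreference"),
    proc(SCHTASKS, r'/create /sc daily /st 03:00 /tn Backup /tr "C:\Program Files\Backup\backup.exe"'),
    proc(r"C:\Windows\System32\RuntimeBroker.exe", "-Embedding"),
    Event("registry", r"C:\Program Files\Vendor\setup.exe", key=HKCU_RUN + r"\Vendor", data=r'"C:\\Program Files\\Vendor\\agent.exe"'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:<19} {f['technique']}  {f['detail']}")
```

Run stand-alone it prints one line per finding: four exclusion findings, one task, one masquerade, one Run key, and nothing for the four benign records. The schtasks rule deliberately requires two of its three traits, because each one alone (highest run level, minute schedule, action under C:\Users) has legitimate administrative uses; the Run-key rule has no such guard and should be corroborated before it drives a response.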

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:38173 | | tcp
N/A | 127.0.0.1:38173 | | tcp
N/A | 127.0.0.1:38173 | | tcp
US | 8.8.8.8:53 | 19.ip.gl.ply.gg | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
N/A | 127.0.0.1:38173 | | tcp
N/A | 127.0.0.1:38173 | | tcp
N/A | 127.0.0.1:38173 | | tcp
N/A | 127.0.0.1:38173 | | tcp
N/A | 127.0.0.1:38173 | | tcp

Reading the table: the two UDP rows are DNS queries to the sandbox's resolver (8.8.8.8 is not an indicator). One queries 19.ip.gl.ply.gg, a hostname on playit.gg's *.ply.gg tunnelling service, which lets an operator expose a C2 listener on a home connection behind NAT; the other is a reverse lookup of the resolver itself and is noise. The only TCP endpoint contacted is 127.0.0.1:38173, eight attempts within the 24 seconds of network capture. The report does not show whether that loopback address comes from the RAT configuration or from the sandbox's handling of the tunnel name, so the actionable network indicator is the hostname, not the port.

Files

memory/4248-0-0x00007FF9A4513000-0x00007FF9A4515000-memory.dmp

memory/4248-1-0x0000000000310000-0x0000000000340000-memory.dmp

C:\Users\Admin\AppData\Roaming\Client.exe

MD5 f8ec02f0ad41f3e984037b398641f3bb
SHA1 88d64ad9840e65bcd5d27323a0fe2214d00d7346
SHA256 12cdd3df8d582bc30a49c2b4f8cf96d522e0f01d64f2e7df17276dc89fdb1a75
SHA512 31d177cceba0a3698f696c5daa0265ebe3fecf8a2a2934290e574789811a68c7313c1b0b40b1bae88666088c87fc9336941e10f26952a442c9cc3ca9637f5322

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 74fcef65a288af74b2a36dd6895264f8
SHA1 d5d73bb877f0aee6962f49c87603eec9d5b4846b
SHA256 ed308d6d8768d98145916f4529e0b444058105f401acf1e01bdacadf39a637b1
SHA512 c342445070326c126ae5841cc88a3cdcd2ae6bd995a37903ca6cacb517dc3ed7ada4c9fb7c020ad814824d2a5a29fd909da895c40475aec5ec6499778e25772a

memory/1696-25-0x0000000000DC0000-0x0000000000DDA000-memory.dmp

memory/4852-26-0x00000000002C0000-0x00000000002D8000-memory.dmp

memory/4852-28-0x00007FF9A4510000-0x00007FF9A4FD2000-memory.dmp

memory/1696-29-0x00007FF9A4510000-0x00007FF9A4FD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0eyamyn.v11.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3608-38-0x00000210F2570000-0x00000210F2592000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 437395ef86850fbff98c12dff89eb621
SHA1 9cec41e230fa9839de1e5c42b7dbc8b31df0d69c
SHA256 9c39f3e1ee674a289926fddddfc5549740c488686ec6513f53848a225c192ba6
SHA512 bc669893f5c97e80a62fc3d15383ed7c62ffc86bc986401735903019bb96a5f13e4d0f6356baa2021267503a4eb62681e58e28fcff435350e83aa425fa76cd64

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 25fdee90fce7b0b96dc2ee97ec66834a
SHA1 c32a6f1e3b1033bec69a5a41de255c98944dcdc9
SHA256 c433a9b0345ba06be0b2acc2fcb9d689f81837ada86b6fee2fb2b4b838d1ea6c
SHA512 b76230cb1cee4dc3e434bc49b239525f4ea51f449b0587b828a8888c6ff54d26c5cd16219934dbe44d4f84057d8e77bbc458d71e55b10d79ef8d0eda74e7399d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f372e88c6a7876c1aafd5b110a9d60f1
SHA1 6689e55c7b83ec1e624ba8d4c41529e3ad59bd23
SHA256 086e479d6115b2cb829f25830db2f767fb51960f7978cb64206d06924652deac
SHA512 1346a52ec8abdaf307425810bf71b8731e3e47c4a564da6649c483249a531807fb4c0431e5ca42b0a3f62333c911bf0ec0b10c4daa2da7f791a32b85196f6e2b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f8c40f7624e23fa92ae2f41e34cfca77
SHA1 20e742cfe2759ac2adbc16db736a9e143ca7b677
SHA256 c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b
SHA512 f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

memory/4852-76-0x00007FF9A4510000-0x00007FF9A4FD2000-memory.dmp

memory/1696-77-0x00007FF9A4510000-0x00007FF9A4FD2000-memory.dmp
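Turning the Network and Files sections into something a SOC can act on means separating real indicators from sandbox and PowerShell residue: the memory/*.dmp entries are sandbox dumps; __PSScriptPolicyTest_*.ps1 is the throwaway script PowerShell writes at start-up to test AppLocker/WDAC policy; StartupProfileData-NonInteractive and the CLR UsageLogs powershell.exe.log are caches PowerShell rewrites on every run, which is why three different hashes appear above for the same StartupProfileData path; and 8.8.8.8 is the resolver, not a contact. The Python below is an added example, not part of the report, that parses an excerpt of these two sections (constructed here from the rows above; the full sections parse the same way) and emits that split. The classification names and the tunnel-service suffix list are the example's own assumptions.

```python
"""IOC triage for the Network and Files sections (added example, not sandbox output)."""
import re

# Excerpts constructed from the rows in this report; the full sections parse the same way.
FILES_EXCERPT = r"""
memory/4248-1-0x0000000000310000-0x0000000000340000-memory.dmp
C:\Users\Admin\AppData\Roaming\Client.exe
MD5 f8ec02f0ad41f3e984037b398641f3bb
SHA256 12cdd3df8d582bc30a49c2b4f8cf96d522e0f01d64f2e7df17276dc89fdb1a75
C:\Users\Admin\AppData\Roaming\XClient.exe
MD5 74fcef65a288af74b2a36dd6895264f8
SHA256 ed308d6d8768d98145916f4529e0b444058105f401acf1e01bdacadf39a637b1
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0eyamyn.v11.ps1
MD5 d17fe0a3f47be24a6453e9ef58c94641
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 25fdee90fce7b0b96dc2ee97ec66834a
"""
NETWORK_EXCERPT = """
Country Destination Domain Proto
N/A 127.0.0.1:38173 tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:38173 tcp
N/A 127.0.0.1:38173 tcp
"""

HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
PAYLOAD_EXT = (".exe", ".dll", ".lnk", ".ps1", ".vbs", ".bat", ".js")
# Files PowerShell itself writes on start-up; their hashes change per run and are not IOCs.
PS_RESIDUE = re.compile(r"__PSScriptPolicyTest_.*\.ps1$|StartupProfileData-|CLR_v4\.0\\UsageLogs\\", re.I)
# Hostname suffixes of public tunnelling services (this example's list); playit.gg uses *.ply.gg.
TUNNEL_SUFFIXES = (".ply.gg", ".ngrok.io", ".ngrok-free.app", ".trycloudflare.com")

def parse_files(text):
    """A path line starts an entry; following '<ALGO> <hex>' lines attach hashes to it."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_ALGOS and cur is not None:
            cur["hashes"][algo.lower()] = digest.lower()
        else:
            cur = {"path": line, "hashes": {}}
            entries.append(cur)
    return entries

def classify_file(path):
    if path.startswith("memory/"):
        return "memory_dump"
    if PS_RESIDUE.search(path):
        return "powershell_residue"
    return "dropped_payload" if path.lower().endswith(PAYLOAD_EXT) else "other"

def parse_network(text):
    """Rows have 3 fields (no domain) or 4 (DNS rows carry the queried name)."""
    rows = []
    for line in text.strip().splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) == 3:
            parts.insert(2, "")
        if len(parts) == 4:
            rows.append(dict(zip(("country", "dest", "domain", "proto"), parts)))
    return rows

def extract_iocs(files_text, network_text):
    iocs = {"dropped": [], "sha256": [], "residue": [], "loopback": {},
            "hostnames": {}, "external": [], "dns_noise": []}
    for e in parse_files(files_text):
        kind = classify_file(e["path"])
        if kind == "dropped_payload":
            iocs["dropped"].append(e["path"])
            if "sha256" in e["hashes"]:
                iocs["sha256"].append(e["hashes"]["sha256"])
        elif kind == "powershell_residue":
            iocs["residue"].append(e["path"])
    for r in parse_network(network_text):
        host, _, port = r["dest"].rpartition(":")
        if host.startswith("127.") or host == "::1":
            iocs["loopback"][r["dest"]] = iocs["loopback"].get(r["dest"], 0) + 1
        elif port == "53" and r["domain"]:               # the resolver itself is not an IOC
            name = r["domain"].lower()
            if name.endswith(".in-addr.arpa"):
                iocs["dns_noise"].append(name)
            else:
                iocs["hostnames"][name] = name.endswith(TUNNEL_SUFFIXES)   # True = tunnel service
        else:
            iocs["external"].append(r["dest"])           # direct C2 candidates
    return iocs

if __name__ == "__main__":
    for k, v in extract_iocs(FILES_EXCERPT, NETWORK_EXCERPT).items():
        print(f"{k:<10} {v}")
```

On the excerpt this yields two dropped payloads with their SHA-256 digests, three residue paths that should not be turned into hash indicators, a loopback endpoint with a hit count, and one hostname flagged as a tunnel-service name; the external list stays empty, which is the point worth noticing in this report. Hash-based blocking here covers only Client.exe and XClient.exe, since the Runtime Broker.exe copy is never hashed in the Files section.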