Malware Analysis Report

2024-11-16 13:42

Sample ID 240531-xv9xzaah22
Target Minecraft.exe
SHA256 bdb400432a963d7557a75735f5ece80ec87720f49d074bbfc9b29b67a454c0b8
Tags
xworm execution rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bdb400432a963d7557a75735f5ece80ec87720f49d074bbfc9b29b67a454c0b8

Threat Level: Known bad

The file Minecraft.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Detect Xworm Payload

Xworm

Xworm family

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 19:11

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 19:11

Reported

2024-05-31 19:16

Platform

win10-20240404-en

Max time kernel

299s

Max time network

305s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtkAudUService64.lnk C:\Users\Admin\AppData\Local\Temp\Minecraft.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtkAudUService64.lnk C:\Users\Admin\AppData\Local\Temp\Minecraft.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\RtkAudUService64.exe N/A (4 identical rows)

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A (2 identical rows)
N/A 5.tcp.eu.ngrok.io N/A N/A (5 identical rows)

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Minecraft.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

The 22-row powershell.exe sequence above repeats verbatim for the further powershell.exe instances; the report caps this table at 64 rows, so the third repetition is cut off after Token: 33. Tokens 33 to 36 are privilege LUIDs the sandbox did not map to names. This sequence shows up on practically every sandboxed powershell.exe launch regardless of what script it runs, so it carries little signal by itself; the SeDebugPrivilege adjustment by Minecraft.exe and the Add-MpPreference command lines listed under Processes are what matter.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Minecraft.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Minecraft.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Minecraft.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Minecraft.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RtkAudUService64.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RtkAudUService64" /tr "C:\ProgramData\RtkAudUService64.exe"

C:\ProgramData\RtkAudUService64.exe (launched 8 times during the 299 s run; no command-line arguments recorded)

The four PowerShell instances add Microsoft Defender exclusions for both the original sample and its dropped copy, once by path and once by process name. Add-MpPreference only succeeds in an elevated context (the sandbox user is Admin), and the exclusions outlive the run until removed with Remove-MpPreference. The scheduled task relaunches the dropped copy every minute at the highest run level, so killing the process on its own achieves nothing: the task, the Startup-folder RtkAudUService64.lnk and the Defender exclusions have to go first. The repeated RtkAudUService64.exe launches are consistent with that task firing throughout the run. RtkAudUService64.exe is the name of a legitimate Realtek audio service binary; C:\ProgramData is not where that binary lives.
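The command lines above form one chain: exclude, copy, schedule, run. The Python below is an example added by the editor, not code from the report or the sandbox; it runs a few triage rules over the command lines as transcribed from the Processes section and links the excluded path to the task that later executes it. The rule names, the "five minutes or less" threshold for a high-frequency task and the list of user-writable directories are the editor's assumptions.

```python
"""Triage sandbox process command lines for the defence-evasion and
persistence chain seen in this run: Defender exclusions, -ExecutionPolicy
Bypass, a high-frequency elevated scheduled task, execution from ProgramData."""
import re
from collections import Counter

# Transcribed from the Processes section of the report; the eight
# RtkAudUService64.exe launches appear once because no arguments were recorded.
REPORT_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Minecraft.exe'",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionProcess 'Minecraft.exe'",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionPath 'C:\ProgramData\RtkAudUService64.exe'",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'",
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
    r'/tn "RtkAudUService64" /tr "C:\ProgramData\RtkAudUService64.exe"',
    r"C:\ProgramData\RtkAudUService64.exe",
]

# Assumption: directories an unprivileged user can write to; an image or task
# target rooted here is worth a look even without the other signals.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)\s+['\"]?([^'\"\s]+)",
    re.IGNORECASE,
)
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep|exec)\s+Bypass\b", re.IGNORECASE)
TASK_OPT_RE = re.compile(r'/(tn|tr|sc|mo|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def image_path(cmd):
    """First token of the command line: the quoted or bare image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_schtasks(cmd):
    """Return the /tn /tr /sc /mo /RL options of a schtasks command, unquoted."""
    return {k.lower(): v.strip('"') for k, v in TASK_OPT_RE.findall(cmd)}


def classify(cmd):
    """Return (rule, detail) findings for one command line."""
    findings = []
    image = image_path(cmd)
    if any(d in image.lower() for d in USER_WRITABLE):
        findings.append(("exec_from_writable_dir", image))
    if BYPASS_RE.search(cmd):
        findings.append(("powershell_execpolicy_bypass", image))
    for kind, value in EXCLUSION_RE.findall(cmd):
        findings.append(("defender_exclusion_" + kind.lower(), value))
    if image.lower().endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.IGNORECASE):
        opts = parse_schtasks(cmd)
        task = f"{opts.get('tn')} -> {opts.get('tr')}"
        modifier = opts.get("mo", "1")  # schtasks defaults /mo to 1
        if opts.get("sc", "").lower() == "minute" and modifier.isdigit() and int(modifier) <= 5:
            findings.append(("high_frequency_task", task))
        if opts.get("rl", "").upper() == "HIGHEST":
            findings.append(("task_runlevel_highest", task))
        target = opts.get("tr", "")
        if any(d in target.lower() for d in USER_WRITABLE):
            findings.append(("task_target_in_writable_dir", target))
    return findings


def triage(cmdlines):
    """Aggregate findings and link an excluded path to a task that later runs it."""
    counts, details = Counter(), {}
    for cmd in cmdlines:
        for rule, detail in classify(cmd):
            counts[rule] += 1
            details.setdefault(rule, []).append(detail)
    scheduled = {t.lower() for t in details.get("task_target_in_writable_dir", [])}
    chained = [p for p in details.get("defender_exclusion_path", []) if p.lower() in scheduled]
    return {"counts": dict(counts), "details": details, "excluded_then_scheduled": chained}


if __name__ == "__main__":
    result = triage(REPORT_CMDLINES)
    for rule, n in sorted(result["counts"].items()):
        print(f"{n:2d}  {rule}: {'; '.join(result['details'][rule])}")
    print("excluded path later scheduled:", result["excluded_then_scheduled"])
```

The useful output is the last line: a path that was first excluded from Defender and then wired into a scheduled task is the combination worth alerting on, whereas each rule alone (a Bypass flag, a task in ProgramData) has benign admin-script matches.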

Network

Country Destination Domain Proto Hits
US 8.8.8.8:53 ip-api.com udp 1
US 208.95.112.1:80 ip-api.com tcp 1
US 8.8.8.8:53 pastebin.com udp 1
US 104.20.3.235:443 pastebin.com tcp 1
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp 5
DE 3.67.112.102:14188 5.tcp.eu.ngrok.io tcp 7
DE 3.64.4.198:14188 5.tcp.eu.ngrok.io tcp 8
DE 3.67.161.133:14188 5.tcp.eu.ngrok.io tcp 13
DE 3.127.181.115:14188 5.tcp.eu.ngrok.io tcp 7
US 8.8.8.8:53 reverse lookups (1.112.95.208, 235.3.20.104, 102.112.67.3, 14.227.111.52, 198.4.64.3, 66.112.168.52, 133.161.67.3, 98.58.20.217, 115.181.127.3 .in-addr.arpa) udp 9

The original 53-row table is collapsed here: identical rows are merged and counted in the Hits column, and rows are kept in order of first contact (ip-api.com, then pastebin.com, then the ngrok tunnel). 5.tcp.eu.ngrok.io was resolved five times and came back with four different addresses, all geolocated to Germany, and the sample reconnected to each new address on port 14188; the hostname and port, not the IP addresses, are the durable indicator. The reverse lookups for 52.111.227.14, 52.168.112.66 and 217.20.58.98 have no matching outbound connection in this table.
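An example added by the editor, not part of the report: a Python summariser that turns rows in the table's format into endpoints, sets reverse lookups and plain DNS queries aside as destinations, counts connections per endpoint and flags names that resolved to more than one address. The input is a constructed subset of the rows above with duplicates retained; the service lists and tag names are the editor's assumptions.

```python
"""Collapse a sandbox network table into durable indicators: group connection
rows by (domain, port, proto), collect the addresses each name resolved to,
and tag the tunnel, paste and IP-lookup services this sample relies on."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed subset of the report's Network table (verbatim rows, duplicates
# kept so the counting is exercised). Columns: Country Destination Domain Proto
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 3.67.112.102:14188 5.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 102.112.67.3.in-addr.arpa udp
DE 3.67.112.102:14188 5.tcp.eu.ngrok.io tcp
DE 3.67.112.102:14188 5.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 3.64.4.198:14188 5.tcp.eu.ngrok.io tcp
DE 3.64.4.198:14188 5.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 3.67.161.133:14188 5.tcp.eu.ngrok.io tcp
DE 3.67.161.133:14188 5.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 3.127.181.115:14188 5.tcp.eu.ngrok.io tcp
"""

# Assumptions: service name lists used for tagging.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app")
PASTE_SITES = {"pastebin.com"}
GEOIP_SITES = {"ip-api.com", "ipinfo.io", "api.ipify.org", "icanhazip.com"}


@dataclass
class Endpoint:
    domain: str
    port: int
    proto: str
    ips: set = field(default_factory=set)
    connections: int = 0
    dns_queries: int = 0
    tags: list = field(default_factory=list)


def parse_rows(text):
    """Return (country, host, port, domain, proto) tuples; skips the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue  # header or malformed line
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append((country, host, int(port), domain.lower(), proto.lower()))
    return rows


def tag_domain(domain):
    tags = []
    if domain.endswith(TUNNEL_SUFFIXES):
        tags.append("tunnel_service_c2")
    if domain in PASTE_SITES:
        tags.append("paste_service_config")
    if domain in GEOIP_SITES:
        tags.append("external_ip_lookup")
    return tags


def summarize(rows):
    """Group non-DNS rows by endpoint; attach DNS query counts and tags."""
    endpoints, dns = {}, Counter()
    for _country, host, port, domain, proto in rows:
        if domain.endswith(".in-addr.arpa"):
            continue  # reverse lookups: resolver noise, not a destination the sample chose
        if port == 53 and proto == "udp":
            dns[domain] += 1
            continue
        key = (domain, port, proto)
        ep = endpoints.setdefault(key, Endpoint(domain, port, proto, tags=tag_domain(domain)))
        ep.ips.add(host)
        ep.connections += 1
    for ep in endpoints.values():
        ep.dns_queries = dns.get(ep.domain, 0)
        if len(ep.ips) > 1:
            ep.tags.append("rotating_ips_use_hostname_as_ioc")
    return endpoints


def iocs(endpoints):
    """host:port/proto of every tunnel endpoint: the indicator that survives IP churn."""
    return sorted(f"{ep.domain}:{ep.port}/{ep.proto}"
                  for ep in endpoints.values() if "tunnel_service_c2" in ep.tags)


if __name__ == "__main__":
    for ep in summarize(parse_rows(NETWORK_TABLE)).values():
        print(f"{ep.domain}:{ep.port}/{ep.proto} conns={ep.connections} "
              f"dns={ep.dns_queries} ips={sorted(ep.ips)} tags={ep.tags}")
    print("block on:", iocs(summarize(parse_rows(NETWORK_TABLE))))
```

Blocking the four addresses would have stopped nothing for long; a DNS or proxy rule on the ngrok tunnel name (or the ngrok suffixes as a whole, where the business has no use for them) is the control this table argues for.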

Files

memory/616-0-0x00007FFC5D583000-0x00007FFC5D584000-memory.dmp

memory/616-1-0x0000000000580000-0x0000000000596000-memory.dmp

memory/616-2-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

memory/5056-7-0x00000261D0990000-0x00000261D09B2000-memory.dmp

memory/5056-9-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

memory/5056-11-0x00000261D0B40000-0x00000261D0BB6000-memory.dmp

memory/5056-12-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wneelje3.wwz.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

These are the hashes of the single character "1". PowerShell writes this one-byte __PSScriptPolicyTest_*.ps1 file at start-up to probe whether AppLocker/WDAC script enforcement applies, so it turns up in any run that launches powershell.exe and is not an artefact of the sample itself.

memory/5056-21-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

memory/5056-51-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fa2fd96a0cefb3443e3d5d36dcf49bdb
SHA1 62f89c94f6ef4b9f4cc1ffccf4b9e87e36d81755
SHA256 9269962ccbd30f9caed70951584ae74b4a78fe7c949e7d6d174d80633dd16924
SHA512 1e36cb55b41512329cf3cc33ed84f80bb6eccc94f015ec5ee84f1dbb604f9ea18d4bc7144f07a406d24e02974fc04cf51181884f9df3285fcd9e8a36d36b06b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9d5826f0fcf664cbbf2da87246cf318e
SHA1 81218593b57ce77c2706629cd9d8390861568553
SHA256 d904bc72243cde76b6e9861ad64637ae98e52beddbcc3449b4358e0fdcdd9b0e
SHA512 7e3f5b112987278e1555c38f5dd5ceb712947d21bdea779081b26bee827b6e989454ac469639367bbcbe28d9d90f01492dcfb405e9d6202108e017b48d29149d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8c695b100350f61a836fe82019fe5f8
SHA1 10a3ead9eca17c37a6133ae5ec771e07b19b49ef
SHA256 5f6a93dfa69caae1e126930d03bf0f0e2e339faed17cac038ef0454468ab4841
SHA512 3e8f8716aefbc59924928ab9957e0df352d0e9ea6275011269b2915303281dadfab4155c517090da5825e5b80cac953448369bc0047ed5b0a759f2863b6d89dc

memory/616-185-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

C:\ProgramData\RtkAudUService64.exe

MD5 ebaf38949ddaf75042b5680707117745
SHA1 b1e45ef043bd2dbf4d2c3511bc3a8b742f4f237e
SHA256 bdb400432a963d7557a75735f5ece80ec87720f49d074bbfc9b29b67a454c0b8
SHA512 34997d945013294d4c3fa42dc0ad99435fd6848184cf4a2dcdfa35b2c1aa849f4d4d96267663c38c7a805548b92bba973cb28bcb136377b06335cad2695ab3c1

The SHA256 is identical to that of the submitted Minecraft.exe: the sample copies itself unmodified to C:\ProgramData, so one file hash covers both the original and the persisted copy.

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RtkAudUService64.exe.log

MD5 16c5fce5f7230eea11598ec11ed42862
SHA1 75392d4824706090f5e8907eee1059349c927600
SHA256 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc