Malware Analysis Report

2024-11-16 13:40

Sample ID: 240601-ed8dpshe74
Target: Stand.Launchpad.exe
SHA256: a83142b28be6ce5e81cd2fa3bdf2e8679d2d1b79de2eaa0df59fde1a0e2ee032
Tags: xworm execution persistence rat trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: a83142b28be6ce5e81cd2fa3bdf2e8679d2d1b79de2eaa0df59fde1a0e2ee032
Threat Level: Known bad

The file Stand.Launchpad.exe was found to be: Known bad. In the behavioral run it spawned four powershell.exe children that add Defender exclusions for itself and for its copy in %TEMP% (the dropped Stand.exe carries the same SHA256 as the submitted file), installed three persistence mechanisms (a Run key, a Startup-folder .lnk and a scheduled task named "Stand" that runs every minute at the highest run level), queried ip-api.com for the host's external IP address and connected to a portmap.host endpoint on TCP port 43107.

Malicious Activity Summary

Tags: xworm execution persistence rat trojan

  Contains code to disable Windows Defender
  Xworm family
  Detect Xworm Payload
  Xworm
  Command and Scripting Interpreter: PowerShell
  Executes dropped EXE
  Drops startup file
  Looks up external IP address via web service
  Adds Run key to start application
  Unsigned PE
  Enumerates physical storage devices
  Suspicious use of WriteProcessMemory
  Uses Task Scheduler COM API
  Suspicious behavior: AddClipboardFormatListener
  Creates scheduled task(s)
  Suspicious use of SetWindowsHookEx
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-01 03:50

Signatures

Detect Xworm Payload (no indicator details recorded)

Xworm family: xworm

Unsigned PE (no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 03:50
Reported: 2024-06-01 03:53
Platform: win11-20240508-en
Max time kernel: 100s
Max time network: 112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"

Signatures

Contains code to disable Windows Defender (no indicator details recorded; the Add-MpPreference command lines under Processes are the evidence)

Detect Xworm Payload (no indicator details recorded)

Xworm: trojan rat xworm

Drops startup file

  Description                  | Indicator                                                                              | Process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk | C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk | C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe

Executes dropped EXE

  Process: C:\Users\Admin\AppData\Local\Temp\Stand.exe (two events)

Adds Run key to start application (persistence)

  Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe"
  Process: C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe

Looks up external IP address via web service

  Indicator: ip-api.com

Enumerates physical storage devices (no indicator details recorded)

Creates scheduled task(s) (persistence)

  Process: C:\Windows\System32\schtasks.exe

Suspicious behavior: AddClipboardFormatListener

  Process: C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe

Suspicious use of AdjustPrivilegeToken

  Token               | Process
  SeDebugPrivilege    | C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe (two events)
  SeDebugPrivilege    | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (four events)
  SeDebugPrivilege    | C:\Users\Admin\AppData\Local\Temp\Stand.exe (two events)
  SeShutdownPrivilege | C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe

Suspicious use of SetWindowsHookEx

  Process: C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe

Suspicious use of WriteProcessMemory

  Description                      | Process                                               | Target
  PID 3660 wrote to memory of 1612 | C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PID 3660 wrote to memory of 2916 | C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PID 3660 wrote to memory of 4412 | C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PID 3660 wrote to memory of 4092 | C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PID 3660 wrote to memory of 3316 | C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe | C:\Windows\System32\schtasks.exe
  (each row was reported twice by the sandbox)

  This signature also fires for ordinary child-process creation, so by itself it carries little weight; the value here is that the parent is an unsigned binary in %TEMP% and the children are the PowerShell and schtasks commands listed under Processes.

Uses Task Scheduler COM API (persistence)

Processes

Process tree (PIDs taken from the WriteProcessMemory rows above):

  Stand.Launchpad.exe (PID 3660)
    "C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"
    |
    +-- powershell.exe (PIDs 1612, 2916, 4412, 4092; one per command line)
    |     "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe'
    |     "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.Launchpad.exe'
    |     "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
    |     "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
    |
    +-- schtasks.exe (PID 3316)
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"

  Stand.exe (launched twice during the run; the parent is not recorded in this report)
    C:\Users\Admin\AppData\Local\Temp\Stand.exe

The four Add-MpPreference calls exclude both the launcher and its copy by path and by process name, so Defender will neither scan the files on disk nor the running processes. Add-MpPreference only succeeds in an elevated context; the report shows the exclusions being attempted, not whether they took effect. The scheduled task re-runs Stand.exe every minute with /RL HIGHEST and /f (overwrite without prompting), which is a relaunch-on-kill mechanism rather than plain startup persistence.
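Detection logic for the process chain above, as an added example: this is not part of the sandbox report or of any vendor's rule set. It takes Sysmon-style process-creation events (PID, parent PID, image path, command line), flags Add-MpPreference exclusions launched from powershell.exe and schtasks /create calls with a high-frequency trigger, HIGHEST run level or a user-writable target, and then correlates both rules on a common parent that itself runs from a user-writable directory. The sample events are constructed from the command lines in this section; the pairing of each PID with a specific command line, the parent PID 1234 and the two benign control events are assumptions made for the example.

```python
"""Detect the chain in this report: a parent running from a user-writable
directory that (1) adds Defender exclusions via powershell.exe Add-MpPreference
and (2) registers an every-minute, highest-run-level scheduled task.
Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Directories a standard user can write to: a weak signal on its own, which the
# rules below only use in combination with the stronger command-line patterns.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|ProgramData|Users\\Public)\\", re.I)
MPPREF = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'?\"?([^'\"]+)", re.I)
TASK_OPT = re.compile(r"/(sc|mo|rl|tn|tr)\s+(\"[^\"]*\"|\S+)", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ST = r"C:\Windows\System32\schtasks.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events. Command lines are the ones from the report; PIDs follow the
# WriteProcessMemory rows (which PID ran which command is an assumption). The
# parent PID 1234 and the last two benign events are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent(3660, 1234, TMP + r"\Stand.Launchpad.exe", '"' + TMP + r'\Stand.Launchpad.exe"'),
    ProcEvent(1612, 3660, PS, '"' + PS + "\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '" + TMP + r"\Stand.Launchpad.exe'"),
    ProcEvent(2916, 3660, PS, '"' + PS + "\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.Launchpad.exe'"),
    ProcEvent(4412, 3660, PS, '"' + PS + "\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '" + TMP + r"\Stand.exe'"),
    ProcEvent(4092, 3660, PS, '"' + PS + "\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'"),
    ProcEvent(3316, 3660, ST, '"' + ST + '" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "' + TMP + r'\Stand.exe"'),
    ProcEvent(5000, 1234, ST, '"' + ST + r'" /create /tn "NightlyBackup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
    ProcEvent(5001, 1234, PS, '"' + PS + '" -NoProfile Get-MpPreference'),
]


def check_defender_exclusion(ev):
    """Add-MpPreference -Exclusion* from powershell.exe. -ExecutionPolicy Bypass
    on the same line (no script file, policy sidestepped) raises the severity."""
    if not ev.image.lower().endswith("powershell.exe"):
        return None
    m = MPPREF.search(ev.cmdline)
    if not m:
        return None
    bypass = re.search(r"-ExecutionPolicy\s+Bypass", ev.cmdline, re.I) is not None
    return {"rule": "defender_exclusion", "pid": ev.pid, "ppid": ev.ppid,
            "severity": "high" if bypass else "medium",
            "kind": m.group(1).lower(), "target": m.group(2).strip()}


def check_scheduled_task(ev):
    """schtasks /create with an every-few-minutes trigger, HIGHEST run level or a
    /tr target in a user-writable directory; two or more of those is high."""
    if not ev.image.lower().endswith("schtasks.exe") or "/create" not in ev.cmdline.lower():
        return None
    opts = {k.lower(): v.strip('"') for k, v in TASK_OPT.findall(ev.cmdline)}
    every = opts.get("mo", "1")
    reasons = []
    if opts.get("sc", "").lower() == "minute" and every.isdigit() and int(every) <= 5:
        reasons.append("runs every %s minute(s)" % every)
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("run level HIGHEST")
    if USER_WRITABLE.search(opts.get("tr", "")):
        reasons.append("target in user-writable path")
    if not reasons:
        return None
    return {"rule": "suspicious_task", "pid": ev.pid, "ppid": ev.ppid,
            "severity": "high" if len(reasons) >= 2 else "low",
            "task": opts.get("tn"), "target": opts.get("tr"), "reasons": reasons}


def detect(events):
    """Run each per-event rule over the events and return all findings."""
    findings = []
    for ev in events:
        for rule in (check_defender_exclusion, check_scheduled_task):
            f = rule(ev)
            if f:
                findings.append(f)
    return findings


def correlate(events, findings):
    """Parent PIDs that run from a user-writable path and spawned both a
    Defender-exclusion child and a task-creation child (PID 3660 here)."""
    by_pid = {ev.pid: ev for ev in events}
    rules_by_parent = {}
    for f in findings:
        rules_by_parent.setdefault(f["ppid"], set()).add(f["rule"])
    return sorted(ppid for ppid, rules in rules_by_parent.items()
                  if {"defender_exclusion", "suspicious_task"} <= rules
                  and ppid in by_pid and USER_WRITABLE.search(by_pid[ppid].image))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("launcher chain parents:", correlate(SAMPLE_EVENTS, found))
```

To run this over real telemetry, map Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine) onto ProcEvent. A defender_exclusion hit records an attempted exclusion only; confirm on the host with Get-MpPreference, since Add-MpPreference fails silently for the rule's purposes when the caller is not elevated.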

Network

  Country | Destination          | Domain                      | Proto
  US      | 8.8.8.8:53           | ip-api.com                  | udp
  US      | 208.95.112.1:80      | ip-api.com                  | tcp
  US      | 8.8.8.8:53           | 1.112.95.208.in-addr.arpa   | udp
  DE      | 193.161.193.99:43107 | Name1442-43107.portmap.host | tcp

The ip-api.com request over plain HTTP (and the reverse lookup of its address) is the external-IP check; many commodity families do this, so it is a weak indicator on its own. The connection to 193.161.193.99:43107 (Name1442-43107.portmap.host) is the only non-utility traffic and the candidate C2 endpoint. portmap.host is a port-forwarding service, so the address and hostname belong to the forwarding provider, not to the operator's own infrastructure; block on the full hostname and the host:port pair rather than the bare IP.

Files

Listed in the order the sandbox recorded them. memory/<pid>-<n>-<start>-<end>-memory.dmp entries are memory regions dumped from that PID.

  memory/3660-0-0x00007FFD4C3B3000-0x00007FFD4C3B5000-memory.dmp
  memory/3660-1-0x0000000000E70000-0x0000000000E8E000-memory.dmp
  memory/3660-2-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp
  memory/1612-9-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp
  memory/1612-8-0x0000019DBA4B0000-0x0000019DBA4D2000-memory.dmp

  C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mhrt1sad.aoh.ps1
    MD5    d17fe0a3f47be24a6453e9ef58c94641
    SHA1   6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
    (__PSScriptPolicyTest_*.ps1 is the file PowerShell writes at start-up to probe the AppLocker/WDAC script policy; it records a PowerShell launch and is not a dropped script)

  memory/1612-13-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp
  memory/1612-14-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp
  memory/1612-15-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp
  memory/1612-16-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp
  memory/1612-19-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp

  C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5    627073ee3ca9676911bee35548eff2b8
    SHA1   4c4b68c65e2cab9864b51167d710aa29ebdcff2e
    SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
    SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

  C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5    1a9fa92a4f2e2ec9e244d43a6a4f8fb9
    SHA1   9910190edfaccece1dfcc1d92e357772f5dae8f7
    SHA256 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
    SHA512 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

  C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5    2e0391d00f5bfbc34be70790f14d5edf
    SHA1   fcb04d8599c23967de4f154a101be480933ab0d0
    SHA256 1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136
    SHA512 231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

  C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5    cb9070f7a07a5d3fc17121852bff6953
    SHA1   1932f99c2039a98cf0d65bca0f882dde0686fc11
    SHA256 6c908b4ca5b098e166b48a0e821050db43fba7299a6553be2303bee5b89545ac
    SHA512 97b9fc5ce40b102e2c9334500f6c17625c982ff8e4afaaabd92c2468cd8deface01d7cdfd267c4f10aac123b7a6173fde85d2b531c6f134a3896a8ca5edfe1f8
    (the same path is listed three times with different hashes: PowerShell rewrites this profile cache on each non-interactive launch)

  memory/3660-55-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp

  C:\Users\Admin\AppData\Local\Temp\Stand.exe
    MD5    1876cff7742d4df6149e00b4abf78425
    SHA1   5e81c297afedde245a5e4f3835021659cf541f65
    SHA256 a83142b28be6ce5e81cd2fa3bdf2e8679d2d1b79de2eaa0df59fde1a0e2ee032
    SHA512 a6dfabf8ba1a7ffbe20fabb12cf964ea3eca04f2115a1f312c7e02daef0c3824947c15e53cab2cf91a01b6945d689d8ce8bb47eee4f39a4e0d8b62292c47722c
    (identical SHA256 to the submitted Stand.Launchpad.exe: the launcher copies itself to %TEMP%\Stand.exe, and every persistence entry points at that copy)

  memory/3660-60-0x0000000003050000-0x000000000305A000-memory.dmp

  C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Stand.exe.log
    MD5    2cbbb74b7da1f720b48ed31085cbd5b8
    SHA1   79caa9a3ea8abe1b9c4326c3633da64a5f724964
    SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
    SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
    (CLR_v4.0\UsageLogs\<name>.log is written by the .NET runtime for managed executables, so Stand.exe is a .NET binary, consistent with the XWorm family)

  memory/3660-63-0x000000001BF30000-0x000000001BF3E000-memory.dmp