Malware Analysis Report

2024-09-11 15:17

Sample ID 240611-wq6jbawckc
Target Google.exe
SHA256 adf74373a0c803bc81f69d756b3944d4b91268571ebb6a6764d146e368c61407
Tags
xworm rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

adf74373a0c803bc81f69d756b3944d4b91268571ebb6a6764d146e368c61407

Threat Level: Known bad

The file Google.exe was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Detect Xworm Payload

Xworm

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 18:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 18:08

Reported

2024-06-11 18:11

Platform

win11-20240426-en

Max time kernel

92s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Google.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Google.exe

"C:\Users\Admin\AppData\Local\Temp\Google.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3344-0-0x00007FFDDAB73000-0x00007FFDDAB75000-memory.dmp

memory/3344-1-0x0000000000BD0000-0x0000000000C08000-memory.dmp

memory/3344-2-0x0000000001540000-0x0000000001574000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 2cb9e3f89741961748d38d15dfecc8fb
SHA1 11f89dfac73dfacb194fa01bf6e7fddb38c1f6d7
SHA256 e76dcf1390543fde2ae6fd8263e90df10923df9dfe78a5fb588a50654577fd13
SHA512 20557311d13320d2f7c8bfb99e49c8af30dbcbace0faaa5101f9ea893a017a55100bf2b3c466c9d9cfe4fa8a8affcef9223a870abbcf571492fa90abd0e748f2

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 0686dae63058f6ada4b1910e4e58af0b
SHA1 97cceff18989f3dc93af5aac086179438d259c10
SHA256 7c083610edda2497c1f8d3d1ddf5067031520da73f03e3da3fdff6be766766a3
SHA512 933ee0d0a467bc72b81fc0c0818e130cb1a7727f853c4e464a38f3ae4b4f5c4d7d32389f88f4895068dc6eee72ef6fd2f2f33560f7fc43b7d12bcb7032e91f81