Malware Analysis Report

2024-09-11 13:49

Sample ID 240614-zfdx4ayfjj
Target Nursultan.exe
SHA256 c4639039b7f1615e415e7e383e0e34f5f9d7c1e5ee382b7d87b03736d9458332
Tags: xworm persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: c4639039b7f1615e415e7e383e0e34f5f9d7c1e5ee382b7d87b03736d9458332

Threat Level: Known bad

The file Nursultan.exe was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Detect Xworm Payload

Xworm

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 20:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 20:39

Reported

2024-06-14 20:42

Platform

win7-20240221-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Nursultan (1).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1628 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1628 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1628 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Users\Admin\AppData\Roaming\Nursultan (1).exe
PID 1628 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Users\Admin\AppData\Roaming\Nursultan (1).exe
PID 1628 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Users\Admin\AppData\Roaming\Nursultan (1).exe
PID 1852 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\schtasks.exe
PID 1852 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\schtasks.exe
PID 1852 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\schtasks.exe
PID 1720 wrote to memory of 2680 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1720 wrote to memory of 2680 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1720 wrote to memory of 2680 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1720 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1720 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1720 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1720 wrote to memory of 2712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1720 wrote to memory of 2712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1720 wrote to memory of 2712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
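The table above is the only place this report records who started whom: the sandbox flags a parent writing into the address space of a child it has just created, so each distinct "PID X wrote to memory of Y" pair is a parent/child edge. The Python below is an added example written for this page, not output of the sandbox, that rebuilds the behavioral1 process tree from those rows (copied verbatim, duplicates left in to show they collapse) and lists the XClient.exe instances started by taskeng.exe, i.e. the scheduled task firing. Reading a memory write as a process-creation edge is the analyst's assumption; taskeng.exe (PID 1720) shows up as a root only because its own parent is not in the table.

```python
import re

# Rows copied from this report's behavioral1 "Suspicious use of WriteProcessMemory"
# table (two duplicates kept on purpose to show they collapse). Constructed input
# for the example; the report presents this as a table, not as text a script reads.
WRITE_ROWS = r"""
PID 1628 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1628 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1628 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Users\Admin\AppData\Roaming\Nursultan (1).exe
PID 1852 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\schtasks.exe
PID 1720 wrote to memory of 2680 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1720 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1720 wrote to memory of 2712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
"""

# "<writer pid> ... <target pid> N/A <writer image> <target image>". The writer image
# ends at the first ".exe", so a target path with spaces ("Nursultan (1).exe") survives.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?\.exe) (C:\\.*)$", re.I)

def parse_edges(rows):
    """Map pid -> image path and child pid -> parent pid; repeated rows collapse."""
    image, parent_of = {}, {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ppid, cpid = int(m.group(1)), int(m.group(2))
        image[ppid], image[cpid] = m.group(3), m.group(4)
        parent_of[cpid] = ppid
    return image, parent_of

def build_tree(rows):
    """Return (image, children, roots). A root is a pid that never appears as a target."""
    image, parent_of = parse_edges(rows)
    children = {}
    for child, parent in parent_of.items():
        children.setdefault(parent, []).append(child)
    roots = sorted(pid for pid in image if pid not in parent_of)
    return image, children, roots

def render_tree(rows):
    """Indented text tree, one line per process, children sorted by pid."""
    image, children, roots = build_tree(rows)
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)
    for root in roots:
        walk(root, 0)
    return lines

def scheduled_relaunches(rows):
    """Pids started by taskeng.exe: the Task Scheduler host re-running the dropped binary."""
    image, children, _ = build_tree(rows)
    return sorted(child for parent, kids in children.items()
                  if image[parent].lower().endswith("\\taskeng.exe") for child in kids)

if __name__ == "__main__":
    print("\n".join(render_tree(WRITE_ROWS)))
    print("relaunched by Task Scheduler:", scheduled_relaunches(WRITE_ROWS))
```

Three relaunches of XClient.exe inside a 150-second run is what a `/sc minute /mo 1` task looks like in a process tree; in a live investigation the same edges come from Sysmon event 1 (ParentProcessId) or ETW process-start events rather than from memory-write telemetry.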

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Nursultan (1).exe

"C:\Users\Admin\AppData\Roaming\Nursultan (1).exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {7C5CD34D-B893-4E8A-A971-B80E69EF6C9F} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 147.185.221.17:53476 decision-dollar.gl.at.ply.gg tcp
US 147.185.221.17:53476 decision-dollar.gl.at.ply.gg tcp
US 8.8.8.8:53 nursultan.fun udp
US 104.26.2.238:443 nursultan.fun tcp
US 147.185.221.17:53476 decision-dollar.gl.at.ply.gg tcp
US 147.185.221.17:53476 decision-dollar.gl.at.ply.gg tcp
US 147.185.221.17:53476 decision-dollar.gl.at.ply.gg tcp
US 147.185.221.17:53476 tcp

Files

memory/1628-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

memory/1628-1-0x00000000011C0000-0x000000000243E000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 cf9d63aded654283d5ef66882dd3c22f
SHA1 ff03ff84e5b38458bfac7c9c107925623ad7089f
SHA256 23ad7d74cd613157afa89c87536b67140656e17679228aae15b205e75e276732
SHA512 1b181884047ad4e41a4b3de99aa283ea73c107116636a0c112c09e7895f97ca240d6bbd3c1950fd31f6a8026bab51f74c24df0d058e7597d8836fac2d1e3f3d7

memory/1852-7-0x00000000008A0000-0x00000000008F4000-memory.dmp

memory/1852-8-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Nursultan (1).exe

MD5 e504e3fc36fe4d6f182c98923979a779
SHA1 3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6
SHA256 70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0
SHA512 63bbbc3ccf14b2846df64b8edae52b6431df52aa9e03569a28ca239ab02db94bf79ca8a0a30529e35a04ee5845768d752b99e6ce3830ab440c57850180ad1647

memory/2588-17-0x00000000777D0000-0x00000000777D2000-memory.dmp

memory/2588-15-0x00000000777D0000-0x00000000777D2000-memory.dmp

memory/2588-19-0x00000000777D0000-0x00000000777D2000-memory.dmp

memory/2588-21-0x0000000140000000-0x0000000142153000-memory.dmp

memory/1852-24-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/1852-26-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 20:39

Reported

2024-06-14 20:43

Platform

win10v2004-20240508-en

Max time kernel

201s

Max time network

214s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Nursultan.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Nursultan (1).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Nursultan (1).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Nursultan (1).exe

"C:\Users\Admin\AppData\Roaming\Nursultan (1).exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe
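Both runs show the same two persistence mechanisms: XClient.exe writes itself into the per-user Run key (the "Adds Run key to start application" rows in behavioral1 and behavioral2) and creates a scheduled task named XClient that re-runs it every minute at the highest available run level (the schtasks command line listed above and in behavioral1). The Python below is an added triage example written for this page, not part of the report or of any sandbox, that parses those exact strings as they appear here and scores them. The list of user-writable directories and the 300-second "relaunch loop" threshold are the editor's assumptions. The two Run-key rows differ only in SID and in the casing of Software/SOFTWARE, which is why the registry match is case-insensitive.

```python
import re

# Strings copied from this report: the schtasks command line XClient.exe ran in both
# runs, and the two "Adds Run key" indicator rows (win7 run first, win10 run second).
SCHTASKS_CMD = r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"'
RUN_KEY_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"',
]

# Editor's assumptions: which directories count as user-writable, and the trigger
# interval (seconds) at or below which a task reads as a self-healing relaunch loop.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Windows\\Temp|Temp)\\", re.I)
RELAUNCH_THRESHOLD_S = 300
INTERVAL_S = {"minute": 60, "hourly": 3600, "daily": 86400}

def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping "quoted strings" as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]

def parse_schtasks(cmd):
    """Return {option: value} for a schtasks.exe command line, or None if it is not schtasks."""
    toks = tokenize(cmd)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    opts = {"image": toks[0], "action": None}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/create", "/delete", "/run", "/query", "/change", "/end"):
            opts["action"] = t[1:]
            i += 1
        elif t.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[t[1:]] = toks[i + 1]       # /sc minute, /tn "XClient", /tr "<path>" ...
            i += 2
        else:
            opts[t.lstrip("/")] = True      # bare switches such as /f
            i += 1
    return opts

def assess_schtasks(cmd):
    """Findings for a task-creation command: frequency, run level, action path, overwrite."""
    opts = parse_schtasks(cmd)
    findings = []
    if not opts or opts["action"] != "create":
        return opts, findings
    unit = INTERVAL_S.get(str(opts.get("sc", "")).lower())
    if unit is not None:
        every = unit * int(opts.get("mo", 1))
        if every <= RELAUNCH_THRESHOLD_S:
            findings.append(f"high-frequency trigger: runs every {every}s")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        findings.append("/RL HIGHEST: runs with the user's highest available privilege level")
    action = str(opts.get("tr", ""))
    if USER_WRITABLE.search(action):
        findings.append(f"task action lives in a user-writable path: {action}")
    if opts.get("f") is True:
        findings.append("/f: silently replaces any existing task of that name")
    return opts, findings

# "Set value (<type>) <key path ending in ...\CurrentVersion\Run or RunOnce>\<value name> = "<data>""
RUN_RE = re.compile(
    r'^Set value \(\w+\) (\\REGISTRY\\.+?\\CurrentVersion\\Run(?:Once)?)\\([^\\]+?) = "(.*)"$', re.I)

def assess_run_key(event):
    """Parse a 'Set value' indicator on a Run/RunOnce key and flag user-writable targets."""
    m = RUN_RE.match(event)
    if not m:
        return None, []
    # the report doubles the backslashes inside the quoted data; undo that
    key, name, data = m.group(1), m.group(2), m.group(3).replace("\\\\", "\\")
    findings = []
    if USER_WRITABLE.search(data):
        findings.append(f"Run value {name!r} starts a binary from a user-writable path: {data}")
    return {"key": key, "name": name, "data": data}, findings

if __name__ == "__main__":
    for finding in assess_schtasks(SCHTASKS_CMD)[1]:
        print("schtasks:", finding)
    for event in RUN_KEY_EVENTS:
        for finding in assess_run_key(event)[1]:
            print("registry:", finding)
```

Cleanup on an infected host has to remove both artefacts in the same pass: deleting the task while the Run value survives (or the reverse) leaves the next logon or the next minute to restart XClient.exe, which will recreate whatever was removed.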

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 nursultan.fun udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
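The two Network tables (behavioral1 above in the win7 run, and this win10 table) have to be read together. In the win7 run the sample resolves decision-dollar.gl.at.ply.gg and opens six TCP connections to 147.185.221.17:53476; in the win10 run it queries the same name eleven times and never connects, and the only TCP connection (52.111.229.43:443) has no resolved name in the capture and appears in neither signature, so it should be checked before being treated as an indicator of this sample. The Python below is an added example written for this page, not sandbox output, that parses both tables as printed, separates resolver traffic from connections, de-duplicates endpoints and tells the two runs apart. The domain labels are the editor's: *.ply.gg names belong to the playit.gg tunnel service, which means the IP is a shared tunnel exit and the hostname plus port pair is the more specific indicator; nursultan.fun is left unclassified because the report establishes no role for it.

```python
import re
from collections import Counter

# Network tables copied from this report (behavioral1 = win7 run, behavioral2 = win10 run).
BEHAVIORAL1_NETWORK = """
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 147.185.221.17:53476 decision-dollar.gl.at.ply.gg tcp
US 147.185.221.17:53476 decision-dollar.gl.at.ply.gg tcp
US 8.8.8.8:53 nursultan.fun udp
US 104.26.2.238:443 nursultan.fun tcp
US 147.185.221.17:53476 decision-dollar.gl.at.ply.gg tcp
US 147.185.221.17:53476 decision-dollar.gl.at.ply.gg tcp
US 147.185.221.17:53476 decision-dollar.gl.at.ply.gg tcp
US 147.185.221.17:53476 tcp
"""
BEHAVIORAL2_NETWORK = """
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 nursultan.fun udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
US 8.8.8.8:53 decision-dollar.gl.at.ply.gg udp
"""

# "<country> <ip>:<port> [<domain>] <proto>"; the domain column is optional.
ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (?:(\S+) )?(tcp|udp)$")

# Editor's classification of the names seen; *.ply.gg is the playit.gg tunnel service.
KNOWN = [
    (re.compile(r"(^|\.)ply\.gg$", re.I), "playit.gg tunnel endpoint: C2 behind a tunnel broker"),
    (re.compile(r"^ip-api\.com$", re.I), "external IP lookup service"),
]

def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        cc, ip, port, domain, proto = m.groups()
        rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows

def classify(domain):
    for rx, label in KNOWN:
        if rx.search(domain):
            return label
    return "unclassified: role not established by the report"

def summarize(text):
    """Separate resolver traffic from real connections and build a de-duplicated IOC set."""
    rows = parse_rows(text)
    is_dns = lambda r: r["proto"] == "udp" and r["port"] == 53
    queries = Counter(r["domain"] for r in rows if is_dns(r) and r["domain"])
    conns = [r for r in rows if not is_dns(r)]
    connections = Counter((r["ip"], r["port"], r["proto"]) for r in conns)
    # A name seen on any row for an endpoint is attached to the unnamed repeats of it too.
    named = {(r["ip"], r["port"]): r["domain"] for r in conns if r["domain"]}
    iocs = {
        "domains": {d: classify(d) for d in sorted(queries)},
        "endpoints": {f"{ip}:{port}/{proto}": named.get((ip, port))
                      for ip, port, proto in sorted(connections)},
        # the sandbox's resolver, kept for context only; not an indicator of this sample
        "resolvers": sorted({r["ip"] for r in rows if is_dns(r)}),
    }
    tunnel_session = any("tunnel" in classify(d) for d in named.values())
    return {"queries": dict(queries), "connections": dict(connections),
            "iocs": iocs, "c2_session_observed": tunnel_session}

if __name__ == "__main__":
    for run, table in (("win7", BEHAVIORAL1_NETWORK), ("win10", BEHAVIORAL2_NETWORK)):
        s = summarize(table)
        print(run, "C2 session observed:", s["c2_session_observed"])
        for endpoint, domain in s["iocs"]["endpoints"].items():
            print("  ", endpoint, domain or "(no name resolved in capture)")
```

Hunting on the hostname (or on any `*.ply.gg` query from a host that has no business using a game-tunnelling service) is more durable than hunting on 147.185.221.17, because the operator can move the tunnel and the exit IP is shared with unrelated playit.gg users.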

Files

memory/1332-0-0x00007FF980EF3000-0x00007FF980EF5000-memory.dmp

memory/1332-1-0x0000000000F00000-0x000000000217E000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 cf9d63aded654283d5ef66882dd3c22f
SHA1 ff03ff84e5b38458bfac7c9c107925623ad7089f
SHA256 23ad7d74cd613157afa89c87536b67140656e17679228aae15b205e75e276732
SHA512 1b181884047ad4e41a4b3de99aa283ea73c107116636a0c112c09e7895f97ca240d6bbd3c1950fd31f6a8026bab51f74c24df0d058e7597d8836fac2d1e3f3d7

memory/3928-13-0x0000000000E50000-0x0000000000EA4000-memory.dmp

memory/3928-14-0x00007FF980EF0000-0x00007FF9819B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Nursultan (1).exe

MD5 e504e3fc36fe4d6f182c98923979a779
SHA1 3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6
SHA256 70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0
SHA512 63bbbc3ccf14b2846df64b8edae52b6431df52aa9e03569a28ca239ab02db94bf79ca8a0a30529e35a04ee5845768d752b99e6ce3830ab440c57850180ad1647

memory/1776-24-0x00007FF99F110000-0x00007FF99F112000-memory.dmp

memory/3928-25-0x00007FF980EF0000-0x00007FF9819B1000-memory.dmp

memory/1776-26-0x0000000140000000-0x0000000142153000-memory.dmp

memory/3928-30-0x00007FF980EF0000-0x00007FF9819B1000-memory.dmp

memory/3928-31-0x00007FF980EF0000-0x00007FF9819B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1