Malware Analysis Report

2024-09-11 14:07

Sample ID 240615-bzpxpsvara
Target 79a3854fb0bddb26135bc0311f21ed76.bin
SHA256 87f9edf63f5ed75ec7f23f9837062a50b34ae7b60b53f93836c864eedf592055
Tags
xworm execution rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

87f9edf63f5ed75ec7f23f9837062a50b34ae7b60b53f93836c864eedf592055

Threat Level: Known bad

The file 79a3854fb0bddb26135bc0311f21ed76.bin was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Drops startup file

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 01:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 01:35

Reported

2024-06-15 01:37

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1904 set thread context of 3680 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1904 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 3680 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe

"C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe"

C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe

"C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe"

C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe

"C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe"

C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe

"C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 104.250.180.178:7061 tcp
DE 104.250.180.178:7061 tcp
DE 104.250.180.178:7061 tcp
DE 104.250.180.178:7061 tcp
DE 104.250.180.178:7061 tcp

Files

memory/1904-0-0x000000007484E000-0x000000007484F000-memory.dmp

memory/1904-1-0x0000000000590000-0x0000000000612000-memory.dmp

memory/1904-2-0x00000000055B0000-0x0000000005B54000-memory.dmp

memory/1904-3-0x00000000050A0000-0x0000000005132000-memory.dmp

memory/1904-4-0x0000000005020000-0x000000000502A000-memory.dmp

memory/1904-5-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1904-6-0x0000000005480000-0x000000000549A000-memory.dmp

memory/1904-7-0x00000000052E0000-0x00000000052F0000-memory.dmp

memory/1904-8-0x0000000006570000-0x00000000065C6000-memory.dmp

memory/1904-9-0x000000000A230000-0x000000000A2CC000-memory.dmp

memory/3680-10-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3680-12-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1904-13-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1028-14-0x0000000004D30000-0x0000000004D66000-memory.dmp

memory/1028-16-0x0000000005510000-0x0000000005B38000-memory.dmp

memory/1028-15-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1028-17-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1028-18-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1028-19-0x0000000005B70000-0x0000000005B92000-memory.dmp

memory/1028-26-0x0000000005CF0000-0x0000000005D56000-memory.dmp

memory/1028-25-0x0000000005C10000-0x0000000005C76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_la2hmrkd.qin.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1028-31-0x0000000005D60000-0x00000000060B4000-memory.dmp

memory/1028-32-0x00000000062E0000-0x00000000062FE000-memory.dmp

memory/1028-33-0x0000000006330000-0x000000000637C000-memory.dmp

memory/1028-34-0x00000000072B0000-0x00000000072E2000-memory.dmp

memory/1028-35-0x0000000070AB0000-0x0000000070AFC000-memory.dmp

memory/1028-45-0x00000000068C0000-0x00000000068DE000-memory.dmp

memory/1028-46-0x00000000074F0000-0x0000000007593000-memory.dmp

memory/1028-47-0x0000000007C50000-0x00000000082CA000-memory.dmp

memory/1028-48-0x0000000007610000-0x000000000762A000-memory.dmp

memory/1028-49-0x0000000007680000-0x000000000768A000-memory.dmp

memory/1028-50-0x0000000007890000-0x0000000007926000-memory.dmp

memory/1028-51-0x0000000007810000-0x0000000007821000-memory.dmp

memory/1028-52-0x0000000007840000-0x000000000784E000-memory.dmp

memory/1028-53-0x0000000007850000-0x0000000007864000-memory.dmp

memory/1028-54-0x0000000007950000-0x000000000796A000-memory.dmp

memory/1028-55-0x0000000007930000-0x0000000007938000-memory.dmp

memory/1028-58-0x0000000074840000-0x0000000074FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 059a5fac84e1df9173c2ec9760257eb2
SHA1 f7f0ed9b8c85f7990b0631d736a2e7f5ce032f46
SHA256 594d769114b8184fed110e04489d11b95468ccdfbe49227019f6e64019aefaff
SHA512 31a4d61fc8b1705058d645e0611533d5993f9bce81affa419bf3a5c1b739b765a6678627a570f2cff811688ae98a505164649403ea2b7af4bb2e3e5802c23a9b

memory/1116-70-0x0000000070AB0000-0x0000000070AFC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2f546be52ba500cb775a6bff0f013ff5
SHA1 43f9675ab6a66594fc39132f05802da74c99f601
SHA256 230f0cbb7e39c48ed2229eb741159131c1da6a588afa3864510267decc9c748a
SHA512 2a8d347a0858a1e16f77db12c1f4ebcfd8d0d6d5ff043f1265929ac56cc3ef4dd58973704ec671718eb9657362bcdf6a6d1bb52604a934584546d5a78e549f8c

memory/2812-91-0x0000000070AB0000-0x0000000070AFC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e9a11684d84ac7d94ec346c058cbf046
SHA1 fb8c3340f2d9e96909b5d48ed559eaef8bb719c5
SHA256 7658e4eca97354ea15f03c054d124a818acfa47a4b32500674ec1637255a5377
SHA512 36415497516fc06e09cd51c220a9e0c7ddbc7dfb585196e3576735c589df83cde8e902d22bbb2c0a313af88bb6ae347df69b08eca5360387496b712934de9ed6

memory/2276-112-0x0000000005E60000-0x0000000005EAC000-memory.dmp

memory/2276-113-0x0000000070AA0000-0x0000000070AEC000-memory.dmp

memory/3680-128-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/3680-129-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/3680-130-0x0000000074840000-0x0000000074FF0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 01:35

Reported

2024-06-15 01:37

Platform

win7-20240221-en

Max time kernel

148s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2512 set thread context of 1504 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 2512 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 2512 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 2512 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 2512 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 2512 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 2512 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 2512 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 2512 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 2512 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 2512 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 2512 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 2512 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
PID 1504 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe

"C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe"

C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe

"C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe"

C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe

"C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

Network

Country Destination Domain Proto
DE 104.250.180.178:7061 tcp

Files

memory/2512-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

memory/2512-1-0x0000000000F40000-0x0000000000FC2000-memory.dmp

memory/2512-2-0x0000000074B40000-0x000000007522E000-memory.dmp

memory/2512-3-0x0000000000910000-0x000000000092A000-memory.dmp

memory/2512-4-0x00000000004D0000-0x00000000004E0000-memory.dmp

memory/2512-5-0x00000000044B0000-0x0000000004506000-memory.dmp

memory/1504-6-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1504-16-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1504-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1504-12-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1504-10-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1504-8-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1504-18-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1504-20-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1504-21-0x0000000074B40000-0x000000007522E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 84f7e51fa84161e02f1fba5be082b0a3
SHA1 cfe716924f065753596b86a105d8967a30c50a0b
SHA256 130c3a9b3fa934e8005c82817f39bcae620abc4d3ef3e930c8857a5c7d7e4e71
SHA512 e2c7b3ae54b8d0494d1eb87e599c51ede524f0e62d4b445d0047dc4469efd81d67aca44fb832d1c4f2313ad5e0f3575e27c0b67a532e8b84a57e29d3791b5b21

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Roaming\XClient.exe

MD5 79a3854fb0bddb26135bc0311f21ed76
SHA1 8c352e1807c00bd32c7cde3e0ece9bf33b6db927
SHA256 bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76
SHA512 2386b686b351f793d86db09e4a9a9bf39ffd0c7ec74ecc7e36ad78beeb092c97d0213dc628332df73856527768d95f507bc19e4b195bd06eec5305ac06f8d896

memory/1504-45-0x0000000074B40000-0x000000007522E000-memory.dmp

memory/2512-46-0x0000000074B40000-0x000000007522E000-memory.dmp

memory/1504-47-0x0000000074B40000-0x000000007522E000-memory.dmp

memory/1504-48-0x0000000074B40000-0x000000007522E000-memory.dmp