Malware Analysis Report

2024-09-11 13:54

Sample ID 240615-ev5ddayeme
Target SMB.exe
SHA256 552592d99b784facfde5350402c69c5158c239bd147acbd75b43b5e9f40dcdfc
Tags
xworm execution rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

552592d99b784facfde5350402c69c5158c239bd147acbd75b43b5e9f40dcdfc

Threat Level: Known bad

The file SMB.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Detect Xworm Payload

Xworm family

Xworm

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 04:16

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 04:16

Reported

2024-06-15 04:19

Platform

win11-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SMB.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\rundll64.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\rundll64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\rundll64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\SMB.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\SMB.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\SMB.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\SMB.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\SMB.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\SMB.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\SMB.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\SMB.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\SMB.exe C:\Windows\System32\schtasks.exe
PID 2244 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\SMB.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SMB.exe

"C:\Users\Admin\AppData\Local\Temp\SMB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SMB.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SMB.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\rundll64.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rundll64.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rundll64" /tr "C:\Users\Admin\AppData\Local\rundll64.exe"

C:\Users\Admin\AppData\Local\rundll64.exe

C:\Users\Admin\AppData\Local\rundll64.exe

C:\Users\Admin\AppData\Local\rundll64.exe

C:\Users\Admin\AppData\Local\rundll64.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp

Files

memory/2244-0-0x00007FFAC46D3000-0x00007FFAC46D5000-memory.dmp

memory/2244-1-0x0000000000410000-0x0000000000422000-memory.dmp

memory/2244-2-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/3340-3-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/3340-4-0x00000224E48A0000-0x00000224E48C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vppkwju1.h4w.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3340-13-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/2244-16-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/3340-17-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e8eb51096d6f6781456fef7df731d97
SHA1 ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1b97141c46911b9a87daafdbe0ee275b
SHA1 538f0853fdf5ea6ad37b98154d9ffc5a95f35574
SHA256 24102236f494233a28e48151a96cf8a34630f68904451f532aa44d4232c29d68
SHA512 a1d2d51b47d5ea51e3db17d697dbe9ad768d32ebea1127efaed5c533e5c4a111b4f5b9f3519de7e195e236e16a88f6d7f23acc4ac7e7d5a8d643fcf4b55834b9

C:\Users\Admin\AppData\Local\rundll64.exe

MD5 f10ea365fc4809c4ebad7e2d2decbc2c
SHA1 898aad62ced8330304665477b71a5167b7e6e4d9
SHA256 552592d99b784facfde5350402c69c5158c239bd147acbd75b43b5e9f40dcdfc
SHA512 0e3dd29ab398e4c3d409e156dde14a48d028994c02b71a86a3ac3db29b5af8f3a9b4eaf332c48329462292a883399f56679b12c9df495768c71121be407f5c52

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll64.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9