Malware Analysis Report

2024-09-11 13:52

Sample ID: 240615-gcclratflj
Target: Xkezr.exe
SHA256: 3a16591b64920fda9ac2651df05629cc2b18c02cd52150a90bcc760126f879fd
Tags: xworm, execution, persistence, rat, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 3a16591b64920fda9ac2651df05629cc2b18c02cd52150a90bcc760126f879fd

Threat level: Known bad

The file Xkezr.exe was found to be: Known bad.

Malicious Activity Summary

Tags: xworm, execution, persistence, rat, trojan

Triggered signatures:

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-15 05:39

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 05:39
Reported: 2024-06-15 05:40
Platform: win11-20240611-en
Max time kernel: 60s
Max time network: 55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Xkezr.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

Tags: trojan, rat, xworm

Command and Scripting Interpreter: PowerShell

Tactic: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

Tactic: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ilvrcqkyi = "C:\\Users\\Admin\\AppData\\Roaming\\Ilvrcqkyi.exe" | C:\Users\Admin\AppData\Local\Temp\Xkezr.exe | N/A

Note: the key is the per-user Run key (HKU\<SID>, i.e. HKCU for the sandbox user), and the value data points to a renamed copy under AppData\Roaming rather than to the original drop path in Temp, so a cleanup that only deletes Xkezr.exe leaves the autostart in place. The doubled backslashes in the value data are the sandbox's escaping of the REG_SZ string.

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 764 set thread context of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\Xkezr.exe | C:\Users\Admin\AppData\Local\Temp\Xkezr.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xkezr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xkezr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xkezr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xkezr.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xkezr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Count | Indicator | Process | Target
PID 764 wrote to memory of 860 | 8 | N/A | C:\Users\Admin\AppData\Local\Temp\Xkezr.exe | C:\Users\Admin\AppData\Local\Temp\Xkezr.exe
PID 860 wrote to memory of 3432 | 3 | N/A | C:\Users\Admin\AppData\Local\Temp\Xkezr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1312 | 3 | N/A | C:\Users\Admin\AppData\Local\Temp\Xkezr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

(The original report lists one row per call; the Count column gives the number of identical rows.)
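The SetThreadContext and WriteProcessMemory tables together record the sequence a hollowing/RunPE loader produces: repeated writes from PID 764 into a second copy of its own image (PID 860) followed by a thread-context change, whereas the writes from 860 into its two PowerShell children have no context change and look like ordinary child creation. The Python below is an added example, not code from the sandbox report or from the sample: it correlates such events into a per-process-pair verdict and walks the resulting chain. The ApiEvent record layout, the severity labels and the explanation wording are this example's assumptions; the PIDs, counts and image paths are the ones in the tables above.

```python
"""Correlate cross-process API events into an injection verdict.

Added example, not part of the sandbox report or of the sample: the events
below are constructed from the report's SetThreadContext and
WriteProcessMemory tables (same PIDs and image paths); the record format and
the severity labels are this example's own.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    api: str        # API name as the sandbox reports it
    src_pid: int    # caller
    src_image: str
    dst_pid: int    # process whose memory or thread was touched
    dst_image: str


XKEZR = r"C:\Users\Admin\AppData\Local\Temp\Xkezr.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the report: 8 writes and 1 context change 764 -> 860,
# then 3 writes from 860 into each PowerShell child.
SAMPLE_EVENTS = (
    [ApiEvent("WriteProcessMemory", 764, XKEZR, 860, XKEZR)] * 8
    + [ApiEvent("SetThreadContext", 764, XKEZR, 860, XKEZR)]
    + [ApiEvent("WriteProcessMemory", 860, XKEZR, 3432, POWERSHELL)] * 3
    + [ApiEvent("WriteProcessMemory", 860, XKEZR, 1312, POWERSHELL)] * 3
)


def correlate(events):
    """Return {(src_pid, dst_pid): (severity, explanation)} for each process pair."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "same_image": False})
    for e in events:
        p = pairs[(e.src_pid, e.dst_pid)]
        p["same_image"] = e.src_image.lower() == e.dst_image.lower()
        if e.api == "WriteProcessMemory":
            p["writes"] += 1
        elif e.api == "SetThreadContext":
            p["ctx"] += 1

    verdicts = {}
    for key, p in pairs.items():
        if p["ctx"] and p["writes"]:
            # Payload written into the target, then its thread redirected:
            # the hollowing / RunPE sequence. Writing into a second copy of
            # the caller's own image is the self-injection variant.
            what = ("self-injection into a copy of own image" if p["same_image"]
                    else "injection into another process")
            verdicts[key] = ("high", f"{what}: {p['writes']} writes then SetThreadContext")
        elif p["writes"]:
            # A parent normally writes a few times into a child it just created
            # (startup parameters), so writes alone are weak evidence.
            verdicts[key] = ("low", f"{p['writes']} writes, no thread-context change")
        else:
            verdicts[key] = ("medium", "SetThreadContext without a preceding write")
    return verdicts


def injection_chain(events):
    """Follow high-severity pairs from the lowest source PID to list the hollowed lineage."""
    high = [pair for pair, (sev, _) in correlate(events).items() if sev == "high"]
    if not high:
        return []
    chain, cur = [], min(src for src, _ in high)
    while cur is not None and cur not in chain:   # cycle guard
        chain.append(cur)
        nxt = [dst for src, dst in high if src == cur]
        cur = nxt[0] if nxt else None
    return chain


if __name__ == "__main__":
    for pair, (sev, why) in correlate(SAMPLE_EVENTS).items():
        print(pair, sev, why)
    print("hollowing chain:", injection_chain(SAMPLE_EVENTS))
```

Run against the constructed events, the 764 to 860 pair is rated high as self-injection and both 860 to PowerShell pairs low, which is the split an analyst wants: the second Xkezr.exe copy is the hollowed process to dump, the PowerShell children are ordinary spawns whose command lines carry the evidence.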

Processes

C:\Users\Admin\AppData\Local\Temp\Xkezr.exe
  "C:\Users\Admin\AppData\Local\Temp\Xkezr.exe"

C:\Users\Admin\AppData\Local\Temp\Xkezr.exe
  "C:\Users\Admin\AppData\Local\Temp\Xkezr.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xkezr.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xkezr.exe'

Notes: the two Xkezr.exe entries are the original process (PID 764) and the second copy it wrote into and redirected with SetThreadContext (PID 860); PID 860 is the process that wrote into both PowerShell children (PIDs 3432 and 1312). Each PowerShell command line names the System32 path, but the process that actually ran is the SysWOW64 one: the sample is a 32-bit .NET executable (its CLR usage log is under CLR_v4.0_32 and all of its mapped ranges lie below 4 GB), so WoW64 file-system redirection resolves System32 to SysWOW64 for it. Detection logic that matches only the System32 path in the image field misses this variant. The two commands exclude the sample from Defender scanning first by full path and then by process name; execution policy only governs script files, so -ExecutionPolicy Bypass does nothing for an inline cmdlet here and is mainly a useful detection signal.
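Both PowerShell children add a Defender exclusion for the sample (first by path, then by process name) with the execution policy bypassed, and the parent runs from the user's Temp directory. The Python below is an added example rather than code from the report: it scores process-creation records for this pattern, including the self-exclusion check (the excluded target is the parent's own image) and the WoW64 path variant where the image field and the command line disagree. The ProcEvent/Finding layout, the point values, the 7-point threshold and the two contrast records (explorer.exe running Get-MpPreference, cmd.exe excluding C:\Program Files\Backup) are constructed for the example; the two report records reuse the report's paths and command lines.

```python
"""Flag Defender exclusion tampering in process-creation records.

Added example, not from the report or the sample: the first two records are
built from the report's process list, the last two are constructed contrast
cases; the record layout, scores and threshold are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # path actually executed (after WoW64 redirection)
    parent_image: str
    command_line: str


@dataclass
class Finding:
    pid: int
    kind: str           # path / process / extension
    target: str         # what got excluded
    score: int
    severity: str
    reasons: list


PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XKEZR = r"C:\Users\Admin\AppData\Local\Temp\Xkezr.exe"

SAMPLE_EVENTS = [
    # From the report: image is SysWOW64, command line names System32.
    ProcEvent(3432, PS32, XKEZR,
              f"\"{PS64}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{XKEZR}'"),
    ProcEvent(1312, PS32, XKEZR,
              f"\"{PS64}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xkezr.exe'"),
    # Constructed contrast cases (not in the report).
    ProcEvent(5000, PS64, r"C:\Windows\explorer.exe", "powershell.exe Get-MpPreference"),
    ProcEvent(5001, PS64, r"C:\Windows\System32\cmd.exe",
              "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Program Files\\Backup'\""),
]

# Add-MpPreference / Set-MpPreference followed by an -Exclusion* parameter and its
# (quoted or bare) argument.
EXCLUSION_RE = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"(?:'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\"|(?P<bare>\S+))"
)
# PowerShell accepts unambiguous parameter prefixes, so -ep / -ex also mean -ExecutionPolicy.
BYPASS_RE = re.compile(r"(?i)-(?:ExecutionPolicy|exec|ex|ep)\s+Bypass")
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:AppData|Temp|Users\\Public|ProgramData)\\")


def score_event(ev):
    """Return a Finding if the record changes a Defender exclusion, else None."""
    m = EXCLUSION_RE.search(ev.command_line)
    if not m:
        return None
    kind = m.group("kind").lower()
    target = m.group("sq") or m.group("dq") or m.group("bare")
    score, reasons = 5, ["Defender exclusion changed with Add/Set-MpPreference"]
    if BYPASS_RE.search(ev.command_line):
        score += 2
        reasons.append("execution policy bypassed")
    if USER_WRITABLE_RE.search(ev.parent_image):
        score += 2
        reasons.append("parent runs from a user-writable directory")
    parent_name = ev.parent_image.rsplit("\\", 1)[-1].lower()
    self_excl = ((kind == "path" and target.lower() == ev.parent_image.lower())
                 or (kind == "process" and target.lower() == parent_name))
    if self_excl:
        score += 3
        reasons.append("parent excludes its own executable")
    return Finding(ev.pid, kind, target, score, "high" if score >= 7 else "medium", reasons)


def scan(events):
    """Findings for every record that touches Defender exclusions, in input order."""
    return [f for f in map(score_event, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.pid, f.severity, f.score, f.kind, f.target, "; ".join(f.reasons))
```

Matching is done on the command line, not the image path, so the SysWOW64/System32 discrepancy does not matter; the admin's Get-MpPreference produces nothing, and the cmd.exe case is reported at medium so that legitimate exclusion changes still surface for review without being mistaken for the self-excluding loader.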

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 104.20.4.235:443 | pastebin.com | tcp
US | 64.188.16.134:7861 | (none) | tcp

Notes: 1.112.95.208.in-addr.arpa is the reverse (PTR) lookup for 208.95.112.1, the ip-api.com address in the row above it. The last row is the only connection to a bare IP with no domain recorded, on a non-standard port; it is the endpoint to treat as the candidate C2 and the one worth blocking, whereas ip-api.com and pastebin.com are public services to monitor rather than block outright.
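To reuse the persistence and network rows as indicators, the Python below (an added example, not part of the report) parses them into classified IOCs: the Run-key row is split into hive, SID, key, value name and target path, each network row is classified as resolver traffic, a reverse lookup, a public service the report flags, or a bare-IP candidate C2, and only the bare endpoint is emitted for a blocklist. The rows are copied from the tables above; the category names and classification rules are this example's own, and which process issued the PTR query is not stated on the page.

```python
"""Turn the report's Run-key and Network rows into classified IOCs.

Added example, not part of the report: the rows are copied from the report's
"Adds Run key" and Network tables; the category names and rules are this
example's own.
"""
import re

NETWORK_ROWS = """\
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 104.20.4.235:443 pastebin.com tcp
US 64.188.16.134:7861 tcp
"""

RUN_KEY_ROW = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\Ilvrcqkyi = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Ilvrcqkyi.exe"'
)

# Public services the sample contacts; the value is the role the report assigns them.
PUBLIC_SERVICES = {
    "ip-api.com": "external-ip-lookup",
    "pastebin.com": "legit-hosting-abused",
}
NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)
REG_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')


def classify_network(rows):
    """One dict per row with a category and, for PTR queries, the address looked up."""
    out = []
    for line in rows.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        ip, port, proto, domain = m["ip"], int(m["port"]), m["proto"], m["domain"]
        entry = {"ip": ip, "port": port, "proto": proto, "domain": domain,
                 "category": "unclassified", "note": ""}
        if domain and domain.endswith(".in-addr.arpa"):
            octets = domain[: -len(".in-addr.arpa")].split(".")
            entry["category"] = "reverse-dns-lookup"
            entry["reverse_of"] = ".".join(reversed(octets))
        elif port == 53 and proto == "udp":
            entry["category"] = "dns-resolver"
            entry["note"] = f"query for {domain}"
        elif domain in PUBLIC_SERVICES:
            entry["category"] = PUBLIC_SERVICES[domain]
        elif domain is None and port not in (80, 443):
            entry["category"] = "candidate-c2"
            entry["note"] = "bare IP, non-standard port, no domain in the capture"
        out.append(entry)
    return out


def blocklist(net_entries):
    """Endpoints worth blocking outright: bare candidate C2 only, not public services."""
    return sorted(f"{e['ip']}:{e['port']}" for e in net_entries if e["category"] == "candidate-c2")


def parse_run_key(row):
    """Split a 'Set value' row into hive, SID, key, value name and (unescaped) data."""
    m = REG_RE.match(row)
    if not m:
        raise ValueError("not a Set value row")
    key = m["key"]
    upper = key.upper()
    if upper.startswith("\\REGISTRY\\USER\\"):
        hive = "HKU"
    elif upper.startswith("\\REGISTRY\\MACHINE\\"):
        hive = "HKLM"
    else:
        hive = "?"
    rel = key.split("\\", 3)[-1]                    # strip \REGISTRY\<root>\
    data = m["data"].replace("\\\\", "\\")          # the report doubles backslashes
    return {
        "hive": hive,
        "sid": rel.split("\\", 1)[0] if hive == "HKU" else None,
        "key": rel,
        "value_name": m["name"],
        "data": data,
        "autostart": upper.endswith("\\CURRENTVERSION\\RUN"),
        "user_writable": bool(re.search(r"(?i)\\(?:AppData|Temp|ProgramData)\\", data)),
    }


if __name__ == "__main__":
    for e in classify_network(NETWORK_ROWS):
        print(e)
    print("blocklist:", blocklist(classify_network(NETWORK_ROWS)))
    print(parse_run_key(RUN_KEY_ROW))
```

The parser keeps the SID with the key so the persistence entry can be checked under the right user hive on a live host, and the Roaming path it yields is the second file to collect, since the sandbox never observed it being written during the 60-second run.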

Files

memory/764-0-0x000000007501E000-0x000000007501F000-memory.dmp

memory/764-1-0x0000000000080000-0x00000000004F0000-memory.dmp

memory/764-2-0x00000000061E0000-0x0000000006400000-memory.dmp

memory/764-3-0x00000000069B0000-0x0000000006F56000-memory.dmp

memory/764-4-0x00000000064A0000-0x0000000006532000-memory.dmp

memory/764-5-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-20-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-48-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-60-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-68-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-66-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-64-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-63-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-58-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-56-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-54-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-52-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-50-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-46-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-42-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-44-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-36-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-34-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-32-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-30-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-26-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-22-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-18-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-16-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-14-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-12-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-10-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-8-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-6-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-40-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-38-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-28-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-24-0x00000000061E0000-0x00000000063FB000-memory.dmp

memory/764-4891-0x0000000075010000-0x00000000757C1000-memory.dmp

memory/764-4892-0x00000000065D0000-0x000000000662C000-memory.dmp

memory/764-4893-0x0000000006630000-0x000000000667C000-memory.dmp

memory/764-4894-0x0000000075010000-0x00000000757C1000-memory.dmp

memory/764-4895-0x00000000066E0000-0x0000000006734000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xkezr.exe.log

MD5: 9d0cacca373731660e8268a162d9d4ff
SHA1: a82111d00132cdf7ef46af5681601d55c6a0e17c
SHA256: 95932f81206717ff86f0974ee37dc40d5d914f730f00a08344b4c1765d663394
SHA512: 8c971ab501fc322b13f53b03325b2295e1eedb12b6d50a4225e6e3b4bf5128665b1a3d8b560a8b04f14bfa6f5cba41058e4f546139101fc303f3b8393f5ca485

Note: the .NET runtime writes this usage log for a managed executable it loads, and the CLR_v4.0_32 directory means it ran under the 32-bit CLR, which identifies Xkezr.exe as a 32-bit .NET assembly.

memory/764-4900-0x0000000075010000-0x00000000757C1000-memory.dmp

memory/860-4902-0x0000000000400000-0x0000000000412000-memory.dmp

memory/860-4901-0x0000000075010000-0x00000000757C1000-memory.dmp

memory/860-4903-0x0000000005C80000-0x0000000005D1C000-memory.dmp

memory/860-4904-0x0000000005D20000-0x0000000005D86000-memory.dmp

memory/860-4905-0x0000000075010000-0x00000000757C1000-memory.dmp

memory/3432-4906-0x0000000003070000-0x00000000030A6000-memory.dmp

memory/3432-4908-0x0000000005A90000-0x00000000060BA000-memory.dmp

memory/3432-4907-0x0000000075010000-0x00000000757C1000-memory.dmp

memory/3432-4910-0x0000000006290000-0x00000000062F6000-memory.dmp

memory/3432-4909-0x00000000061F0000-0x0000000006212000-memory.dmp

memory/3432-4916-0x0000000075010000-0x00000000757C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n2al2lox.ohd.ps1

MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Note: powershell.exe itself writes a __PSScriptPolicyTest_<random>.ps1 file to Temp at startup to test whether AppLocker/WDAC script enforcement applies to it; this is a side effect of launching PowerShell, not a payload dropped by the sample.

memory/3432-4920-0x0000000006370000-0x00000000066C7000-memory.dmp

memory/3432-4921-0x0000000006860000-0x000000000687E000-memory.dmp

memory/3432-4922-0x00000000068A0000-0x00000000068EC000-memory.dmp

memory/3432-4923-0x0000000007A20000-0x0000000007A54000-memory.dmp

memory/3432-4924-0x00000000700E0000-0x000000007012C000-memory.dmp

memory/3432-4933-0x0000000007A80000-0x0000000007A9E000-memory.dmp

memory/3432-4934-0x0000000007AA0000-0x0000000007B44000-memory.dmp

memory/3432-4935-0x0000000008200000-0x000000000887A000-memory.dmp

memory/3432-4936-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

memory/3432-4937-0x0000000007C30000-0x0000000007C3A000-memory.dmp

memory/3432-4938-0x0000000007E60000-0x0000000007EF6000-memory.dmp

memory/3432-4939-0x0000000007DD0000-0x0000000007DE1000-memory.dmp

memory/3432-4940-0x0000000007E00000-0x0000000007E0E000-memory.dmp

memory/3432-4941-0x0000000007E10000-0x0000000007E25000-memory.dmp

memory/3432-4942-0x0000000007F20000-0x0000000007F3A000-memory.dmp

memory/3432-4943-0x0000000007F00000-0x0000000007F08000-memory.dmp

memory/3432-4946-0x0000000075010000-0x00000000757C1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5: d0c46cad6c0778401e21910bd6b56b70
SHA1: 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256: 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512: 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5: 099cf247a27e0c512c29225080270dc1
SHA1: ba96dd3c81e3c6293f04420ed355c5463844e464
SHA256: 5a6acc6cda30fb0a1a5fbc30f6b6067452eaa579c50d053841bfa8cc8ec17f0b
SHA512: b140136d9d6cf7c7e01ec10edada82f5914a45513a42775617fa9a2bd2e7a3a7c73337b6d44337636239575962f685a8346ef3dd09dfc09cf6037be59297d944

Note: the powershell.exe CLR usage log and the StartupProfileData-NonInteractive cache are likewise ordinary powershell.exe startup artifacts; the 32-bit CLR directory again reflects the WoW64 PowerShell that the 32-bit parent launched.

memory/1312-4957-0x00000000700E0000-0x000000007012C000-memory.dmp

memory/860-4967-0x00000000076C0000-0x00000000076CA000-memory.dmp

memory/860-4968-0x0000000075010000-0x00000000757C1000-memory.dmp

memory/860-4969-0x0000000075010000-0x00000000757C1000-memory.dmp