Malware Analysis Report

2024-11-16 13:28

Sample ID 240620-zcl5asweqf
Target Feather Nowy.exe
SHA256 66116a575982dc2aafaa6dda428fd3b3f273b9a9b1d7e0ed789983a1c16d4c47
Tags xworm execution persistence rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 66116a575982dc2aafaa6dda428fd3b3f273b9a9b1d7e0ed789983a1c16d4c47

Threat Level: Known bad

The file Feather Nowy.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-20 20:34

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-20 20:34
Reported 2024-06-20 20:36
Platform win10v2004-20240508-en
Max time kernel 91s
Max time network 92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nowy Feather.lnk | C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nowy Feather.lnk | C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nowy Feather.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nowy Feather.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nowy Feather = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nowy Feather.exe" | C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nowy Feather.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nowy Feather.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Feather Nowy.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nowy Feather.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nowy Feather.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Nowy Feather" /tr "C:\Users\Admin\AppData\Local\Temp\Nowy Feather.exe"

C:\Users\Admin\AppData\Local\Temp\Nowy Feather.exe

"C:\Users\Admin\AppData\Local\Temp\Nowy Feather.exe"

C:\Users\Admin\AppData\Local\Temp\Nowy Feather.exe

"C:\Users\Admin\AppData\Local\Temp\Nowy Feather.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | lake-french.gl.at.ply.gg | udp
US | 147.185.221.20:33694 | lake-french.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp
N/A | 127.0.0.1:33694 |  | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
N/A | 127.0.0.1:33694 |  | tcp
N/A | 127.0.0.1:33694 |  | tcp
US | 147.185.221.20:33694 | lake-french.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
N/A | 127.0.0.1:33694 |  | tcp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
N/A | 127.0.0.1:33694 |  | tcp
US | 147.185.221.20:33694 | lake-french.gl.at.ply.gg | tcp
US | 147.185.221.20:33694 | lake-french.gl.at.ply.gg | tcp
N/A | 127.0.0.1:33694 |  | tcp

Files

memory/3968-0-0x00007FFCC2FB3000-0x00007FFCC2FB5000-memory.dmp

memory/3968-1-0x0000000000C40000-0x0000000000C72000-memory.dmp

memory/3968-2-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

memory/4832-3-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

memory/4832-4-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

memory/4832-10-0x0000013B29E00000-0x0000013B29E22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w12jwqyg.nka.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4832-17-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 35967cf5ed9a95ec4fe527dd96567a02
SHA1 6a7439c241a30ec540d5d204e02a4cbb2a464737
SHA256 4394552922777081d43fb523126cf176d5a676602a5435713320942034f6b3cf
SHA512 419b3c336a67ef964bc166d1267cea146ed5878f98304d6e39fb9a3c0394d75693810a9ddc101cdda5e3196ad7d603df01a3260705cf9ef7cf8d4b252df01f45

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 20ccd8eee8fb63b0f660c38299f815d4
SHA1 5882e3b12448a5cd6ab57008c1be852ac84cade1
SHA256 cad714968818e2c4fec544ad7aa0faf5da04809f8efd1a8699d2861d0c0809e3
SHA512 28b87bd117a752ce699bd00c651c095dcfdb2a6cf71687177862c9062c3f73243ac32ac1b709804f940eef8c1f3e233593c73c4831449742c931d8c845c9fd8f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b3c3db201c6e1fc54f0e17762fe03246
SHA1 249bfcef33cdd2d6c13a7cc7c9c1d73905fb51d6
SHA256 6771a83a83da5d6ce23e9cfa5567eb70084dffd51a7c07130ba3379cff78a59f
SHA512 2945c6f4e05b86e161b9753fca74cc9daf76e8ef535cdff0e9d83cca706eabd6e1ca3aba55005b2d16c2023f6604ee6886837336a63f421fa25f73120cfc00a1

memory/3968-56-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Nowy Feather.exe

MD5 cc40307c984c4da5778486f9f8e490d0
SHA1 e0d09dd90cd8e6f2ac21bd91e7003c9bc0a15355
SHA256 66116a575982dc2aafaa6dda428fd3b3f273b9a9b1d7e0ed789983a1c16d4c47
SHA512 ec50078cb9d4cbbf29242a567b1b39e679676cead105e3babb73d20f3d09acf0a83f10e2ba73208dada2e34dea13f16df7ff1c919cee40fe9c1fc3b3cb4d81e4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nowy Feather.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1