Malware Analysis Report

2024-11-16 13:28

Sample ID 240620-zlmr7awhre
Target XClient.exe
SHA256 83143ddff14dbef9e359c8c0d9fd1154af35af459e0bd4c130bf730d8ff8595c
Tags
xworm persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

83143ddff14dbef9e359c8c0d9fd1154af35af459e0bd4c130bf730d8ff8595c

Threat Level: Known bad

The file XClient.exe was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Detect Xworm Payload

Xworm family

Xworm

Executes dropped EXE

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 20:48

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 20:48

Reported

2024-06-20 20:53

Platform

win11-20240508-en

Max time kernel

266s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker.exe" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4908 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\System32\schtasks.exe
PID 4908 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | outside-springs.gl.at.ply.gg | udp

Files

memory/4908-0-0x00007FFCAB3B3000-0x00007FFCAB3B5000-memory.dmp

memory/4908-1-0x0000000000530000-0x0000000000540000-memory.dmp

memory/4908-2-0x00007FFCAB3B0000-0x00007FFCABE72000-memory.dmp

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

MD5 4defb547b876f1f5b3ead82cc198d14c
SHA1 35cfaaa592fd825f329bfdb19d9a34923624420f
SHA256 83143ddff14dbef9e359c8c0d9fd1154af35af459e0bd4c130bf730d8ff8595c
SHA512 7bc6437ab51f8f14939cd5449d44e6ba12c6dca25b9613c18f26015534393495f621cbe1f9b92cef5973b36047d31948ef17ac30204578679f0645ad54d2a488

memory/3076-9-0x00007FFCAB3B0000-0x00007FFCABE72000-memory.dmp

memory/4908-10-0x00007FFCAB3B0000-0x00007FFCABE72000-memory.dmp

memory/3076-12-0x00007FFCAB3B0000-0x00007FFCABE72000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9