Malware Analysis Report

2024-11-16 13:30

Sample ID: 240621-edqhws1gmk
Target: ffe9b9de145969a32320dbbfa6dd5fe6.bin
SHA256: d4bbab55c9a16739abf7b2b722788c3386a5a6fdc2cc017d8a86629b92c55210
Tags: xworm rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: d4bbab55c9a16739abf7b2b722788c3386a5a6fdc2cc017d8a86629b92c55210

Threat Level: Known bad

The file ffe9b9de145969a32320dbbfa6dd5fe6.bin was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Xworm

Detect Xworm Payload

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-21 03:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-21 03:49
Reported: 2024-06-21 03:52
Platform: win7-20240611-en
Max time kernel: 147s
Max time network: 154s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6513f2777a217402f9fa6196dacc31c948dfdde0680ccba57879b1c8d2cd11f8.vbe"

Signatures

Detect Xworm Payload

Description Indicator Process Target Count
N/A N/A N/A N/A 5

Xworm

trojan rat xworm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\x.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2988 set thread context of 2816 N/A C:\Users\Admin\AppData\Local\Temp\x.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\x.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2764 wrote to memory of 2988 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\x.exe 4
PID 2988 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\x.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe 4
PID 2988 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\x.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe 9

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6513f2777a217402f9fa6196dacc31c948dfdde0680ccba57879b1c8d2cd11f8.vbe"

C:\Users\Admin\AppData\Local\Temp\x.exe

"C:\Users\Admin\AppData\Local\Temp\x.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

Network

Country Destination Domain Proto Count
DE 193.161.193.99:22849 - tcp 17

Files

C:\Users\Admin\AppData\Local\Temp\x.exe

MD5 457eb489d5963eaeaae9c822dccaa34e
SHA1 c29da6a29955ea363d2084cf374ad35e225dea28
SHA256 8af889d616db6a411b4cbb7729acd8d2e64b96841e44e9dd9760302f5c1e878f
SHA512 f5dc88d6a8efd33fc280945a39f64055de251b902396ea2ee3b92c26695666147c1cd4136af68fe7bdc20300cd2d17ceea535617f9f398774d76fa9ab7ad957d

memory/2988-6-0x000000007498E000-0x000000007498F000-memory.dmp
memory/2988-7-0x0000000000FB0000-0x0000000000FEA000-memory.dmp
memory/2816-9-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2816-11-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2816-10-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2816-17-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2816-15-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2816-13-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2816-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2816-8-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2816-18-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2816-19-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2816-20-0x0000000074980000-0x000000007506E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-21 03:49
Reported: 2024-06-21 03:52
Platform: win10v2004-20240226-en
Max time kernel: 145s
Max time network: 154s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6513f2777a217402f9fa6196dacc31c948dfdde0680ccba57879b1c8d2cd11f8.vbe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\x.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2588 set thread context of 1712 N/A C:\Users\Admin\AppData\Local\Temp\x.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\x.exe N/A 2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1596 wrote to memory of 2588 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\x.exe 3
PID 2588 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\x.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe 3
PID 2588 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\x.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe 8

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6513f2777a217402f9fa6196dacc31c948dfdde0680ccba57879b1c8d2cd11f8.vbe"

C:\Users\Admin\AppData\Local\Temp\x.exe

"C:\Users\Admin\AppData\Local\Temp\x.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Rows are listed in report order; consecutive identical connections are collapsed into one row with a count.

Country Destination Domain Proto Count
US 20.231.121.79:80 - tcp 1
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp 1
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp 1
DE 193.161.193.99:22849 - tcp 1
US 8.8.8.8:53 - udp 1
US 13.107.246.64:443 - tcp 1
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 1
DE 193.161.193.99:22849 - tcp 4
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp 1
DE 193.161.193.99:22849 - tcp 2
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp 1
DE 193.161.193.99:22849 - tcp 7
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp 1
DE 193.161.193.99:22849 - tcp 1

Files

C:\Users\Admin\AppData\Local\Temp\x.exe

MD5 457eb489d5963eaeaae9c822dccaa34e
SHA1 c29da6a29955ea363d2084cf374ad35e225dea28
SHA256 8af889d616db6a411b4cbb7729acd8d2e64b96841e44e9dd9760302f5c1e878f
SHA512 f5dc88d6a8efd33fc280945a39f64055de251b902396ea2ee3b92c26695666147c1cd4136af68fe7bdc20300cd2d17ceea535617f9f398774d76fa9ab7ad957d

memory/2588-11-0x00000000744BE000-0x00000000744BF000-memory.dmp
memory/2588-12-0x0000000000560000-0x000000000059A000-memory.dmp
memory/1712-13-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1712-15-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/1712-16-0x0000000005240000-0x00000000052DC000-memory.dmp
memory/1712-17-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/1712-18-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/1712-19-0x00000000744B0000-0x0000000074C60000-memory.dmp