Malware Analysis Report

2024-11-16 13:28

Sample ID: 240621-qmrm4avglq
Target: XClient.exe
SHA256: 34b9641ff8a9253a24746b274a5f74507c6dc6df509b084bba2533eb90402e39
Tags: xworm rat trojan
Score: 10/10

Analysis Overview

score
10/10

SHA256

34b9641ff8a9253a24746b274a5f74507c6dc6df509b084bba2533eb90402e39

Threat Level: Known bad

The file XClient.exe was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Xworm

Detect Xworm Payload

Xworm family

Loads dropped DLL

Unsigned PE

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-21 13:23

Signatures

Detect Xworm Payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Xworm family

xworm

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 13:23

Reported

2024-06-21 13:24

Platform

win11-20240611-en

Max time kernel

77s

Max time network

79s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

Signatures

Detect Xworm Payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Xworm

trojan rat xworm

Loads dropped DLL

Description  Indicator  Process                                        Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\XClient.exe  N/A

Delays execution with timeout.exe

evasion

Description  Indicator  Process                          Target
N/A          N/A        C:\Windows\system32\timeout.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                        Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\XClient.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SYSTEM32\CMD.EXE

"CMD.EXE"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp997D.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country  Destination           Domain                       Proto
US       147.185.221.20:33360                               tcp
US       8.8.8.8:53            20.221.185.147.in-addr.arpa  udp
US       147.185.221.20:33360                               tcp
US       147.185.221.20:33360                               tcp
US       147.185.221.20:33360                               tcp

Files

memory/852-0-0x00007FF9A5473000-0x00007FF9A5475000-memory.dmp

memory/852-1-0x0000000000960000-0x000000000096E000-memory.dmp

memory/852-2-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp

memory/852-3-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp

memory/852-4-0x0000000002BB0000-0x0000000002BBA000-memory.dmp

memory/852-5-0x000000001C580000-0x000000001C5BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2296.tmp

MD5 1b942faa8e8b1008a8c3c1004ba57349
SHA1 cd99977f6c1819b12b33240b784ca816dfe2cb91
SHA256 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
SHA512 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

memory/852-10-0x000000001BD90000-0x000000001BD9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp997D.tmp.bat

MD5 81fd49c94c17192925857e1602d3b251
SHA1 9db958438cf876ab091a718e4df6127b15b13686
SHA256 d19495b077eea49a1f226099d93412c1c76e5bf7d98d0ec6926c8def99df2cc2
SHA512 31dc1c9919918b58028c59b7d41cbe7d296327294865f095b0373cfb2f284e71904d97a106ff2bf056a602145dbec1e7b53a668dc95d57e19a393b119ceeedf0

memory/852-15-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp