Malware Analysis Report

2024-11-16 13:30

Sample ID 240621-zcl5asvfpp
Target XWormLоader 5.6 x64.exe
SHA256 60ddff3747cec6439d564d036b7a0f15ac22de87fe3d41dc3f6eca9292ca1cee
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

60ddff3747cec6439d564d036b7a0f15ac22de87fe3d41dc3f6eca9292ca1cee

Threat Level: Known bad

The file XWormLоader 5.6 x64.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Checks SCSI registry key(s)

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 20:34

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 20:34

Reported

2024-06-21 20:35

Platform

win10v2004-20240611-en

Max time kernel

41s

Max time network

43s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Serrvice Executable.lnk C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Serrvice Executable.lnk C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antimalware Serrvice Executable = "C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Serrvice Executable.exe" C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4616 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe C:\Windows\System32\schtasks.exe
PID 4616 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe

"C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe'

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLоader 5.6 x64.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Antimalware Serrvice Executable.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Antimalware Serrvice Executable" /tr "C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe"

C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe

"C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 min-clusters.gl.at.ply.gg udp
US 147.185.221.20:12082 min-clusters.gl.at.ply.gg tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 feb-victorian.gl.at.ply.gg udp
US 147.185.221.20:12082 feb-victorian.gl.at.ply.gg tcp

Files

memory/4616-0-0x00007FFDAABB3000-0x00007FFDAABB5000-memory.dmp

memory/4616-1-0x0000000000D80000-0x0000000000D96000-memory.dmp

memory/4616-2-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp

memory/4724-3-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp

memory/4724-13-0x0000014EFA220000-0x0000014EFA242000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lkudcqvs.w1a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4724-14-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp

memory/4724-15-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp

memory/4724-18-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

memory/3300-32-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp

memory/3300-30-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp

memory/3300-31-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp

memory/3300-42-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp

memory/3300-41-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp

memory/3300-40-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp

memory/3300-39-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp

memory/3300-38-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp

memory/3300-37-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp

memory/3300-36-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15dde0683cd1ca19785d7262f554ba93
SHA1 d039c577e438546d10ac64837b05da480d06bf69
SHA256 d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 73d375b957e6a571723660974cc79bef
SHA1 dde4d7c074f345a25610bc2d0f85dfe16ec9855c
SHA256 9e10486480c7d54577b7290fc129284d7fcc435f93cbee4e07a9cabc681cb485
SHA512 f2d4e3e50736889b721493bb458238f48ce05fc2e0ec4fae87983d26d9876abb7be53d9eac65a42c12a4cd88b1aec884f5a89f34b3f2ccdbe03ad383ce47b781

C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe

MD5 e166dd45fd4a6d4e228f0a89fa3730c1
SHA1 98b15dc0ca3fde498d3ad1f53d542ee0b5024075
SHA256 60ddff3747cec6439d564d036b7a0f15ac22de87fe3d41dc3f6eca9292ca1cee
SHA512 beb7db6cb84ff8953d2892e710832b84d08cbc9daf68f0297ed169612fc30d9cc5ee9d7dda5a4cb4b19b407a34e94a26b117de0b7d4b831c348ff8a4715cd624

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Serrvice Executable.lnk

MD5 be947da1f0084c0ecbd18f9cc1d73d95
SHA1 898fecf25ca7412661951b636df0acbfb4a52efb
SHA256 257f8a7df9c264b35a2fef997cbe32787edd8cf1e3fa40675097fc04e3424450
SHA512 e2182b67b4961e782d256bc8f51630f947916faa5e0d6532ac512eb5eb3f8e9c8962aa0c555c0373d1ec312dfb946724585425db828b8fb0aa5b1413ffad70c0

memory/4616-73-0x0000000002E60000-0x0000000002E95000-memory.dmp

memory/4616-72-0x000000001BF40000-0x000000001C042000-memory.dmp

memory/4616-76-0x00007FFDAABB3000-0x00007FFDAABB5000-memory.dmp

memory/4616-77-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp