Malware Analysis Report

2024-12-07 03:21

Sample ID: 241112-1s5r1svqdp
Target: 4badc43e761b7a46c9aed5a91a47605ce590b21f2a2126203cd1f264ea6eb81f (the submitted file is named after its own SHA256)
SHA256: 4badc43e761b7a46c9aed5a91a47605ce590b21f2a2126203cd1f264ea6eb81f
Tags: xworm rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 4badc43e761b7a46c9aed5a91a47605ce590b21f2a2126203cd1f264ea6eb81f
Threat Level: Known bad

The file 4badc43e761b7a46c9aed5a91a47605ce590b21f2a2126203cd1f264ea6eb81f was found to be: Known bad.

Malicious Activity Summary

Tags: xworm rat trojan

Signatures triggered across the static and behavioral runs:

Xworm family
Detect Xworm Payload
Xworm
Drops startup file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

Two of these summary entries, "Loads dropped DLL" and "Suspicious use of WriteProcessMemory", have no matching rows in the per-run signature sections below, so this report records no indicator, process or target for them.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-12 21:55

Signatures

Unsigned PE
Details: none recorded (Description, Indicator, Process and Target are all N/A). The PE carries no Authenticode signature. On its own that is weak evidence, since plenty of benign tooling is unsigned, but it means the file cannot be matched by any publisher-based allow-list.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-12 21:55
Reported: 2024-11-12 21:58
Platform: win10v2004-20241007-en
Max time kernel: 142s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4badc43e761b7a46c9aed5a91a47605ce590b21f2a2126203cd1f264ea6eb81f.exe"

Signatures

Detect Xworm Payload
Details: none recorded (two rows, all fields N/A).

Xworm
Tags: trojan rat xworm

Xworm family
Tags: xworm

Checks computer location settings
Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\4badc43e761b7a46c9aed5a91a47605ce590b21f2a2126203cd1f264ea6eb81f.exe
Target: N/A
Caveat: Geo\Nation holds the user's GeoID and is read whenever a .NET program touches RegionInfo.CurrentRegion, so this query alone does not prove geofencing; it only carries weight together with the other signatures in this run.

Drops startup file
Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Process: C:\Users\Admin\svchost.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Process: C:\Users\Admin\svchost.exe
Target: N/A
Note: persistence is a shortcut in the per-user Startup folder (ATT&CK T1547.001), written by the dropped copy in C:\Users\Admin rather than by the original sample. XClient is the name commonly seen for XWorm client builds. The page does not record the shortcut's target, so the .lnk itself should be parsed during response to confirm which file it launches.

Executes dropped EXE
Process: C:\Users\Admin\svchost.exe
Process: C:\Users\Admin\Dearquiz.exe
Note: the genuine svchost.exe lives only in %SystemRoot%\System32 (and SysWOW64); a copy in the user profile is name masquerading (ATT&CK T1036.005). The Processes list below shows both dropped files being launched; the page does not say which of the two is the XWorm client and which is a decoy or secondary payload.

Enumerates physical storage devices
Details: none recorded.

Suspicious behavior: EnumeratesProcesses
Process: C:\Users\Admin\svchost.exe

Suspicious use of AdjustPrivilegeToken
Token: SeDebugPrivilege
Process: C:\Users\Admin\svchost.exe (two occurrences)
Note: SeDebugPrivilege lets a process open handles to processes it does not own. Enabling it from a user-profile svchost.exe, next to the process enumeration above, is consistent with a RAT's process-manager or injection functionality, although no injection target is recorded here.

Suspicious use of SetWindowsHookEx
Process: C:\Users\Admin\svchost.exe
Note: the hook type is not recorded. A low-level keyboard hook (WH_KEYBOARD_LL) is the usual user-mode keylogging route, and XWorm builds ship a keylogger module, but this report does not show which hook was installed.
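The two behaviours above that are cheapest to detect on a real host are the system-binary name running from a user profile and the .lnk written into a Startup folder. The following is an added example, not code from the sandbox or from this report, that runs those two checks over constructed Sysmon-style process-create and file-create events modelled on the rows in this run (the event shape, the list of protected binary names and the benign control events are assumptions):

```python
"""Detection logic for two behaviours recorded above: a system-binary name
(svchost.exe) running from a user profile, and a .lnk written into a Startup
folder. Runs over constructed Sysmon-style events, not the sandbox's data."""
import ntpath
from typing import Dict, List, Tuple

# Core Windows binaries that only legitimately execute from the system directories.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "wininit.exe", "spoolsv.exe",
}
# Compared case-insensitively against the parent directory of the image path;
# suffix match keeps it drive-letter agnostic (D:\Windows\System32 is still legitimate).
SYSTEM_DIR_SUFFIXES = ("\\windows\\system32", "\\windows\\syswow64")
# Per-user and all-users Startup folders both contain this path fragment.
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def is_masqueraded_system_binary(image: str) -> bool:
    """True when the file name is a core system binary but its directory is not
    System32/SysWOW64 (ATT&CK T1036.005). C:\\Users\\Admin\\svchost.exe from the
    report is the motivating case."""
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower().rstrip("\\")
    if name not in SYSTEM_BINARIES:
        return False
    return not directory.endswith(SYSTEM_DIR_SUFFIXES)


def is_startup_folder_write(target: str) -> bool:
    """True when a file is created or modified inside a Startup folder (ATT&CK T1547.001)."""
    return STARTUP_FRAGMENT in target.lower()


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, detail) alerts for events shaped like Sysmon event IDs 1 and 11."""
    alerts = []
    for ev in events:
        if ev["type"] == "ProcessCreate" and is_masqueraded_system_binary(ev["image"]):
            alerts.append(("T1036.005 system binary outside system directory", ev["image"]))
        elif ev["type"] == "FileCreate" and is_startup_folder_write(ev["target"]):
            alerts.append(("T1547.001 write to Startup folder", f'{ev["image"]} -> {ev["target"]}'))
    return alerts


# Constructed events mirroring the report's process list and the
# "Drops startup file" rows, plus two benign events as controls (assumed, not from the report).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate",
     "image": r"C:\Users\Admin\AppData\Local\Temp\4badc43e761b7a46c9aed5a91a47605ce590b21f2a2126203cd1f264ea6eb81f.exe"},
    {"type": "ProcessCreate", "image": r"C:\Users\Admin\svchost.exe"},
    {"type": "ProcessCreate", "image": r"C:\Users\Admin\Dearquiz.exe"},
    {"type": "FileCreate", "image": r"C:\Users\Admin\svchost.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe"},  # benign control
    {"type": "FileCreate", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\example.tmp"},                               # benign control
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Dearquiz.exe is deliberately not flagged by the first rule: its name is not a system binary, so it only becomes interesting through the "Executes dropped EXE" context, which a host-side rule would get from the parent process rather than from the image path alone.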

Processes

C:\Users\Admin\AppData\Local\Temp\4badc43e761b7a46c9aed5a91a47605ce590b21f2a2126203cd1f264ea6eb81f.exe

"C:\Users\Admin\AppData\Local\Temp\4badc43e761b7a46c9aed5a91a47605ce590b21f2a2126203cd1f264ea6eb81f.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Users\Admin\Dearquiz.exe

"C:\Users\Admin\Dearquiz.exe"

Network

Country  Destination       Domain                         Proto
US       8.8.8.8:53        149.220.183.52.in-addr.arpa    udp
US       8.8.8.8:53        71.209.201.84.in-addr.arpa     udp
US       8.8.8.8:53        133.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53        95.221.229.192.in-addr.arpa    udp
TH       85.203.4.77:7000  (none)                         tcp
US       8.8.8.8:53        154.239.44.20.in-addr.arpa     udp
US       8.8.8.8:53        50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53        15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53        71.208.201.84.in-addr.arpa     udp
TH       85.203.4.77:7000  (none)                         tcp
US       8.8.8.8:53        0.205.248.87.in-addr.arpa      udp
TH       85.203.4.77:7000  (none)                         tcp
TH       85.203.4.77:7000  (none)                         tcp
US       8.8.8.8:53        98.209.201.84.in-addr.arpa     udp
US       8.8.8.8:53        11.227.111.52.in-addr.arpa     udp
TH       85.203.4.77:7000  (none)                         tcp
TH       85.203.4.77:7000  (none)                         tcp

The in-addr.arpa rows are reverse (PTR) lookups sent to 8.8.8.8 for addresses such as 52.183.220.149 (the octets are reversed in the name). The report does not tie them to a process, and they are the kind of background traffic a Windows sandbox image produces on its own, so they should not be treated as indicators. The only non-DNS destination is 85.203.4.77:7000 (TH), contacted six times over TCP; a repeated connection to one fixed high port with no preceding name resolution is the C2 candidate for this run.
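Reading the candidate C2 out of a table like this one by hand is error-prone once the report has dozens of PTR rows, so the following added example (not code from the sandbox or this report) parses the rows exactly as they are printed above, recovers the addresses behind the PTR names, counts the direct connections, and emits a Suricata rule for the winner. The rows are copied from this run; the Suricata sid is a placeholder:

```python
"""Triage of the flattened Network rows above: separate the reverse-DNS (PTR)
lookups sent to 8.8.8.8 from the direct connections, recover the addresses the
PTR names encode, and pull out the repeated non-DNS destination as the C2
candidate. The rows are copied from the report; everything else is added here."""
import ipaddress
from collections import Counter
from typing import Dict, Optional, Set, Tuple

NETWORK_ROWS = """\
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
TH 85.203.4.77:7000 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.208.201.84.in-addr.arpa udp
TH 85.203.4.77:7000 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
TH 85.203.4.77:7000 tcp
TH 85.203.4.77:7000 tcp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
TH 85.203.4.77:7000 tcp
TH 85.203.4.77:7000 tcp
"""


def parse_row(line: str) -> Dict[str, object]:
    """Rows have 4 columns (Country Destination Domain Proto) or 3 when Domain is empty."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "host": host, "port": int(port), "domain": domain, "proto": proto}


def ptr_to_ip(name: str) -> Optional[str]:
    """149.220.183.52.in-addr.arpa -> 52.183.220.149 (PTR names list the octets reversed)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows_text: str) -> Tuple[Set[str], Counter]:
    """Return (addresses looked up via PTR, Counter of direct non-DNS destinations)."""
    looked_up: Set[str] = set()
    direct: Counter = Counter()
    for line in rows_text.splitlines():
        if not line.strip():
            continue
        r = parse_row(line)
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            looked_up.add(ptr_to_ip(r["domain"]) or r["domain"])
        else:
            direct[(r["host"], r["port"], r["proto"], r["country"])] += 1
    return looked_up, direct


def candidate_c2(rows_text: str) -> Tuple[str, int, str, str, int]:
    """The most repeated non-DNS destination as (host, port, proto, country, hits)."""
    _, direct = triage(rows_text)
    (key, hits), = direct.most_common(1)
    return (*key, hits)


def suricata_rule(host: str, port: int, sid: int = 1000001) -> str:
    """Minimal outbound-connection rule for the C2 candidate. The sid is a
    placeholder in the local range; assign it from your own rule management."""
    return (f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"XWorm C2 candidate {host}:{port}"; flow:to_server; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    looked_up, direct = triage(NETWORK_ROWS)
    print("PTR-resolved addresses:", sorted(looked_up))
    host, port, proto, country, hits = candidate_c2(NETWORK_ROWS)
    print(f"C2 candidate: {host}:{port}/{proto} ({country}), {hits} connections")
    print(suricata_rule(host, port))
```

The rule matches on destination address and port only, which is all this report supports; it will also fire if 85.203.4.77 is reassigned, so pair it with the file hashes below and retire it once the address stops resolving to XWorm activity.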

Files

memory/876-0-0x00007FFF17D33000-0x00007FFF17D35000-memory.dmp

memory/876-1-0x0000000000610000-0x00000000008C0000-memory.dmp

C:\Users\Admin\svchost.exe

MD5 5b77ac5d1b88f4e69b3485b65048810c
SHA1 5159298eba8bb888806d43381c2afe91574a13ff
SHA256 031264d45baafa3302be48ffcecc8c27261f1f34b21556889d76dbb34c1f7f78
SHA512 1bc510af0b94557e9b7e217178d4028320a2cf793bc61d643410572875a4d604268fd24937a5e04399b58430de3078d014ecd9acdd4aee48a27a0476cafdb024

memory/2008-31-0x0000000000B80000-0x0000000000B98000-memory.dmp

C:\Users\Admin\Dearquiz.exe

MD5 68268f230cf98d8c9494a955384e9448
SHA1 3c4c1dd67819c62f81aff206ff080084cc086196
SHA256 bbc1310c8b98f4b052e78f695abdf15113911d10d8e1db4a7a351b2957d8570e
SHA512 cf4508b363a6f3ed4caeea0a3af2719f997aab765d17389103315cdba842d852f93f6bef18bb6c9a6d15675fc2c54d485bfa6007170c5d5fff6bd9705688db41

memory/2008-50-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp

memory/2008-55-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 21:55
Reported: 2024-11-12 21:58
Platform: win7-20240708-en
Max time kernel: 128s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4badc43e761b7a46c9aed5a91a47605ce590b21f2a2126203cd1f264ea6eb81f.exe"

Signatures

Detect Xworm Payload
Details: none recorded (two rows, all fields N/A).

Xworm
Tags: trojan rat xworm

Xworm family
Tags: xworm

Drops startup file
Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Process: C:\Users\Admin\svchost.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Process: C:\Users\Admin\svchost.exe
Target: N/A
Note: the same Startup-folder shortcut as in the win10 run, written by the same dropped copy, so the persistence mechanism does not depend on the Windows version. This run did not trigger "Checks computer location settings".

Executes dropped EXE
Process: C:\Users\Admin\svchost.exe
Process: C:\Users\Admin\Dearquiz.exe

Enumerates physical storage devices
Details: none recorded.

Suspicious behavior: EnumeratesProcesses
Process: C:\Users\Admin\svchost.exe

Suspicious use of AdjustPrivilegeToken
Token: SeDebugPrivilege
Process: C:\Users\Admin\svchost.exe (two occurrences)

Suspicious use of SetWindowsHookEx
Process: C:\Users\Admin\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4badc43e761b7a46c9aed5a91a47605ce590b21f2a2126203cd1f264ea6eb81f.exe

"C:\Users\Admin\AppData\Local\Temp\4badc43e761b7a46c9aed5a91a47605ce590b21f2a2126203cd1f264ea6eb81f.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Users\Admin\Dearquiz.exe

"C:\Users\Admin\Dearquiz.exe"

Network

Country  Destination       Domain   Proto
TH       85.203.4.77:7000  (none)   tcp
TH       85.203.4.77:7000  (none)   tcp
TH       85.203.4.77:7000  (none)   tcp
TH       85.203.4.77:7000  (none)   tcp
TH       85.203.4.77:7000  (none)   tcp

No DNS traffic was recorded in this run; the sample connected directly to 85.203.4.77:7000 five times, the same destination as in the win10 run, which confirms the address is embedded in the sample rather than resolved at runtime.

Files

memory/2000-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

memory/2000-1-0x0000000000B40000-0x0000000000DF0000-memory.dmp

C:\Users\Admin\svchost.exe

MD5 5b77ac5d1b88f4e69b3485b65048810c
SHA1 5159298eba8bb888806d43381c2afe91574a13ff
SHA256 031264d45baafa3302be48ffcecc8c27261f1f34b21556889d76dbb34c1f7f78
SHA512 1bc510af0b94557e9b7e217178d4028320a2cf793bc61d643410572875a4d604268fd24937a5e04399b58430de3078d014ecd9acdd4aee48a27a0476cafdb024

memory/2108-7-0x00000000013E0000-0x00000000013F8000-memory.dmp

\Users\Admin\Dearquiz.exe

MD5 68268f230cf98d8c9494a955384e9448
SHA1 3c4c1dd67819c62f81aff206ff080084cc086196
SHA256 bbc1310c8b98f4b052e78f695abdf15113911d10d8e1db4a7a351b2957d8570e
SHA512 cf4508b363a6f3ed4caeea0a3af2719f997aab765d17389103315cdba842d852f93f6bef18bb6c9a6d15675fc2c54d485bfa6007170c5d5fff6bd9705688db41

memory/2108-13-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/2108-18-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/2108-19-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/2108-20-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp
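Both Files sections list memory dumps whose names encode the process ID, a sequence number and the dumped address range, and both report identical MD5/SHA1/SHA256/SHA512 values for the dropped svchost.exe and Dearquiz.exe, so the dropped files are byte-for-byte the same on win7 and win10. The dump names can be read the same way to decide which dump to open first. The following added example (not code from the sandbox or this report) parses the names copied from both runs and ranks the low-address regions by size; the address threshold used to set aside DLL mappings is a heuristic assumed here, not something the page states:

```python
"""Parse the memory-dump names listed in both Files sections into (pid, sequence,
start, end) and compute region sizes, so the dumps can be prioritised before
opening any of them. Dump names are copied from the report; the parsing and the
address heuristic are added here."""
import re
from dataclasses import dataclass
from typing import Dict, List

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Heuristic (assumption): on x64 Windows, loaded system DLLs are mapped near the
# top of the user-mode address range, so regions starting at or above this value
# are treated as module mappings rather than the sample's own image or heap.
HIGH_ADDRESS = 0x7FE00000000


@dataclass(frozen=True)
class Region:
    name: str
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def is_module_mapping(self) -> bool:
        return self.start >= HIGH_ADDRESS


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    return Region(name, int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def payload_candidates(names: List[str]) -> List[Region]:
    """Low-address regions (not module mappings), smallest first, deduplicated by
    (pid, start, end). The small private region in the dropped process is the
    one to open first when looking for the unpacked client."""
    seen = set()
    out = []
    for n in names:
        r = parse_dump_name(n)
        key = (r.pid, r.start, r.end)
        if r.is_module_mapping or key in seen:
            continue
        seen.add(key)
        out.append(r)
    return sorted(out, key=lambda r: r.size)


def sizes_by_pid(names: List[str]) -> Dict[int, List[int]]:
    """Map pid -> list of region sizes in listing order (module mappings included)."""
    result: Dict[int, List[int]] = {}
    for n in names:
        r = parse_dump_name(n)
        result.setdefault(r.pid, []).append(r.size)
    return result


# Dump names from the behavioral2 (win10) and behavioral1 (win7) Files sections.
WIN10_DUMPS = [
    "memory/876-0-0x00007FFF17D33000-0x00007FFF17D35000-memory.dmp",
    "memory/876-1-0x0000000000610000-0x00000000008C0000-memory.dmp",
    "memory/2008-31-0x0000000000B80000-0x0000000000B98000-memory.dmp",
    "memory/2008-50-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp",
    "memory/2008-55-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp",
]
WIN7_DUMPS = [
    "memory/2000-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp",
    "memory/2000-1-0x0000000000B40000-0x0000000000DF0000-memory.dmp",
    "memory/2108-7-0x00000000013E0000-0x00000000013F8000-memory.dmp",
    "memory/2108-13-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp",
    "memory/2108-18-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp",
    "memory/2108-19-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp",
    "memory/2108-20-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp",
]

if __name__ == "__main__":
    for label, dumps in (("win10", WIN10_DUMPS), ("win7", WIN7_DUMPS)):
        for r in payload_candidates(dumps):
            print(f"{label} pid {r.pid} seq {r.seq}: 0x{r.start:X}-0x{r.end:X} "
                  f"({r.size:#x} bytes, {r.size // 1024} KiB)")
```

On both platforms the ranking comes out the same: a 0x18000-byte (96 KiB) region in the second process (PID 2008 on win10, 2108 on win7) and a 0x2B0000-byte (2.75 MiB) region in the initial sample's process, with the remaining dumps being the same ~10 MiB high-address range captured repeatedly. Matching sizes across two different Windows builds, together with the identical file hashes, mean a single set of IOCs covers both detonations.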