Overview

overview

10

Static

static

10

ratka.exe

windows7-x64

10

ratka.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02/03/2025, 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ratka.exe

  • Size

    80KB

  • MD5

    39ffa7b287f2d822703a6deea560dcbd

  • SHA1

    34ae6406ec73ad02955cb7676b37489fdab1695b

  • SHA256

    9465f48edb12c0ecfe182d5d6a91be86afd52c152b61c3916efb09df3a90cb05

  • SHA512

    7efa49f3c9ba846d6382e7683d64a5b00232c459028a177b07c0e4f28f06682bd3a219421a355515766007bee9e0dfcce5e243afba73290487057542a644cc40

  • SSDEEP

    1536:GeKbbG1+cDVWr5hLbwWV5hcEW07Z4E+bCXsEN9qtgq6rLs4ORpmcG1h:GeKbb60r5hLbwWVcPk1+b8JY4ORpmth

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

cause-indexes.gl.at.ply.gg:17210

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ratka.exe
    "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ratka.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    b1a49f10be5074272cee72c9f3c3b8df

    SHA1

    2a9afa76e0ca8dfbc1c7d073c3823cc57a778568

    SHA256

    56dd947c9be14128a1d5d0ba16a8912e60cc380e7731a19650a3faa2dad840b3

    SHA512

    272d2ad54cd6e087419cc5f3fe6f8688cf215a627182acb18ae5058fa09c2e9f739d47bce3f5bc9b105ea0cc063a626e9ac5491221270684c6ca40e68142fe70

    Download Submit

  • memory/316-6-0x0000000002AE0000-0x0000000002B60000-memory.dmp

    Filesize

    512KB

    Download

  • memory/316-7-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/316-8-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2316-15-0x00000000029F0000-0x00000000029F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2316-14-0x000000001B550000-0x000000001B832000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2972-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2972-1-0x0000000000D30000-0x0000000000D4A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2972-31-0x000000001B2F0000-0x000000001B370000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2972-32-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2972-33-0x000000001B2F0000-0x000000001B370000-memory.dmp

    Filesize

    512KB

    Download