Resubmissions

  • 21-06-2024 19:37    240621-yca7cszgnd    10
  • 09-06-2024 17:07    240609-vm7rjadd73    10
  • 13-05-2024 17:36    240513-v6qblafe3y    10
  • 12-05-2024 17:17    240512-vty3zafh5s    10
  • 12-05-2024 16:15    240512-tqd3ysdh3t    10
  • 10-05-2024 18:05    240510-wpghssdd27    10
  • 10-05-2024 17:48    240510-wdyypscg56    10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    09-06-2024 17:07

General

  • Target

    RAT/XClient.exe

  • Size

    172KB

  • MD5

    75ba783757c5b61bd841afa136fc3eda

  • SHA1

    8db9cda9508471a23f9b743027fa115e01bc1fe1

  • SHA256

    75a8719e83e4aecbe51287d7bfaf1e334fa190c7784324f24bcf61ab984de20a

  • SHA512

    9a6cfbf4302336662527837bf60b30b458f8d438bd6e9563093d4948bf81c79d56578e965d836e90aafde553d1cdc9c6df81a254aafcfb3379fbe6405dce0ea1

  • SSDEEP

    1536:vJcr5kCyoAp30kaF6CiJzt7UbjFdZe8e6TOAJkU7JsOpysa7iAMI:BcmNNxda6zZUbjHZe8jO6H2OpYuAf

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/2jTT3Lnj

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes (in this run: path and process exclusions for XClient.exe, issued with -ExecutionPolicy Bypass).

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3024
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4460
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2760
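The process tree above is the whole defence-evasion story of this sample: a freshly dropped binary in %Temp% spawns four PowerShell instances that call Add-MpPreference to exclude its own path, its install path under %AppData% and its process name from Defender. The Python below is an added example (not part of the sandbox report and not XWorm's code) that hunts this pattern over process-creation telemetry. The record layout (pid, ppid, image, cmdline) is an assumed Sysmon Event ID 1 style; the PIDs, images and command lines are copied from the tree above, and one benign Get-MpPreference event is constructed as a negative control. A finding is marked targets_parent when the excluded item names the process that launched PowerShell, i.e. the malware whitelisting itself.

```python
"""Flag PowerShell-driven Defender exclusion tampering in process-creation telemetry.

Added example: not part of the sandbox report and not the malware's own code.
Event field names (pid, ppid, image, cmdline) are an assumed Sysmon EID 1 style
layout; PIDs, images and command lines are taken from the report's process tree,
plus one constructed benign event that must not fire.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RAT_EXE = r"C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe"
INSTALLED_EXE = r"C:\Users\Admin\AppData\Roaming\XClient.exe"

SAMPLE_EVENTS: List[Dict] = [
    {"pid": 5052, "ppid": 4000, "image": RAT_EXE, "cmdline": f'"{RAT_EXE}"'},
    {"pid": 3024, "ppid": 5052, "image": PS_EXE,
     "cmdline": f"\"{PS_EXE}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{RAT_EXE}'"},
    {"pid": 1788, "ppid": 5052, "image": PS_EXE,
     "cmdline": f"\"{PS_EXE}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'"},
    {"pid": 4460, "ppid": 5052, "image": PS_EXE,
     "cmdline": f"\"{PS_EXE}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{INSTALLED_EXE}'"},
    {"pid": 2760, "ppid": 5052, "image": PS_EXE,
     "cmdline": f"\"{PS_EXE}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'"},
    # Constructed benign admin activity: only reads the config, must not fire.
    {"pid": 6100, "ppid": 900, "image": PS_EXE, "cmdline": f'"{PS_EXE}" -NoProfile Get-MpPreference'},
]

# Add-MpPreference appends to an exclusion list; Set-MpPreference replaces it. Both matter.
MPPREF_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# PowerShell accepts unambiguous parameter prefixes, so also catch "-ep Bypass" / "-exec Bypass".
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|exec|ep)\s+Bypass\b", re.IGNORECASE)
# -ExclusionX 'v' | "v" | v ; comma-separated lists are split by the caller.
EXCLUSION_RE = re.compile(
    r"-(ExclusionPath|ExclusionProcess|ExclusionExtension|ExclusionIpAddress)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)


@dataclass
class Finding:
    pid: int
    ppid: int
    cmdlet: str            # Add-MpPreference or Set-MpPreference as typed
    parameter: str         # ExclusionPath / ExclusionProcess / ...
    value: str             # the excluded path, process name, extension or IP
    exec_policy_bypass: bool
    targets_parent: bool   # excluded item names the process that launched PowerShell


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_exclusion_tampering(events: List[Dict]) -> List[Finding]:
    """Return one Finding per excluded item added or set through PowerShell."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Finding] = []
    for e in events:
        if _basename(e["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        cmdlet = MPPREF_RE.search(e["cmdline"])
        if cmdlet is None:
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = _basename(parent["image"]) if parent else ""
        bypass = BYPASS_RE.search(e["cmdline"]) is not None
        for m in EXCLUSION_RE.finditer(e["cmdline"]):
            raw = next(g for g in m.groups()[1:] if g is not None)
            for value in (v.strip() for v in raw.split(",")):
                if not value:
                    continue
                findings.append(Finding(
                    pid=e["pid"], ppid=e["ppid"], cmdlet=cmdlet.group(0),
                    parameter=m.group(1), value=value, exec_policy_bypass=bypass,
                    # Self-exclusion: a dropped binary whitelisting itself, the
                    # exact shape of this report's process tree.
                    targets_parent=bool(parent_name) and _basename(value) == parent_name,
                ))
    return findings


def excluded_items(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group excluded values by parameter (deduplicated) for the IOC write-up."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        bucket = out.setdefault(f.parameter.lower(), [])
        if f.value.lower() not in (v.lower() for v in bucket):
            bucket.append(f.value)
    return out


if __name__ == "__main__":
    for f in detect_exclusion_tampering(SAMPLE_EVENTS):
        flag = "SELF-EXCLUSION" if f.targets_parent else ""
        print(f"PID {f.pid} (parent {f.ppid}): {f.cmdlet} -{f.parameter} {f.value!r} {flag}")
```

Command-line matching only catches the plaintext form seen here; if the same cmdlet arrives via -EncodedCommand or a downloaded script, rely instead on PowerShell Script Block Logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) and on Defender's own configuration-change event (Microsoft-Windows-Windows Defender/Operational, Event ID 5007), which record the exclusion regardless of how it was invoked. On a live host, Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess shows whether the exclusions actually landed.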

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Command and Scripting Interpreter (T1059) 1
    PowerShell (T1059.001) 1
  • Persistence
    Boot or Logon Autostart Execution (T1547) 1
    Registry Run Keys / Startup Folder (T1547.001) 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547) 1
    Registry Run Keys / Startup Folder (T1547.001) 1
  • Defense Evasion
    Modify Registry (T1112) 1
  • Discovery
    System Information Discovery (T1082) 1
  • Command and Control
    Web Service (T1102) 1


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    ad5cd538ca58cb28ede39c108acb5785

    SHA1

    1ae910026f3dbe90ed025e9e96ead2b5399be877

    SHA256

    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

    SHA512

    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    c479b836b1f6e175a2b3ebb2493023be

    SHA1

    d89063add83b7ed1067b76048ca77073400c3734

    SHA256

    cf78729fbf60f9c2a9448af33022422eb241149f822a8e9b482a2daf48b23aa3

    SHA512

    f2d8bc2804eecc2f73b6b3dcefbfc1ba349068650f4eba758013e71fa4f38070989368c1a1132ba344ed1ee9767f4dd69d59c498ef019166fa82d8b67d935d51

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d26e61b05e1a82bc1ed5078b6f020fbb

    SHA1

    5a7b374a664e5975e3aacab00e30fb499bbc5dd8

    SHA256

    7788aceab7325c7eaeb0c7c6ef1def257f8ffe731874f9b9d3247590528b6011

    SHA512

    75bfdbfc5e79404951e82448f68cb14b70091ba5abf4119029c826b403ca30d0612d3ab8cdb8190f1c8269ccd5cea27e17736b123990c96557d1cbb61f1a5f1c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    9d3067fc9b8c5bd2c447abcb65069144

    SHA1

    ad5f4e09c9956c522db94a05453e997527cbb9ba

    SHA256

    4c76cad7e8040f33abe807e1c5072bcb1f187bdfa997b9b73737ceafaeb97d36

    SHA512

    59463fb53f2f626863b4c003a2a820201ff13c13aa4353397a43c36aceebe2e0d615171ecc6f4e9ad9d9e027675bfe06aca8429abdf1fb2efc19c1279877e620

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q24u0x33.key.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • memory/3024-8-0x00007FFA94980000-0x00007FFA9536C000-memory.dmp
    Filesize

    9.9MB

  • memory/3024-11-0x0000024C62810000-0x0000024C62886000-memory.dmp
    Filesize

    472KB

  • memory/3024-12-0x00007FFA94980000-0x00007FFA9536C000-memory.dmp
    Filesize

    9.9MB

  • memory/3024-23-0x00007FFA94980000-0x00007FFA9536C000-memory.dmp
    Filesize

    9.9MB

  • memory/3024-51-0x00007FFA94980000-0x00007FFA9536C000-memory.dmp
    Filesize

    9.9MB

  • memory/3024-7-0x0000024C62540000-0x0000024C62562000-memory.dmp
    Filesize

    136KB

  • memory/5052-1-0x00007FFA94983000-0x00007FFA94984000-memory.dmp
    Filesize

    4KB

  • memory/5052-2-0x00007FFA94980000-0x00007FFA9536C000-memory.dmp
    Filesize

    9.9MB

  • memory/5052-0-0x0000000000850000-0x0000000000880000-memory.dmp
    Filesize

    192KB

  • memory/5052-184-0x00007FFA94983000-0x00007FFA94984000-memory.dmp
    Filesize

    4KB

  • memory/5052-185-0x00007FFA94980000-0x00007FFA9536C000-memory.dmp
    Filesize

    9.9MB