Analysis
-
max time kernel
1781s -
max time network
1794s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
22-03-2023 23:11
General
-
Target
XClient.exe
-
Size
67KB
-
MD5
404dee8c8fe0b8c25ac39f60960dcbf0
-
SHA1
078b5427a3c29a2f410f0e09f667389ad630ed60
-
SHA256
90d2777179534bb5746559397a767aeee141f30a57b53c5d9c2122278b4bc4b7
-
SHA512
9d7c6c2cceff330acea030002c4c7fde0a9ebe4f6a94a035e6fd6f08d7f5fea407680e5acd5baef687a19f40e116c47e8615dd4f728bdac7636529665e83956e
-
SSDEEP
768:I9Zqr1TeXYQI9WFFTLmxVm2LXT8fbKQCQ/bm1f5Nc0Mrufk+NY1DT4sMOcPhoRcp:1r1g+wrXFfsybmtlMi2asMOasUbj
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
UAC bypass 3 TTPs 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Creates scheduled task(s)
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1380 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskkill.exetaskkill /F /IM explorer.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {71494B19-82D8-43D3-B0A9-AB6503E130B0} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5b2ff91fbcd6658a16f88329a28879937
SHA1b7c6aae816f8bf2396bf3f70692069ab84ed4bfb
SHA256c09828ee617837f0bf86cec1c815b83c564916c398f9b54ef0996f4a39f4c4d5
SHA512b41502937af2b340147eba340414c871825b7178a504566d0a809fdb9012881e4118c05ccf7a10ef537c1fcff1ddc5a03a271e188f83a54b8f01a02a8010640c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5070bce231fe617b18a67926f142ac9ad
SHA131953039931096ce10f533b8bacfeb9eb893ab11
SHA25607d6af575e288c1ab82ec8d0df031b1487963d4054b3cdd0714f51b266362a36
SHA5121cce83e6f3648bdb8dcd59743197b3068e0ad123326b83ecf52b6fe3da6c816fb8745694ce15290e815b2712333d2a45e8dd4eda6ab807cb4c776f96bc35695c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5bfead9c06e2e432397f654fb4cc6a9e7
SHA1c2b179c3d613755fd08a4c4914b21d5b83f7feb8
SHA2562f9db57049af25358a14ee0f8064ac3d6ef51e41013082b48e9fbba4ec55696f
SHA512b24b9ee03d09359e3494fdb03d2ab2e16cada3f1711206c8ab510a64ae8ada805bd8bf7b8a7b9e54ac506eb18980267541946d82b49ba1c9a4d22aebf5552b5f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5709937bad3a819aaf6542d6a717cfe07
SHA1b5db520b46d8f6af881b621ca8a6a99522679f73
SHA256545b42a279297d52832d39762659c7154f4b53e5fc8b2518d2036ac753294371
SHA51233ecccbfe27621c81b4a58ef7fe9a36adc5e0275903ee0b867c6b15aaf1fce30db111d24c5e6e01f6d57a312dbfbe5521b0ad6b3af7a58b1a78120c3694fc050
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD54a6b1c2a79398b194974717e7f06a9fc
SHA127572322620ba5f3a2f177045347bbf703a35d7b
SHA256a4d615a7b0dc12f48f078279594646106da4f8186bc1079c8e6308d4c3013f34
SHA512692c663d65b20d4fec19ea2bd5b3004090ee962023ee8308916e0dd0a915f5db931361f8513af9187dabc2a483c0c5c8c5eb14183c20647b1c068a3ffd9f2c0f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD50df3a3c74a77cc80beca8e3ca4fad06c
SHA1c398aa52013398ddb200f67ba6eba1fa208bba40
SHA2569513975362c4e15cc358a1a5dfd89d7040f1da9a237e140dadddbb7af00ea792
SHA5129d26088c93440be827c2e2a5f13f1685a4593853110d46135e4ce825d60a10815586602c69097536361e79d36f1653e46b2f8f95581f1005c3c7dd3cf5afcee9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD58dd9efbf259a6daf5ca7023753c5ecd2
SHA10233892a56c41a65d055a765e14b7761c38ffcf3
SHA2568fecf2ede32471f7844c78e56bce6d4a6b340f3a96a7a79c2daf14a62ec844f3
SHA512b7b79a132f82610d3e8fd8d9fb2f6af7fc8488555dbbecd91582e33c5b4e2faf8f1e0312ea76a763e0eb0b5cd75c3a4181346038ef8d12ef4bd99f7d8d2a1f7b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5503468bc942a8adf6fa267b976408a46
SHA166deddfc41de1fddf93974ea8f4fb8e01c9c03b2
SHA2561fd92506ae37f3665a9e85b932f32b6f1048be6be788dcbd837ff2ec4226857e
SHA5126afb1a91cb22b55c84bd8a988be33108e5a5ac3332b5a3e7dd77f48f09c91145c3a517b9643c3a569f012336fa37e10852663cb8193e3fa8c1f0bcc1828907df
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD53a57244fc01656614955c8e16ccef125
SHA14a2e39cc60b9e45417f470372a76d135e71c2043
SHA256fb02cce8cb220895e3108326ddea348ee563564c6f1529321427cf61b5845382
SHA512bcb92bc8c0468904d3be87f829ae3b4e0d762153bf6a3e92f1a20093fe91e86eb21473690a0c1d7077cc8c38f8e103eaaf221d3b9855dbbd7854cafb5bfd15de
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5a9db48b988cdbc60cc0e8a5e984a1ace
SHA128cdcd1cf6a7a7b478c1a8c6a2da0d4bc712d760
SHA2560ad91edd64f4d90d8d8585af9d8151cd690b2cb0291f1fc07ab23c2366d4458b
SHA51267074d680a6574ad165ec7bbf2522dac804639ed8bf0671d08fb9a0fa4bd796e4a3a8396090e95243a99ee54e1d97d012fa46e028b512f1130d1c937fc3c1b20
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Temp\Cab2197.tmpFilesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\Local\Temp\Tar22A9.tmpFilesize
161KB
MD5be2bec6e8c5653136d3e72fe53c98aa3
SHA1a8182d6db17c14671c3d5766c72e58d87c0810de
SHA2561919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA5120d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6WI15071.txtFilesize
604B
MD579cda2e54ccad6baf04a2d5a47159558
SHA1205d244be66331d05d4cd4014f60458df7efd5ca
SHA256f7f1c966eec5403972bb1270a47da0b0df9c4e14d79f6b33870b6b2f70de53fa
SHA512c5387cda7e8010669ad05782990ea648972d648b17eed323d7cf7bd63d31cccc3607d9a11de987f184f58d57c399f86a26c2c3f499b01f37465db51370acc81c
-
C:\Users\Admin\Desktop\How To Decrypt My Files.htmlFilesize
723B
MD5553cf6c7e10d1c701098d7e1d0a01839
SHA13cbdf41c6d02de51754a2696a382485be5175771
SHA256bfbb59fa451071b37088b6286c3e5941f2536c4d9a1b77c1c6e987da9545b6ae
SHA512591ace58027c743e663598f29857e3fa52e47e5a015dfb5e46570fcc563b623306b6e9de5df0aed2f5242c7ae88178aced6c909ec3b8c075b5d7239922d3183c
-
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENCFilesize
16B
MD524b6c0f49c7b8093b45cfe896e243169
SHA18de53659db01736f5b6b8d0eb5f90f497d409823
SHA256a5cc4c7d7eec0f11d4555b5fa93dce571574d34cf5ee0bbede4509e890f7940a
SHA512bd2140f6c627a43c5ff0df43a993aaee42befdf1698460ff614b432dc5cd83996cab9d8d505375cea563cc37cbdf1a27b3ba7ef70ae02812795619acb16227ae
-
memory/924-55-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/924-54-0x00000000013E0000-0x00000000013F8000-memory.dmpFilesize
96KB
-
memory/924-59-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/924-61-0x0000000001240000-0x000000000124E000-memory.dmpFilesize
56KB
-
memory/924-719-0x00000000013D0000-0x00000000013D1000-memory.dmpFilesize
4KB
-
memory/924-720-0x000000001B0B0000-0x000000001B0BA000-memory.dmpFilesize
40KB
-
memory/924-62-0x0000000000DE0000-0x0000000000DEC000-memory.dmpFilesize
48KB
-
memory/924-63-0x0000000000E00000-0x0000000000E0C000-memory.dmpFilesize
48KB