Analysis
max time kernel
15s
max time network
28s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags
arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted
22-03-2023 22:43
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win10-20230220-en
8 signatures
30 seconds
General
Target
XClient.exe
Size
69KB
MD5
1b6c19ea6b874a27d9cb23e8c722320b
SHA1
9c01c24bd4a23cd6ad1f83701d58e09d81800321
SHA256
ec984efbcc8915ef4e2f9decbd844b9a75a1443b78616d750d1e6a4f5a405cec
SHA512
75a81d34bc2b63d5251b2e40f1cbd1d4ae1cb63ef7f7204a9d1213aef9104dd2c22704d7e7e3bcce00313a99047337a8ba972f5de171622f68c6212801ccbcfd
SSDEEP
1536:Yz0yMVnhj0hmwxGz2bp/XUkgev6nLE4TOOcqwH0p:YzqYhO6b5krev+E4TOOLwUp
Score
10/10
Malware Config
Signatures
Drops startup file 2 IoCs
Processes:
XClient.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
  process: XClient.exe
XClient.exe
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
  process: XClient.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
XClient.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"
  process: XClient.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 1
  ioc: ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
XClient.exe
  pid: 2004
  process: XClient.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
XClient.exe
  description: Token: SeDebugPrivilege
  pid: 2004
  process: XClient.exe
XClient.exe
  description: Token: SeDebugPrivilege
  pid: 2004
  process: XClient.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
XClient.exe
  pid: 2004
  process: XClient.exe