Analysis

  • max time kernel
    38s
  • max time network
    42s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/07/2023, 06:41

General

  • Target

    XClient.exe

  • Size

    7.0MB

  • MD5

    e0d3b7e8c9c6357edc34512e2981b702

  • SHA1

    165a0daa8d0b35c71d43e28e24db2b72a1f6a878

  • SHA256

    6c0ef09359aab484f1fa5f37f298aa99849bca0f9a64f46cb0f85a0d3fbc8e75

  • SHA512

    db10fe870d6719d38e04367500336fb7b6a5adb62e1b09acb2f6dd473ace567b830db80a1d63e6c09a6984ebc47f742c4076c7b22d12949a17a2aa1b51ddbe19

  • SSDEEP

    196608:GKcUG4raKu24YY7HVT4hV0AD6QgqKRgX:dmKr4YYH+EUWpgX

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Themida packer 13 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3984
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4988
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
      2⤵
      PID:4088
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE8B.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2896
  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    C:\Users\Admin\AppData\Local\Temp\XClient.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:1352

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

            Filesize

            1KB

            MD5

            3982d6d16fd43ae609fd495bb33433a2

            SHA1

            6c33cd681fdfd9a844a3128602455a768e348765

            SHA256

            9a0a58776494250224706cbfbb08562eec3891fb988f17d66d0d8f9af4253cf9

            SHA512

            4b69315f5d139b8978123bebd417231b28f86b6c1433eb88105465a342339c6c6b8c240a2ca8d2a9c1fca20136c8c167b78a770ab0664231f6e1742291cbf1aa

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            944B

            MD5

            62623d22bd9e037191765d5083ce16a3

            SHA1

            4a07da6872672f715a4780513d95ed8ddeefd259

            SHA256

            95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

            SHA512

            9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            944B

            MD5

            50d3033f2bc3a3774c469d03e71a79a9

            SHA1

            22027b1d52085de99b3bffa276530fea5d961471

            SHA256

            2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

            SHA512

            ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

          • C:\Users\Admin\AppData\Local\Temp\21157425-258a-4e44-99e0-d77dd2de4666\AgileDotNetRT64.dll

            Filesize

            4.2MB

            MD5

            05b012457488a95a05d0541e0470d392

            SHA1

            74f541d6a8365508c794ef7b4ac7c297457f9ce3

            SHA256

            1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

            SHA512

            6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tmn4eo4q.nml.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\tmpAE8B.tmp.bat

            Filesize

            159B

            MD5

            91ddce02d16d4df46e801bd5696376f7

            SHA1

            528f84dd6b471ba57fb95b722d543abe4b4fdb44

            SHA256

            ef61dd4c1272be3cb62e1481e3c412e276a09bd896cf621f3ac02cec73e8f19d

            SHA512

            80460492840be2ad8094526fb2400b0ce7144de6e1a4cc4ca5ec51bbe34d7b12ba9daf41f986523aa8972a4634dfe2775655fc9e560c464ffd865958ce750b63

          • memory/1352-200-0x00007FFCBE9E0000-0x00007FFCBEB2E000-memory.dmp

            Filesize

            1.3MB

          • memory/1352-197-0x000000001BB70000-0x000000001BB80000-memory.dmp

            Filesize

            64KB

          • memory/1352-198-0x00007FFCAFEE0000-0x00007FFCB0A64000-memory.dmp

            Filesize

            11.5MB

          • memory/1352-199-0x00007FFCAFEE0000-0x00007FFCB0A64000-memory.dmp

            Filesize

            11.5MB

          • memory/1352-203-0x00007FFCAFEE0000-0x00007FFCB0A64000-memory.dmp

            Filesize

            11.5MB

          • memory/2520-175-0x0000026120260000-0x0000026120270000-memory.dmp

            Filesize

            64KB

          • memory/2520-174-0x0000026120260000-0x0000026120270000-memory.dmp

            Filesize

            64KB

          • memory/3116-141-0x00007FFCAFEE0000-0x00007FFCB0A64000-memory.dmp

            Filesize

            11.5MB

          • memory/3116-133-0x00000000005D0000-0x0000000000CD8000-memory.dmp

            Filesize

            7.0MB

          • memory/3116-136-0x000000001BA90000-0x000000001BAA0000-memory.dmp

            Filesize

            64KB

          • memory/3116-210-0x00007FFCAFEE0000-0x00007FFCB0A64000-memory.dmp

            Filesize

            11.5MB

          • memory/3116-173-0x000000001BA90000-0x000000001BAA0000-memory.dmp

            Filesize

            64KB

          • memory/3116-155-0x00007FFCAFEE0000-0x00007FFCB0A64000-memory.dmp

            Filesize

            11.5MB

          • memory/3116-204-0x00007FFCAFEE0000-0x00007FFCB0A64000-memory.dmp

            Filesize

            11.5MB

          • memory/3116-193-0x000000001BA90000-0x000000001BAA0000-memory.dmp

            Filesize

            64KB

          • memory/3116-194-0x00007FFCAFEE0000-0x00007FFCB0A64000-memory.dmp

            Filesize

            11.5MB

          • memory/3116-143-0x00007FFCAFEE0000-0x00007FFCB0A64000-memory.dmp

            Filesize

            11.5MB

          • memory/3116-201-0x000000001BA90000-0x000000001BAA0000-memory.dmp

            Filesize

            64KB

          • memory/3116-144-0x00007FFCBE9E0000-0x00007FFCBEB2E000-memory.dmp

            Filesize

            1.3MB

          • memory/3984-189-0x0000024132DD0000-0x0000024132DE0000-memory.dmp

            Filesize

            64KB

          • memory/3984-190-0x0000024132DD0000-0x0000024132DE0000-memory.dmp

            Filesize

            64KB

          • memory/3984-188-0x0000024132DD0000-0x0000024132DE0000-memory.dmp

            Filesize

            64KB

          • memory/3984-187-0x0000024132DD0000-0x0000024132DE0000-memory.dmp

            Filesize

            64KB

          • memory/4080-150-0x000002306EBD0000-0x000002306EBF2000-memory.dmp

            Filesize

            136KB

          • memory/4080-156-0x000002306EC70000-0x000002306EC80000-memory.dmp

            Filesize

            64KB

          • memory/4080-157-0x000002306EC70000-0x000002306EC80000-memory.dmp

            Filesize

            64KB

          • memory/4080-158-0x000002306EC70000-0x000002306EC80000-memory.dmp

            Filesize

            64KB

          • memory/4080-161-0x000002306EC70000-0x000002306EC80000-memory.dmp

            Filesize

            64KB