5ff7fba234e4dcca3d0807ebad17b68f13d3ef838f401e9f293597b86683215f

General

Target

XClient.exe
Size

67KB
MD5

b37d08f9a7714dcf386c768ff73827ff
SHA1

85b2f077a91db819014d41c10f131f1c9a7c514f
SHA256

5ff7fba234e4dcca3d0807ebad17b68f13d3ef838f401e9f293597b86683215f
SHA512

d13856b31e1191501f3df8f55abfa2aa9348f662ff67bd23f5cbb36b656033ee0ebeba8d68ef2ed8c31da459be8a15694d593ab337eb8c93f21067dadb2ecd02
SSDEEP

1536:UDyYN/k7PO4EAZ4ZaT5ba/SGAr26+nOCK5Sf:U/yPO4tZzba0qnOCKQ

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 2 IoCs

pid	Process
3028	XClient.exe
1408	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2208	powershell.exe
1304	powershell.exe
2456	powershell.exe
1580	XClient.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	XClient.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	3028	XClient.exe
Token: SeDebugPrivilege	1408	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1580	XClient.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2208	1580	XClient.exe	30
PID 1580 wrote to memory of 2208	1580	XClient.exe	30
PID 1580 wrote to memory of 2208	1580	XClient.exe	30
PID 1580 wrote to memory of 1304	1580	XClient.exe	31
PID 1580 wrote to memory of 1304	1580	XClient.exe	31
PID 1580 wrote to memory of 1304	1580	XClient.exe	31
PID 1580 wrote to memory of 2456	1580	XClient.exe	33
PID 1580 wrote to memory of 2456	1580	XClient.exe	33
PID 1580 wrote to memory of 2456	1580	XClient.exe	33
PID 1580 wrote to memory of 1544	1580	XClient.exe	35
PID 1580 wrote to memory of 1544	1580	XClient.exe	35
PID 1580 wrote to memory of 1544	1580	XClient.exe	35
PID 2700 wrote to memory of 3028	2700	taskeng.exe	40
PID 2700 wrote to memory of 3028	2700	taskeng.exe	40
PID 2700 wrote to memory of 3028	2700	taskeng.exe	40
PID 2700 wrote to memory of 1408	2700	taskeng.exe	41
PID 2700 wrote to memory of 1408	2700	taskeng.exe	41
PID 2700 wrote to memory of 1408	2700	taskeng.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1544

C:\Windows\system32\taskeng.exe
taskeng.exe {5C0D0C22-2D64-4248-89B0-7E184A7C08BB} S-1-5-21-4159544280-4273523227-683900707-1000:UMAXQRGK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c03cc1fbab56a71c93c9b7b51f4928c1

SHA1
0d30982052e0e096e6839d6e2fb137bbf73d27bc

SHA256
7514df9fc3be52eeb015091c8b42af31ad019bc8656a8c2c6cae7330e28a9b47

SHA512
6e055203c901c0d89d33e54607c373bfd0be4f0f932e329f88d92d2a8ab9ffd74637f8baf3c73c0aeb1f63e28e27f24ba5854a8f298bbf0fcf3bdd13cba2899d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c03cc1fbab56a71c93c9b7b51f4928c1

SHA1
0d30982052e0e096e6839d6e2fb137bbf73d27bc

SHA256
7514df9fc3be52eeb015091c8b42af31ad019bc8656a8c2c6cae7330e28a9b47

SHA512
6e055203c901c0d89d33e54607c373bfd0be4f0f932e329f88d92d2a8ab9ffd74637f8baf3c73c0aeb1f63e28e27f24ba5854a8f298bbf0fcf3bdd13cba2899d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G984GQ69VBF497K9V6DW.temp

Filesize
7KB

MD5
c03cc1fbab56a71c93c9b7b51f4928c1

SHA1
0d30982052e0e096e6839d6e2fb137bbf73d27bc

SHA256
7514df9fc3be52eeb015091c8b42af31ad019bc8656a8c2c6cae7330e28a9b47

SHA512
6e055203c901c0d89d33e54607c373bfd0be4f0f932e329f88d92d2a8ab9ffd74637f8baf3c73c0aeb1f63e28e27f24ba5854a8f298bbf0fcf3bdd13cba2899d

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
67KB

MD5
b37d08f9a7714dcf386c768ff73827ff

SHA1
85b2f077a91db819014d41c10f131f1c9a7c514f

SHA256
5ff7fba234e4dcca3d0807ebad17b68f13d3ef838f401e9f293597b86683215f

SHA512
d13856b31e1191501f3df8f55abfa2aa9348f662ff67bd23f5cbb36b656033ee0ebeba8d68ef2ed8c31da459be8a15694d593ab337eb8c93f21067dadb2ecd02

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
67KB

MD5
b37d08f9a7714dcf386c768ff73827ff

SHA1
85b2f077a91db819014d41c10f131f1c9a7c514f

SHA256
5ff7fba234e4dcca3d0807ebad17b68f13d3ef838f401e9f293597b86683215f

SHA512
d13856b31e1191501f3df8f55abfa2aa9348f662ff67bd23f5cbb36b656033ee0ebeba8d68ef2ed8c31da459be8a15694d593ab337eb8c93f21067dadb2ecd02

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
67KB

MD5
b37d08f9a7714dcf386c768ff73827ff

SHA1
85b2f077a91db819014d41c10f131f1c9a7c514f

SHA256
5ff7fba234e4dcca3d0807ebad17b68f13d3ef838f401e9f293597b86683215f

SHA512
d13856b31e1191501f3df8f55abfa2aa9348f662ff67bd23f5cbb36b656033ee0ebeba8d68ef2ed8c31da459be8a15694d593ab337eb8c93f21067dadb2ecd02

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
67KB

MD5
b37d08f9a7714dcf386c768ff73827ff

SHA1
85b2f077a91db819014d41c10f131f1c9a7c514f

SHA256
5ff7fba234e4dcca3d0807ebad17b68f13d3ef838f401e9f293597b86683215f

SHA512
d13856b31e1191501f3df8f55abfa2aa9348f662ff67bd23f5cbb36b656033ee0ebeba8d68ef2ed8c31da459be8a15694d593ab337eb8c93f21067dadb2ecd02

Download Submit
memory/1304-85-0x000007FEEE3C0000-0x000007FEEED5D000-memory.dmp

Filesize
9.6MB

Download
memory/1304-78-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1304-84-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1304-82-0x000007FEEE3C0000-0x000007FEEED5D000-memory.dmp

Filesize
9.6MB

Download
memory/1304-77-0x000007FEEE3C0000-0x000007FEEED5D000-memory.dmp

Filesize
9.6MB

Download
memory/1304-76-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/1304-79-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1304-80-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1304-81-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1408-115-0x0000000001260000-0x0000000001278000-memory.dmp

Filesize
96KB

Download
memory/1408-116-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1408-117-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1580-83-0x0000000000470000-0x00000000004F0000-memory.dmp

Filesize
512KB

Download
memory/1580-55-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1580-54-0x0000000000EB0000-0x0000000000EC8000-memory.dmp

Filesize
96KB

Download
memory/1580-64-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1580-56-0x0000000000470000-0x00000000004F0000-memory.dmp

Filesize
512KB

Download
memory/2208-68-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2208-70-0x000007FEEED60000-0x000007FEEF6FD000-memory.dmp

Filesize
9.6MB

Download
memory/2208-67-0x000007FEEED60000-0x000007FEEF6FD000-memory.dmp

Filesize
9.6MB

Download
memory/2208-66-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/2208-61-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/2208-62-0x000007FEEED60000-0x000007FEEF6FD000-memory.dmp

Filesize
9.6MB

Download
memory/2208-63-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2208-69-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2208-65-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2456-91-0x000007FEEED60000-0x000007FEEF6FD000-memory.dmp

Filesize
9.6MB

Download
memory/2456-97-0x000007FEEED60000-0x000007FEEF6FD000-memory.dmp

Filesize
9.6MB

Download
memory/2456-95-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2456-96-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2456-93-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2456-94-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2456-92-0x000007FEEED60000-0x000007FEEF6FD000-memory.dmp

Filesize
9.6MB

Download
memory/3028-110-0x0000000000200000-0x0000000000218000-memory.dmp

Filesize
96KB

Download
memory/3028-111-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-113-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads