Analysis
max time kernel: 1191s
max time network: 1204s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 24/02/2024, 19:35
General
Target: x.exe
Size: 63KB
MD5: 78e0d6b85721aec5404971862734be82
SHA1: b0f490a2d377670c62c294b9bb163cacf80c256c
SHA256: 6906f0586af2064fb11cd0e81fc09e6f87fa4e77580b43e79ead6242d6cc7469
SHA512: e03ae3b43aee97ee21053c1174195b19388cc1fe403813afe63aa0da4c9418b47a0e2eb846082d5180264820572028085ded744bdd28e1e1cf9e090838020666
SSDEEP: 1536:+Ed0d4ayDZpxSAb+hXSBni3dWY6AxtNOu65x+/kuC:+Bd4aYbAAba9WOPOr5iC
Malware Config
Extracted
Family: xworm
C2: 18.ip.gl.ply.gg:33725
Install_directory: %AppData%
install_file: XClient.exe
Signatures

Detect Xworm Payload (1 IoC)
  resource: behavioral1/memory/5092-0-0x0000000000CA0000-0x0000000000CB6000-memory.dmp
  yara_rule: family_xworm

Drops startup file (2 IoCs)
  description                   ioc                                                                                        Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk   x.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk   x.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  3980  powershell.exe (listed 3 times)
  3608  powershell.exe (listed 3 times)
  924   powershell.exe (listed 3 times)
  2464  powershell.exe (listed 3 times)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid   Process         Tokens
  5092  x.exe           SeDebugPrivilege
  3980  powershell.exe  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3608  powershell.exe  same 22 tokens as PID 3980, in the same order
  924   powershell.exe  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process  procid_target
  PID 5092 wrote to memory of 3980   5092  x.exe    74
  PID 5092 wrote to memory of 3980   5092  x.exe    74
  PID 5092 wrote to memory of 3608   5092  x.exe    77
  PID 5092 wrote to memory of 3608   5092  x.exe    77
  PID 5092 wrote to memory of 924    5092  x.exe    79
  PID 5092 wrote to memory of 924    5092  x.exe    79
  PID 5092 wrote to memory of 2464   5092  x.exe    81
  PID 5092 wrote to memory of 2464   5092  x.exe    81
Processes

C:\Users\Admin\AppData\Local\Temp\x.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5092

  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\x.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3980

  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3608

  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 924

  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Suspicious behavior: EnumeratesProcesses
    PID: 2464
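The process tree above is the whole defence-evasion and persistence story of this sample: x.exe drops XClient.lnk into the user's Startup folder, then spawns four PowerShell children that add Microsoft Defender exclusions for its own path and process name and for the XClient.exe install path from the extracted config. The detector below is an added example, not part of the sandbox report or of any sensor's code. It runs over constructed process-creation and file-creation records that mirror this tree (the field names pid, ppid, image, cmdline and target, and the parent PID 4120, are assumptions for the example, not a real telemetry schema), flags Add-MpPreference exclusions, notes when an exclusion shields the very process that spawned PowerShell, flags Startup-folder writes, and reports a parent that adds several exclusions in a row.

```python
import re

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Add-MpPreference takes -ExclusionPath / -ExclusionProcess / -ExclusionExtension /
# -ExclusionIpAddress; the value may be single-quoted, double-quoted or bare.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|([^\s'\"]+))",
    re.IGNORECASE,
)
# Both the per-user and the all-users (ProgramData) Startup folders end like this.
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE
)


def defender_exclusion(cmdline):
    """Return (kind, value) if the command line adds a Defender exclusion, else None."""
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    value = next(g for g in m.groups()[1:] if g is not None)
    return m.group(1).lower(), value


def startup_drop(path):
    """True when a file lands in a Startup folder (executed at next logon)."""
    return STARTUP_RE.search(path) is not None


def shields_parent(kind, value, parent_image):
    """True when the exclusion covers the process that spawned PowerShell."""
    if not parent_image:
        return False
    if kind == "path":
        return value.lower() == parent_image.lower()
    if kind == "process":
        return value.lower() == parent_image.rsplit("\\", 1)[-1].lower()
    return False


def analyze(events):
    """Single pass over process/file events; returns a list of finding dicts."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    findings, spawners = [], {}
    for e in events:
        if e["type"] == "process":
            hit = defender_exclusion(e["cmdline"])
            if hit is None:
                continue
            kind, value = hit
            findings.append({
                "rule": "defender_exclusion_added", "pid": e["pid"],
                "parent_pid": e["ppid"], "kind": kind, "value": value,
                "shields_parent": shields_parent(kind, value, image_by_pid.get(e["ppid"])),
            })
            spawners.setdefault(e["ppid"], []).append(e["pid"])
        elif e["type"] == "file" and startup_drop(e["target"]):
            findings.append({"rule": "startup_folder_write", "pid": e["pid"],
                             "path": e["target"]})
    # One parent adding exclusion after exclusion is the pattern in this report.
    for ppid, kids in spawners.items():
        if len(kids) >= 2:
            findings.append({"rule": "repeated_exclusion_spawner", "pid": ppid,
                             "children": kids})
    return findings


def ps(pid, args):
    """Constructed process-creation record for a PowerShell child of x.exe."""
    return {"type": "process", "pid": pid, "ppid": 5092, "image": POWERSHELL,
            "cmdline": f'"{POWERSHELL}" -ExecutionPolicy Bypass {args}'}


# Constructed sample telemetry mirroring the process tree above (ppid 4120 is made up).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 5092, "ppid": 4120,
     "image": r"C:\Users\Admin\AppData\Local\Temp\x.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\x.exe"'},
    {"type": "file", "pid": 5092,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk"},
    ps(3980, r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\x.exe'"),
    ps(3608, "Add-MpPreference -ExclusionProcess 'x.exe'"),
    ps(924, r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'"),
    ps(2464, "Add-MpPreference -ExclusionProcess 'XClient.exe'"),
    # Benign controls (constructed): a read-only Defender query and an ordinary file write.
    {"type": "process", "pid": 6100, "ppid": 4120, "image": POWERSHELL,
     "cmdline": f'"{POWERSHELL}" Get-MpPreference'},
    {"type": "file", "pid": 6100, "target": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

On the sample, the four exclusion findings line up with PIDs 3980, 3608, 924 and 2464; the first two are marked as shielding their parent because the excluded path and process name are x.exe itself, which a legitimate administrator adding an exclusion from a console never produces. The Get-MpPreference control and the Documents write produce nothing, so the rule set is usable as-is on top of Sysmon Event ID 1 and 11 style data once the field names are mapped.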
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 8592ba100a78835a6b94d5949e13dfc1
SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Filesize: 1KB
MD5: 8a40bab0004dff7dd8ce5833572e28b3
SHA1: 756d4d6a8334e19e43e4e7a43c7982c72ea6af61
SHA256: 4cec6f7123df12bd15b7c6407ccf555564ade3c1e47c1840565323365258efb9
SHA512: aa7a05086dafea32ce15cdaa4a05bf9099047bcac4068eb99dc54f7162714df3d7e7632c235250062ffdfed469eacfbb956bec258d8a89b9160e9b1b99c15234

Filesize: 1KB
MD5: d574bf7f249d8dc2ee796bcb64157292
SHA1: 9b63ad64d11399a97cb7bfbeba52da511fd223c6
SHA256: deb103a856fd2138a228b3bdc28526e48239e37342c1e2718a332e6921ff4043
SHA512: 2c94a4d785a743602da452115ec38160fc995cb6e387b7ea1d55f2ce6a592c4ccd9a9ce5fb4f0f2a3988328b88ad7915c40f4973869fe9c3057f5084de328f9c

Filesize: 1KB
MD5: 375a5136f25eb83f51334a04f76f143c
SHA1: d1efcdd72378d759f9ed2f31f6928cdbe07b3c29
SHA256: 588e1772f8d3498d868c584e49e917074ad84d167309fa8c631853caa222c949
SHA512: d84ccc20958f00d10d9816922c24cebfb75f6c0d19bfd9728a5234e8a9cc1c106a2ef730db5d8ec9d117abf03d002943339f1ea6df670590bdda88e210c18c59

Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a