Overview

overview

10

Static

static

10

XClient.exe

windows10-2004-x64

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2024, 17:37

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    86KB

  • MD5

    2473c3e8b3d22cbfaa9b5d8115f6166b

  • SHA1

    71e87a094f3e4686839bcc073ae9b0ac7a371ebf

  • SHA256

    3d812652bff62c3321446e5591acb27f2b40e4d42872c3629588bfc2ac31151b

  • SHA512

    51ea5719bfac698f029cd02f74384ec2d88cd7bec858c4fcb5887cb31488f9aea387ee5d057dc6efb2940ef56bd0bc423d9771d6ddb7436644ada94a35f556d2

  • SSDEEP

    1536:M5EkmroQStrBcx9B4YD8yto0En9bBAbFAJxxo96uODf6JT+zo:0ErqWR4k8ytoLn9b8ASO7WUo

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

story-pl.gl.at.ply.gg:13978

Attributes
  • Install_directory

    %Temp%

  • install_file

    MicrosoftAudioDriver.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MicrosoftAudioDriver.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftAudioDriver.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftAudioDriver" /tr "C:\Users\Admin\AppData\Local\Temp\MicrosoftAudioDriver.exe"
      2⤵
      • Creates scheduled task(s)
      PID:876
    • C:\Windows\SYSTEM32\shutdown.exe
      shutdown.exe /f /s /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4472
  • C:\Users\Admin\AppData\Local\Temp\MicrosoftAudioDriver.exe
    C:\Users\Admin\AppData\Local\Temp\MicrosoftAudioDriver.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4584
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3907855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2848

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          440cb38dbee06645cc8b74d51f6e5f71

          SHA1

          d7e61da91dc4502e9ae83281b88c1e48584edb7c

          SHA256

          8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

          SHA512

          3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          42cc9ff3509672894beabcd392a00c43

          SHA1

          c12dc74a6c8a8e1f8f4033d31495ebb09d70e9ab

          SHA256

          352d90b619218e7bf297219c1468e9ea487c9002e28984ec70a963088dff3579

          SHA512

          c876de012d1b237463b2c2a4195e050c2ddbdf5725aa2553313525ecb6a4a3f0cda9a289f257b886395da6407b5173451e95df89665ae1c727c6be3753a89271

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          15dde0683cd1ca19785d7262f554ba93

          SHA1

          d039c577e438546d10ac64837b05da480d06bf69

          SHA256

          d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

          SHA512

          57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          a7cc007980e419d553568a106210549a

          SHA1

          c03099706b75071f36c3962fcc60a22f197711e0

          SHA256

          a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

          SHA512

          b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MicrosoftAudioDriver.exe
          Filesize

          86KB

          MD5

          2473c3e8b3d22cbfaa9b5d8115f6166b

          SHA1

          71e87a094f3e4686839bcc073ae9b0ac7a371ebf

          SHA256

          3d812652bff62c3321446e5591acb27f2b40e4d42872c3629588bfc2ac31151b

          SHA512

          51ea5719bfac698f029cd02f74384ec2d88cd7bec858c4fcb5887cb31488f9aea387ee5d057dc6efb2940ef56bd0bc423d9771d6ddb7436644ada94a35f556d2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1owzl45h.t50.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/1180-65-0x0000000001530000-0x0000000001540000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1180-66-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1180-72-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1180-1-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1180-0-0x0000000000D40000-0x0000000000D5C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1644-63-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1644-50-0x0000010BC8470000-0x0000010BC8480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1644-49-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1644-51-0x0000010BC8470000-0x0000010BC8480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3600-34-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3600-36-0x000001EED2AB0000-0x000001EED2AC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3600-35-0x000001EED2AB0000-0x000001EED2AC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3600-48-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3768-30-0x000001BAF40B0000-0x000001BAF40C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3768-29-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3768-31-0x000001BAF40B0000-0x000001BAF40C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3768-33-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4584-69-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4584-71-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4884-17-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4884-7-0x00000251AD880000-0x00000251AD8A2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4884-4-0x00000251AD8B0000-0x00000251AD8C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4884-3-0x00000251AD8B0000-0x00000251AD8C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4884-2-0x00007FFABEF30000-0x00007FFABF9F1000-memory.dmp

          Filesize

          10.8MB

          Download