Overview

overview

10

Static

static

10

XClient.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240214-en
  • resource tags

    arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    27-03-2024 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    172KB

  • MD5

    e2b11b7d99f97bc6eab303a220d23a7f

  • SHA1

    f9c57bcb12309522470ecb4b99e6a082d0093a07

  • SHA256

    751fdf0d29d347f8454a19ae33f50c5904c6a4033cb2be0fd1772b55a0860655

  • SHA512

    449ad8b26c1194d701c01b48307d43eb89fdd7e8f42cf634325d637e0bd456ab1ff325aefdc9b60f17fdbe45541f562990d2251e6b119cf74ebad7864b01f957

  • SSDEEP

    3072:JDgJrpZbm078BeyAOwK8MzFfe295liNgTddwY0JwsR4TbswYqkX5bEdGDOjESHhy:CBbF79yyoH95D

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:5050

character-acquisitions.gl.at.ply.gg:5050
Attributes
  • Install_directory

    %Public%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2260
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\System32'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:952
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System32" /tr "C:\Users\Public\System32"
      2⤵
      • Creates scheduled task(s)
      PID:1004
  • C:\Users\Public\System32
    C:\Users\Public\System32
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2460
  • C:\Users\Public\System32
    C:\Users\Public\System32
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System32.log
    Filesize

    654B

    MD5

    2cbbb74b7da1f720b48ed31085cbd5b8

    SHA1

    79caa9a3ea8abe1b9c4326c3633da64a5f724964

    SHA256

    e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

    SHA512

    ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    e3840d9bcedfe7017e49ee5d05bd1c46

    SHA1

    272620fb2605bd196df471d62db4b2d280a363c6

    SHA256

    3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

    SHA512

    76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    051a74485331f9d9f5014e58ec71566c

    SHA1

    4ed0256a84f2e95609a0b4d5c249bca624db8fe4

    SHA256

    3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

    SHA512

    1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    aa6b748cd8f3e3c0e41549529b919e21

    SHA1

    5a4b9721f9fb5042f6ef7afd698d5ac5216a88bb

    SHA256

    d7d665a42f940443efb28eb231dfe1c4062394e71fba145d6eea9ec075b0f0e8

    SHA512

    361c523f49428a7e430279099e669a1a8af8764653f42e83105c0da3f8e8dd3be6c1719ea8c158d8f2e8425d74457147a4683190eb4a67019b9d02be44c13534

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxcp1e2v.4pq.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Public\System32
    Filesize

    4KB

    MD5

    8a9621a0646e17fd0265be86bc4d2112

    SHA1

    923f815138689c9885ea729cb650a56e7a12284d

    SHA256

    357924e473e4a895f643b3434a6b1bc4fd6f3c70aba58c008dc8d96d768aff75

    SHA512

    6302bd24c90c2e7927f5fe0329220edb168c0205f33725f453501225ad1d87d37413aa4ff2379421df4f37db4364419d66fad5dab58933c8ff0a828f7ddbf8f4

    Download Submit

  • C:\Users\Public\System32
    Filesize

    172KB

    MD5

    e2b11b7d99f97bc6eab303a220d23a7f

    SHA1

    f9c57bcb12309522470ecb4b99e6a082d0093a07

    SHA256

    751fdf0d29d347f8454a19ae33f50c5904c6a4033cb2be0fd1772b55a0860655

    SHA512

    449ad8b26c1194d701c01b48307d43eb89fdd7e8f42cf634325d637e0bd456ab1ff325aefdc9b60f17fdbe45541f562990d2251e6b119cf74ebad7864b01f957

    Download Submit

  • C:\Users\Public\System32
    Filesize

    37KB

    MD5

    4dd5ef750ff5dc0e7f5e513614dce54a

    SHA1

    1a5b8503e919aa5daf1ffc05961f6ded80981a74

    SHA256

    f2198e50f3e5e03cec21c9bd33c2b9bf4a80c161ab67c2e666e91e9712d74b1a

    SHA512

    9842fc6763f0306a11adac8b6727e79940d3f1dc7073baa1613f05615fe10ebd70fa16d0cb5da0af6c2b34be74b804ac6b9bfc4bff3b51efd1d7419c29cd280d

    Download Submit

  • memory/952-65-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/952-62-0x0000026E4B0E0000-0x0000026E4B0F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/952-61-0x0000026E4B0E0000-0x0000026E4B0F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/952-56-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/952-63-0x0000026E4B0E0000-0x0000026E4B0F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1620-44-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1620-45-0x0000029E12470000-0x0000029E12480000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1620-50-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1620-46-0x0000029E12470000-0x0000029E12480000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2260-12-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2260-8-0x000002BEAE160000-0x000002BEAE182000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2260-14-0x000002BEAE1A0000-0x000002BEAE1B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2260-13-0x000002BEAE1A0000-0x000002BEAE1B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2260-15-0x000002BEAE1A0000-0x000002BEAE1B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2260-18-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2312-0-0x0000000000380000-0x00000000003B0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2312-1-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2312-2-0x000000001B110000-0x000000001B120000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2312-48-0x000000001B110000-0x000000001B120000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2312-40-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2460-74-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2460-72-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3436-22-0x000002866AEB0000-0x000002866AEC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3436-32-0x000002866AEB0000-0x000002866AEC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3436-21-0x000002866AEB0000-0x000002866AEC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3436-34-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3436-20-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3656-77-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3656-78-0x00007FFA96D90000-0x00007FFA97852000-memory.dmp

    Filesize

    10.8MB

    Download