Analysis
- max time kernel: 200s
- max time network: 208s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 28/03/2024, 23:07
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win10v2004-20240226-en
Errors
General
- Target: XClient.exe
- Size: 68KB
- MD5: dea0e75dc3142c29ace4526228f8e47c
- SHA1: 304b5fe2863e63c231bd7d0d833334a030cf65e2
- SHA256: dd68bd8d2da4ba41c11af01920eb6a89a5b7d96bfcf326ca0be04e886eebcaef
- SHA512: 28001cf9650bf0df86033c84d85d890f37c351819da949debba9bef1433c81d99f39a091eb378548939514cdf5decdb042bd0a3fe427d5a80f2689c80b274787
- SSDEEP: 1536:URkFtXMDh+0BT51gYgd3Gu+bXnVtBMN28qhH1KOgnHGBQi1:UmUM0fundWu+bXnntVKOAGqi1
Malware Config
Extracted
- Family: xworm
- C2: 86.173.127.81:7000
- Install_directory: %AppData%
- install_file: XClient.exe
Signatures

Detect Xworm Payload 1 IoCs
  resource | yara_rule
  behavioral1/memory/1676-0-0x0000000000620000-0x0000000000638000-memory.dmp | family_xworm
Drops startup file 2 IoCs
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
Drops desktop.ini file(s) 17 IoCs
  description | ioc | Process
  File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Favorites\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | XClient.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Searches\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Videos\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Documents\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Contacts\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Downloads\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Links\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Music\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | XClient.exe
  File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | XClient.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" | XClient.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies data under HKEY_USERS 15 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "109" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
  pid | Process
  1676 | XClient.exe
  572 | msedge.exe
  572 | msedge.exe
  4172 | msedge.exe
  4172 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  pid | Process
  4172 | msedge.exe
  4172 | msedge.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 1676 | XClient.exe
  Token: SeDebugPrivilege | 1676 | XClient.exe
  Token: SeManageVolumePrivilege | 4540 | svchost.exe
  Token: SeShutdownPrivilege | 2368 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 2368 | shutdown.exe
Suspicious use of FindShellTrayWindow 33 IoCs
  pid | Process
  4172 | msedge.exe (all 33 entries are this same pid and process)
Suspicious use of SendNotifyMessage 32 IoCs
  pid | Process
  4172 | msedge.exe (all 32 entries are this same pid and process)
Suspicious use of SetWindowsHookEx 2 IoCs
  pid | Process
  1676 | XClient.exe
  456 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1676 wrote to memory of 4172 1676 XClient.exe 98 PID 1676 wrote to memory of 4172 1676 XClient.exe 98 PID 4172 wrote to memory of 2996 4172 msedge.exe 99 PID 4172 wrote to memory of 2996 4172 msedge.exe 99 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 
PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 4684 4172 msedge.exe 100 PID 4172 wrote to memory of 572 4172 msedge.exe 101 PID 4172 wrote to memory of 572 4172 msedge.exe 101 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102 PID 4172 wrote to memory of 2780 4172 msedge.exe 102
Processes

- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 1676
  Signatures:
    - Drops startup file
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
      PID: 4172
      Signatures:
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      Child processes:
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfd7c46f8,0x7ffcfd7c4708,0x7ffcfd7c4718
          PID: 2996
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,17742771224129272755,1163879962782628284,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
          PID: 4684
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,17742771224129272755,1163879962782628284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
          PID: 572
          Signatures:
            - Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,17742771224129272755,1163879962782628284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
          PID: 2780
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17742771224129272755,1163879962782628284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
          PID: 2160
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17742771224129272755,1163879962782628284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
          PID: 3468
    - C:\Windows\SYSTEM32\shutdown.exe
      Command line: shutdown.exe /f /r /t 0
      PID: 2368
      Signatures:
        - Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3300

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3540

- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID: 4540
  Signatures:
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3999055 /state1:0x41c64e6d
  PID: 456
  Signatures:
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
- Filesize: 16B
- MD5: ea4118fd2d78736c35363890f44e07cf
- SHA1: 90da966a6c60e5dc2b661d5fc3c66db73a51e352
- SHA256: 489acd011c5f277a48ff62588b59479a10d6a6cd37472583bd3c6eb0d97a3dac
- SHA512: 25b2adec7b3b116c27f148f29f2e861a65ffcdf93dac189a314b9740edfcd2af7d421fbc2795b07db133b2a6971c865f9646c424481f40d6d9d82900a8e5bc33