Analysis
max time kernel: 298s
max time network: 297s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28/03/2024, 22:32
General
Target: NET.exe
Size: 73KB
MD5: 3720095282b6f508a178a2af3fca48bc
SHA1: 44d82c8f7fd6d78f1596f0cb3a3c016870488f82
SHA256: 941eae71fe72f8e0ffea737b2e7fd557064f9677d042e12e0f894e69c49c2c5a
SHA512: 41df99880f65d3458116adbe5b1bde6beadeae76ff46b69081b3940646e629a64da27780d02c0fa8e828f6ce06170399874802ee472b22d858bef372a1c0af87
SSDEEP: 1536:erACqe4rxKD6QDlgvp/6o9k+bKvUJ/JdVtOBLypOi2VI3i3:Y/axKDFDQSoy+bKoKBAOi2Vki3
Malware Config
Extracted
Family: xworm
C2: 172.23.112.1:7000:7000
Attributes
Install_directory: %AppData%
install_file: XClient.exe
Signatures
Detect Xworm Payload (1 IoCs)
resource: behavioral1/memory/4432-0-0x0000000000E20000-0x0000000000E38000-memory.dmp | yara_rule: family_xworm
Drops startup file (2 IoCs)
description: File created | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | Process: NET.exe
description: File opened for modification | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | Process: NET.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Runs net.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid: 4432 | Process: NET.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description: Token: SeDebugPrivilege | pid: 4432 | Process: NET.exe
description: Token: SeDebugPrivilege | pid: 4432 | Process: NET.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid: 4432 | Process: NET.exe