Analysis
-
max time kernel
299s -
max time network
300s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system -
submitted
28/03/2024, 23:01
General
-
Target
XClient.exe
-
Size
68KB
-
MD5
dea0e75dc3142c29ace4526228f8e47c
-
SHA1
304b5fe2863e63c231bd7d0d833334a030cf65e2
-
SHA256
dd68bd8d2da4ba41c11af01920eb6a89a5b7d96bfcf326ca0be04e886eebcaef
-
SHA512
28001cf9650bf0df86033c84d85d890f37c351819da949debba9bef1433c81d99f39a091eb378548939514cdf5decdb042bd0a3fe427d5a80f2689c80b274787
-
SSDEEP
1536:URkFtXMDh+0BT51gYgd3Gu+bXnVtBMN28qhH1KOgnHGBQi1:UmUM0fundWu+bXnntVKOAGqi1
Malware Config
Extracted
xworm
86.173.127.81:7000
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource: behavioral1/memory/4092-0-0x0000000000BF0000-0x0000000000C08000-memory.dmp
yara_rule: family_xworm
-
Drops startup file 2 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (XClient.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (XClient.exe)
-
Loads dropped DLL 1 IoCs
PID 4092 XClient.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments. Every read listed here is performed by firefox.exe (PID 5108 in the process tree), not by XClient.exe, so this signature on its own does not show the sample fingerprinting the sandbox.
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
-
Modifies registry class 1 IoCs
Key created: \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings (firefox.exe)
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
PID 4092 XClient.exe (19 entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Token: SeDebugPrivilege, PID 4092 XClient.exe (2 entries)
Token: SeDebugPrivilege, PID 5108 firefox.exe (2 entries)
-
Suspicious use of FindShellTrayWindow 4 IoCs
PID 5108 firefox.exe (4 entries)
-
Suspicious use of SendNotifyMessage 3 IoCs
PID 5108 firefox.exe (3 entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
PID 4092 XClient.exe
PID 5108 firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
All 64 entries are firefox.exe writing into the memory of the Firefox child processes it spawns; none involves XClient.exe, so this signature reflects the sandbox's own browser, not the sample.
PID 3044 firefox.exe wrote to memory of PID 5108 firefox.exe (procid_target 77): 11 entries
PID 5108 firefox.exe wrote to memory of PID 4296 firefox.exe (procid_target 78): 2 entries
PID 5108 firefox.exe wrote to memory of PID 2020 firefox.exe (procid_target 79): 48 entries
PID 5108 firefox.exe wrote to memory of PID 440 firefox.exe (procid_target 80): 3 entries
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
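The configuration and signatures above give a small, concrete indicator set: the C2 endpoint 86.173.127.81:7000, the sample's SHA256, the %AppData%\XClient.exe install location and the XClient.lnk dropped into the per-user Startup folder. The following script is an added example, not part of the sandbox report or of the XWorm tooling: it runs those indicators over Sysmon-style events exported as JSON lines (Event ID 1 process create, 3 network connection, 11 file create). The field names follow Sysmon's, but the events themselves are constructed for illustration, and 203.0.113.10 is a documentation address. Scheduled-task creation is not covered because the report records no task name.

```python
"""Hunt for the XWorm indicators from this report in Sysmon-style events.

Added example, not part of the sandbox report. The events below are
constructed to look like Sysmon Event ID 1 (process create), 3 (network
connection) and 11 (file create) records exported as JSON lines; they are
invented for illustration, not captured from the analysed run.
"""
import json
import re
from pathlib import PureWindowsPath

# Indicators taken from the report: C2, sample hash, install/persistence names.
C2_ENDPOINT = ("86.173.127.81", 7000)
SAMPLE_SHA256 = "dd68bd8d2da4ba41c11af01920eb6a89a5b7d96bfcf326ca0be04e886eebcaef"
INSTALL_FILE = "XClient.exe"
STARTUP_LNK = "XClient.lnk"

# Per-user Startup folder (persistence) and user-writable launch locations.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)


def parse_sysmon_hashes(field: str) -> dict:
    """Sysmon's Hashes field is 'MD5=..,SHA256=..'; return it as a dict."""
    out = {}
    for kv in field.split(","):
        if "=" in kv:
            algo, value = kv.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def classify(event: dict) -> list:
    """Return the names of the report indicators a single event matches."""
    hits = []
    eid = event.get("EventID")
    image = event.get("Image", "")
    if eid == 1:
        # Install name launched from Temp/Roaming (the report's drop locations).
        if (PureWindowsPath(image).name.lower() == INSTALL_FILE.lower()
                and USER_WRITABLE_RE.match(image)):
            hits.append("install_file_in_user_dir")
        if parse_sysmon_hashes(event.get("Hashes", "")).get("SHA256") == SAMPLE_SHA256:
            hits.append("known_sample_sha256")
    elif eid == 3:
        dest = (event.get("DestinationIp"), int(event.get("DestinationPort", 0)))
        if dest == C2_ENDPOINT:
            hits.append("xworm_c2_endpoint")
    elif eid == 11:
        target = event.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target) and USER_WRITABLE_RE.match(image):
            # A binary running from Temp/Roaming writing into Startup is the
            # "Drops startup file" behaviour regardless of the shortcut's name.
            hits.append("startup_entry_from_user_dir")
            if PureWindowsPath(target).name.lower() == STARTUP_LNK.lower():
                hits.append("xworm_startup_lnk_name")
    return hits


def hunt(jsonl: str) -> list:
    """Scan JSON-lines events; return (EventID, ProcessId, hits) per flagged event."""
    flagged = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = classify(event)
        if hits:
            flagged.append((event["EventID"], event.get("ProcessId"), hits))
    return flagged


# Constructed sample events (not taken from the report's own telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4092,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\XClient.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=dea0e75dc3142c29ace4526228f8e47c,SHA256=" + SAMPLE_SHA256},
    {"EventID": 11, "ProcessId": 4092,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\XClient.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk"},
    {"EventID": 3, "ProcessId": 4092,
     "Image": r"C:\Users\Admin\AppData\Roaming\XClient.exe",
     "DestinationIp": "86.173.127.81", "DestinationPort": 7000},
    # Benign controls: Explorer pinning a shortcut, Firefox talking HTTPS.
    {"EventID": 11, "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    {"EventID": 3, "ProcessId": 5108,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for eid, pid, hits in hunt(SAMPLE_LOG):
        print(f"EventID {eid} PID {pid}: {', '.join(hits)}")
```

The Startup-folder rule deliberately keys on the writing process living in Temp or Roaming rather than on the XClient.lnk name alone, since the name is a per-build configuration value (install_file above) and changes between XWorm samples while the persistence mechanism does not.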
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 4092)
  command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
depth 1: C:\Program Files\Mozilla Firefox\firefox.exe (PID 3044); a separate root process at the same depth as XClient.exe, not spawned by it
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Program Files\Mozilla Firefox\firefox.exe (PID 5108)
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 4296, gpu process)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.0.825497065\567223734" -parentBuildID 20221007134813 -prefsHandle 1692 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c169aecf-70d4-44b3-aa87-5bca01351821} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 1784 22a6d2fba58 gpu
    depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 2020, socket process)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.1.408691808\1100689251" -parentBuildID 20221007134813 -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd674b6d-24b1-4b0b-8fd8-5b62f261c4bf} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 2152 22a6d1fc558 socket
    depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 440, tab process, childID 1)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.2.1973475754\1018201299" -childID 1 -isForBrowser -prefsHandle 2700 -prefMapHandle 2884 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11fda7a5-2f03-4de0-8c88-6c461824d560} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 2896 22a6d258458 tab
    depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 4392, tab process, childID 2)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.3.27740560\1034116138" -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3416 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {031c10ef-49cc-4abf-a425-df02941bcc54} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 3464 22a6ff86c58 tab
    depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 3692, tab process, childID 3)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.4.709958770\34862757" -childID 3 -isForBrowser -prefsHandle 4276 -prefMapHandle 3936 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c069c33f-4d1f-4a8d-9710-c2b27faa07b6} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 4288 22a72f77558 tab
    depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 308, tab process, childID 4)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.5.1818679951\192001528" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 4776 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99a20f2a-2dec-4992-976a-d86e01c0b9e2} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 4808 22a6fa24e58 tab
    depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 1832, tab process, childID 5)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.6.1549661796\871174213" -childID 5 -isForBrowser -prefsHandle 4948 -prefMapHandle 4952 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efec2836-d341-44b2-8af9-bc632b0ae05e} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 4940 22a734fb958 tab
    depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 4680, tab process, childID 6)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.7.1578179319\518753067" -childID 6 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {138ecf81-bf08-47f2-b4c0-e7fd2c063cfd} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 5136 22a734fcb58 tab
    depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 1720, tab process, childID 7)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.8.641364706\1187112944" -childID 7 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ead53bf-ec77-4fb5-9267-ed5c291a4ba1} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 5612 22a732fde58 tab
-
Network
MITRE ATT&CK Enterprise v15
Downloads
The entries below that carry a path are all Firefox profile artifacts (datareporting pings, session-store backups) written during the sandbox's browser session rather than files dropped by the sample; two entries have no recorded path.
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\datareporting\glean\db\data.safe.bin
Filesize: 2KB
MD5: 379f4e6ada1326aff27e160a7a70015f
SHA1: 0d6968a3f6c144f381bac85e0e94935cebb175e9
SHA256: fbbc40114fdcf45f1dde61cc063a0322217f127bb2af24f34caedf7290409ea3
SHA512: a0f3c31641230d617a8903d574fd1ec4901a97401ff9b2df26cc586481b7a3684ec83f116ae1fc8def6c7215c62caac040aa41028d5b9c02a0eb361e274ddd4c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\datareporting\glean\pending_pings\bd994c55-69f7-4985-97e0-29cd6ec1043f
Filesize: 746B
MD5: 85081423d4ff8f6157aa502f29d78a54
SHA1: 1855f1dd4cb9d9b6faf67f8a8f0f3905165b049c
SHA256: 0cf747cdbe26eac44704bcc735e966595cc76d5dd59c30b94bfe210293941ebd
SHA512: 247c29e0d17aa65c46e2cadcc943fcf62806b6b713592dee255e14e2c72d21872ea97117e6db397e4b0dc80b42732e0c23a855ce0112d131c7d095dcd40983dc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\datareporting\glean\pending_pings\f4f32069-f969-4f10-b563-3da828cc8a02
Filesize: 10KB
MD5: 7f4771d0df232ff49fa4d4a383d3c95c
SHA1: d7bf3436a45f69bb4588f526b949894e1d85fc74
SHA256: 4951e353f603c2420cb8ff6903d6b353148d278f579c4b5a39b31f8241f9639e
SHA512: bc3f1134448220942b4f09bc152e24633e4f45a406f108abb79d6884155adb3be4e3e8d9df51ee090f301a8dc1bce64e3aa92511600065761904da90b0882789
-
Filesize: 6KB
MD5: f8e72828672b88991ca8969984730a3f
SHA1: 7905a77e1c1cd73ca651cbb38570b875b91baae4
SHA256: 3c15f05bdeb24d463fb454e5ccd3aec1fe4fa1db51f21f8ca72fcd96319da1f2
SHA512: 90ccfb8ca836933e2688100767777f02cba825a80a19c875f6dcbe118a39a819ea850497a4c0a593a72925890f12b480435d2c40308a751b8afeb3999fe868cd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 3KB
MD5: d4d9b1c83604b1ef21d8aa77586f8c48
SHA1: f3d9db6897b2579eb2bd1741c9f21613a366bd08
SHA256: 764c9c3f45e965217bc45fba8d6b8b3be404af2f0fd9dac43b0ade04695c6caf
SHA512: 150de7e316412c78cd58e0f5572512ee205a2986f19c9712237634665af9062ec9134d1f063ba022801aca1e47e358278a04530bbf8cba84d162314f21f4eb48
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: 032040af155932773b58f11e76443168
SHA1: a99b9c709b403f0650aae1374850f70dafa33411
SHA256: b3e3c4b8027735e8e5995e9a2f3c1b69a8d4a6516fbdd8fd19b55206fa589932
SHA512: 4ea249a2d4a0e7267bd0ecd6744dc5e226f3a3f9d32b5e1efbe954fbe920633749d039cd2433b0d3bd790850252db011b2734671d38f5618ac386e77d1ded392
-
Filesize: 100KB
MD5: 1b942faa8e8b1008a8c3c1004ba57349
SHA1: cd99977f6c1819b12b33240b784ca816dfe2cb91
SHA256: 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
SHA512: 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43