Analysis

  • max time kernel
    299s
  • max time network
    300s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    28/03/2024, 23:01

General

  • Target

    XClient.exe

  • Size

    68KB

  • MD5

    dea0e75dc3142c29ace4526228f8e47c

  • SHA1

    304b5fe2863e63c231bd7d0d833334a030cf65e2

  • SHA256

    dd68bd8d2da4ba41c11af01920eb6a89a5b7d96bfcf326ca0be04e886eebcaef

  • SHA512

    28001cf9650bf0df86033c84d85d890f37c351819da949debba9bef1433c81d99f39a091eb378548939514cdf5decdb042bd0a3fe427d5a80f2689c80b274787

  • SSDEEP

    1536:URkFtXMDh+0BT51gYgd3Gu+bXnVtBMN28qhH1KOgnHGBQi1:UmUM0fundWu+bXnntVKOAGqi1

Score
10/10

Malware Config

Extracted

Family

xworm

C2

86.173.127.81:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4092
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.0.825497065\567223734" -parentBuildID 20221007134813 -prefsHandle 1692 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c169aecf-70d4-44b3-aa87-5bca01351821} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 1784 22a6d2fba58 gpu
        3⤵
        PID:4296
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.1.408691808\1100689251" -parentBuildID 20221007134813 -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd674b6d-24b1-4b0b-8fd8-5b62f261c4bf} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 2152 22a6d1fc558 socket
        3⤵
        PID:2020
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.2.1973475754\1018201299" -childID 1 -isForBrowser -prefsHandle 2700 -prefMapHandle 2884 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11fda7a5-2f03-4de0-8c88-6c461824d560} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 2896 22a6d258458 tab
        3⤵
        PID:440
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.3.27740560\1034116138" -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3416 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {031c10ef-49cc-4abf-a425-df02941bcc54} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 3464 22a6ff86c58 tab
        3⤵
        PID:4392
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.4.709958770\34862757" -childID 3 -isForBrowser -prefsHandle 4276 -prefMapHandle 3936 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c069c33f-4d1f-4a8d-9710-c2b27faa07b6} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 4288 22a72f77558 tab
        3⤵
        PID:3692
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.5.1818679951\192001528" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 4776 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99a20f2a-2dec-4992-976a-d86e01c0b9e2} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 4808 22a6fa24e58 tab
        3⤵
        PID:308
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.6.1549661796\871174213" -childID 5 -isForBrowser -prefsHandle 4948 -prefMapHandle 4952 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efec2836-d341-44b2-8af9-bc632b0ae05e} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 4940 22a734fb958 tab
        3⤵
        PID:1832
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.7.1578179319\518753067" -childID 6 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {138ecf81-bf08-47f2-b4c0-e7fd2c063cfd} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 5136 22a734fcb58 tab
        3⤵
        PID:4680
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.8.641364706\1187112944" -childID 7 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ead53bf-ec77-4fb5-9267-ed5c291a4ba1} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 5612 22a732fde58 tab
        3⤵
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 379f4e6ada1326aff27e160a7a70015f
    SHA1: 0d6968a3f6c144f381bac85e0e94935cebb175e9
    SHA256: fbbc40114fdcf45f1dde61cc063a0322217f127bb2af24f34caedf7290409ea3
    SHA512: a0f3c31641230d617a8903d574fd1ec4901a97401ff9b2df26cc586481b7a3684ec83f116ae1fc8def6c7215c62caac040aa41028d5b9c02a0eb361e274ddd4c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\datareporting\glean\pending_pings\bd994c55-69f7-4985-97e0-29cd6ec1043f
    Filesize: 746B
    MD5: 85081423d4ff8f6157aa502f29d78a54
    SHA1: 1855f1dd4cb9d9b6faf67f8a8f0f3905165b049c
    SHA256: 0cf747cdbe26eac44704bcc735e966595cc76d5dd59c30b94bfe210293941ebd
    SHA512: 247c29e0d17aa65c46e2cadcc943fcf62806b6b713592dee255e14e2c72d21872ea97117e6db397e4b0dc80b42732e0c23a855ce0112d131c7d095dcd40983dc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\datareporting\glean\pending_pings\f4f32069-f969-4f10-b563-3da828cc8a02
    Filesize: 10KB
    MD5: 7f4771d0df232ff49fa4d4a383d3c95c
    SHA1: d7bf3436a45f69bb4588f526b949894e1d85fc74
    SHA256: 4951e353f603c2420cb8ff6903d6b353148d278f579c4b5a39b31f8241f9639e
    SHA512: bc3f1134448220942b4f09bc152e24633e4f45a406f108abb79d6884155adb3be4e3e8d9df51ee090f301a8dc1bce64e3aa92511600065761904da90b0882789

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\prefs-1.js
    Filesize: 6KB
    MD5: f8e72828672b88991ca8969984730a3f
    SHA1: 7905a77e1c1cd73ca651cbb38570b875b91baae4
    SHA256: 3c15f05bdeb24d463fb454e5ccd3aec1fe4fa1db51f21f8ca72fcd96319da1f2
    SHA512: 90ccfb8ca836933e2688100767777f02cba825a80a19c875f6dcbe118a39a819ea850497a4c0a593a72925890f12b480435d2c40308a751b8afeb3999fe868cd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 3KB
    MD5: d4d9b1c83604b1ef21d8aa77586f8c48
    SHA1: f3d9db6897b2579eb2bd1741c9f21613a366bd08
    SHA256: 764c9c3f45e965217bc45fba8d6b8b3be404af2f0fd9dac43b0ade04695c6caf
    SHA512: 150de7e316412c78cd58e0f5572512ee205a2986f19c9712237634665af9062ec9134d1f063ba022801aca1e47e358278a04530bbf8cba84d162314f21f4eb48

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 4KB
    MD5: 032040af155932773b58f11e76443168
    SHA1: a99b9c709b403f0650aae1374850f70dafa33411
    SHA256: b3e3c4b8027735e8e5995e9a2f3c1b69a8d4a6516fbdd8fd19b55206fa589932
    SHA512: 4ea249a2d4a0e7267bd0ecd6744dc5e226f3a3f9d32b5e1efbe954fbe920633749d039cd2433b0d3bd790850252db011b2734671d38f5618ac386e77d1ded392

  • \Users\Admin\AppData\Local\Temp\tmp3F67.tmp
    Filesize: 100KB
    MD5: 1b942faa8e8b1008a8c3c1004ba57349
    SHA1: cd99977f6c1819b12b33240b784ca816dfe2cb91
    SHA256: 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
    SHA512: 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

  • memory/4092-7-0x00007FFAAAF90000-0x00007FFAAB97C000-memory.dmp
    Filesize: 9.9MB

  • memory/4092-11-0x00000000012C0000-0x00000000012FA000-memory.dmp
    Filesize: 232KB

  • memory/4092-10-0x0000000001260000-0x000000000126C000-memory.dmp
    Filesize: 48KB

  • memory/4092-8-0x000000001BAC0000-0x000000001BAD0000-memory.dmp
    Filesize: 64KB

  • memory/4092-0-0x0000000000BF0000-0x0000000000C08000-memory.dmp
    Filesize: 96KB

  • memory/4092-6-0x000000001BAC0000-0x000000001BAD0000-memory.dmp
    Filesize: 64KB

  • memory/4092-1-0x00007FFAAAF90000-0x00007FFAAB97C000-memory.dmp
    Filesize: 9.9MB