Analysis Overview
SHA256: dd68bd8d2da4ba41c11af01920eb6a89a5b7d96bfcf326ca0be04e886eebcaef
Threat Level: Known bad
The file XClient.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Detect Xworm Payload
Xworm
Loads dropped DLL
Drops startup file
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Modifies registry class
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-03-28 23:01
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-28 23:01
Reported: 2024-03-28 23:07
Platform: win10-20240221-en
Max time kernel: 299s
Max time network: 300s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\tmp3F67.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\datareporting\glean\pending_pings\bd994c55-69f7-4985-97e0-29cd6ec1043f
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\datareporting\glean\pending_pings\f4f32069-f969-4f10-b563-3da828cc8a02
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\datareporting\glean\db\data.safe.bin
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wsv9rfx0.default-release\sessionstore-backups\recovery.jsonlz4