Analysis

  • max time kernel
    139s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/04/2024, 17:07

General

  • Target

    XClient.exe

  • Size

    61KB

  • MD5

    d4da0ac951e8e5ecc9bdaa37f8ce6efa

  • SHA1

    e59a48c06345fa211119b73c64b5fdc55bd2c496

  • SHA256

    91b7dffa239d1f1698e6548c42e796e0d68feb2816e9c055e16bffafcb119e60

  • SHA512

    75a09d740ec684249f548c03cab1df8cf86c952fe7f886f0cb55528d3f4f611b707ebedb7c5e42d0e12e7c5fdfac5f2a39d04ae16fa5bbc9108c528e3b5aedb2

  • SSDEEP

    768:A3tiGXbtXn+VNACttF83+9ufsltGCPogkbNGi15tt8i5aRy7P7VaOah+b4ljgPp+:A93WJtsQuftCPbkbN9zz4U7wOawQw+

Score
10/10

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

45.67.35.71:7000

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:2732

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2732-0-0x0000000000E20000-0x0000000000E36000-memory.dmp
    Filesize
    88KB
  • memory/2732-1-0x00007FFE760C0000-0x00007FFE76B81000-memory.dmp
    Filesize
    10.8MB
  • memory/2732-2-0x00000000019D0000-0x00000000019E0000-memory.dmp
    Filesize
    64KB
  • memory/2732-3-0x00007FFE760C0000-0x00007FFE76B81000-memory.dmp
    Filesize
    10.8MB
  • memory/2732-4-0x00000000019D0000-0x00000000019E0000-memory.dmp
    Filesize
    64KB