Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/04/2024, 22:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    33KB

  • MD5

    6a0dd7035dd8b214bc0e89abac86965b

  • SHA1

    bc37b9bd002d6e10e7922992d6c5cdd636f9820e

  • SHA256

    10893249600c494365edddc0bcca1b6bf5012f777cb375cd529972a0f94e9fa7

  • SHA512

    713a8515ed9f1ab509317593ac7b0b793af62b78a8d744bc532332d07f735b017e260872a1d0b77af14a1f753bd15c121d52a6a09f293f0e322f6313aec28216

  • SSDEEP

    768:3dKk9oVQUzoxVJt76NHRVFr9jcaIOjhBbS:NKD/y97QHDFr9jOOjve

Score
10/10
xwormransomwarerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638
Mutex

LbSpssCFgm7ibxmv

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:452 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2044

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          994e7827a974eca39d61d15a3b5e3035

          SHA1

          d97b3f489d7057c643d0276e25cb1bdf59ebb86f

          SHA256

          32bdcd82d4aef32f55a402a50c7c6f0f0a4a7037dae21d8f15a2c9ab9aa6236f

          SHA512

          0be99d3f3c7f3e1d616f83402945a3eec0e77183cd0ab1446e9141225bd626f20fe440779bc753d4c161192d9d6cb1f2fd7cca83ef7fda97262c2b97dde5002c

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          e4823e73fd33fa70876243b1ff911828

          SHA1

          896fea67c3103eacab8215419be3f89d9ff5d547

          SHA256

          155a4d70509d6e7c2a18711c09903e2019c426dd307739574a4efe25571eb946

          SHA512

          94e169edfb9169345e1afac78cda78c7ad66c29fe2d11f542e39be82b79ea8bee8d2fff9aa5cd73707324688b4d7bb6f2f411019bceff8057a71956582904a18

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          aea5225930e58fd358ecedc9ca16d7ca

          SHA1

          6f2ed8dfe3f85d086b1d3b5b7d2ca2a7881cfaf6

          SHA256

          40d6d4d4fc31345fe25e0d9f2aa56bef88a55a8a847b3ae304a21146a9c2d3bf

          SHA512

          0ec79914bfe7e878e9580e5f3d004bcbbd6abfc12c31f298a39341515da4a8839f264c4ff2e1ab4abb53568f159ffae1fe949dd5880b04540b9ef50128613e9e

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          c3c51741ceca3137a55c442d9cbb73e5

          SHA1

          504dc36bdbbb7a0b6bb2cfcfd3e21e94403eb796

          SHA256

          da6cda60e64fe8d7938f01a4c6840ec9756d434ae15e25b06a42174357a6f5ff

          SHA512

          844615aaa66ad14306ecf1504779bea1bd50efc91f77200bdcd63796845a9981f9333ce2e1c0f79f5c231a4b71e6cd5524f5a3e490478bb02ea0ab2dacb0c239

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          1899e077a7193103ceddecd48e75abe4

          SHA1

          fca360cb6a46b2bf2b580691b720f490d9193720

          SHA256

          f3ab89f5ecfeaf10f92fad7f36066a29ecf84b02a7f1fa08ec2c1b83dc7bb028

          SHA512

          d421eeb012bb181e8df1eede27caca9560119f6755433e9c0ec44b0338ac40a8ecb5267682f57202affad98d05738b50afdd5719a6b58c72ef0b63920b21726a

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          f029061672b919be316be659d95f2d07

          SHA1

          fc75e7bd48cdfabfe5b8af0fddf578d0580bbc04

          SHA256

          e74f1b66c7096a470b06f540014a70d2d67bbc3b1555c3e6fed19e204a60920c

          SHA512

          7e91da148872d39d4bda2add24e802db5b6ea23ed46aec5967022c03b7913e36ae49003c27f7c4e4c7f8ba617a6b25559b745d2086068af4a50530abddc434ed

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          7839598a344ac99e544fd8ddcd09ba27

          SHA1

          ad266a7884cf0ee476b05ff99b8e7c671a2a722b

          SHA256

          bb022c714afff2c87aa7c04ec208d889556cb5142e90b8db9f81962e3ea05e02

          SHA512

          4d09b21319f67079ae1f505c78c9e11178b82a26d5c5d57fc45120d30008169bb47795351f24ac605ec0f1147c6cdfcd47e9aa05a021b8527e848f32ef4b3070

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          e2035f87db6e12d7d1e7d1b4ca25ea4b

          SHA1

          2e53dcd05d1f9a2b1ac9531a1c5efa22f7a79fad

          SHA256

          4ade35f202bcd7571d9b13cb65ef2c634c56e3404c5e1fb8e87e666a01e6d270

          SHA512

          2b9363cca2247507ebb76a861c7ec2a7d7a53d74e78f5b4eab63fb1db53919702cd6a5dff2ee8ac2ef037bfa5b075e663b3249ff087c8bb9218878aec4e4002f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CabA768.tmp
          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\TarA85A.tmp
          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

          Download Submit

        • C:\Users\Admin\Desktop\How To Decrypt My Files.html
          Filesize

          633B

          MD5

          eefbd5b610a3d9b60fceb6195982e523

          SHA1

          3089afe1027e03e1e114af21d1e1ed3a4394630d

          SHA256

          2b83723e038cbaee0a9db8e68b460c30435ede36ca5114272a8bd779aa3e6a78

          SHA512

          0d4d973ff20d852bb73fee3e31df69166be555490d520f9384ea1bb6af36758575f5f5536a8626e84d1cc785f83003601d2976901c819e9afaf44abb4d4296e7

          Download Submit

        • C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC
          Filesize

          16B

          MD5

          3da7dfbd6c9e11b4d8dd5adb76c9a987

          SHA1

          cdd4cf0d8e5d5656d1e47308835268c1c27f5567

          SHA256

          4c00b7f2eac4df1134d965618429bf66e981bca09974e14e6447bdc269f51f40

          SHA512

          107e23de41fd6863fc639cdd2157c9b7df51f2daa38bfb9e28c45e00366b1904121192b1a5f0a73eaed1941fc5c96beb5b81d9c94af71f3983933e6f89928d31

          Download Submit

        • memory/2784-0-0x0000000000E40000-0x0000000000E4E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2784-5-0x0000000000540000-0x000000000054C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2784-4-0x000000001AEB0000-0x000000001AF30000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2784-3-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2784-2-0x000000001AEB0000-0x000000001AF30000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2784-1-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

          Filesize

          9.9MB

          Download