Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
  • submitted
    15-04-2024 11:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    78KB

  • MD5

    08a0de0b53d4a1f754e89317e97cc876

  • SHA1

    79aa570739ea7ce828df347852fe7cd7947eab73

  • SHA256

    32f70eace4fb8d3d0711c104f7d9ed18a3e7b62c4eb44e6ee8fa2fef9101fb40

  • SHA512

    b7d828778f4def78b0f6b8ec7112c1e002656aafae3e355cb5498155a898a5361dcd75fc2673111ace6aae7edd309b6aa2daa1eb9d9503ddc693de4a21a22423

  • SSDEEP

    1536:EruZeKyBO87fRW6IxjbXtL6Kvvqsu6wGistrOO7XTZqAATQ:CuYHB5Wdhb9Lz3wOpqRQ

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

daily-lawn.gl.at.ply.gg:28256

Attributes
  • Install_directory

    %Public%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\XClient.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    7d222b8f41d228f5a269409eaa3dcadc

    SHA1

    d820d748609e1428ee081c2b97b1acd80833acd6

    SHA256

    a5d0abc2c880372ad26e0ea68a1840b5984620d5bb4a1010456ed71977c04429

    SHA512

    cdd62657588497fc8dee5a4c310e82b156a0efbbb27a131244889ce8172128d7a6a82d9ea3dbc6039e311818c50d6047ec0fae29fbf4335de903f6676150123d

    Download Submit
  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/764-49-0x000007FEED570000-0x000007FEEDF0D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/764-54-0x0000000002650000-0x00000000026D0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/764-53-0x0000000002650000-0x00000000026D0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/764-52-0x0000000002650000-0x00000000026D0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/764-51-0x000007FEED570000-0x000007FEEDF0D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/764-50-0x0000000002650000-0x00000000026D0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/764-55-0x000007FEED570000-0x000007FEEDF0D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/1192-39-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1192-0-0x00000000013E0000-0x00000000013FA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1192-2-0x000000001B250000-0x000000001B2D0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1192-1-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2428-43-0x000007FEEDF10000-0x000007FEEE8AD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2428-42-0x000000000289B000-0x0000000002902000-memory.dmp
    Filesize

    412KB

    Download
  • memory/2428-40-0x0000000002890000-0x0000000002910000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2428-41-0x0000000002890000-0x0000000002910000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2428-38-0x0000000002890000-0x0000000002910000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2428-37-0x000007FEEDF10000-0x000007FEEE8AD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2428-36-0x000007FEEDF10000-0x000007FEEE8AD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2540-13-0x00000000024B0000-0x0000000002530000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2540-15-0x000007FEEDF10000-0x000007FEEE8AD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2540-7-0x000007FEEDF10000-0x000007FEEE8AD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2540-9-0x000000001B2D0000-0x000000001B5B2000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2540-8-0x00000000024B0000-0x0000000002530000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2540-10-0x0000000002410000-0x0000000002418000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2540-11-0x000007FEEDF10000-0x000007FEEE8AD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2540-12-0x00000000024B0000-0x0000000002530000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2540-14-0x00000000024B0000-0x0000000002530000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2732-25-0x00000000029F0000-0x0000000002A70000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2732-21-0x000000001B410000-0x000000001B6F2000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2732-23-0x00000000022F0000-0x00000000022F8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2732-22-0x000007FEED570000-0x000007FEEDF0D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2732-24-0x00000000029F0000-0x0000000002A70000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2732-29-0x000007FEED570000-0x000007FEEDF0D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2732-26-0x00000000029F0000-0x0000000002A70000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2732-27-0x000007FEED570000-0x000007FEEDF0D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2732-28-0x00000000029F0000-0x0000000002A70000-memory.dmp
    Filesize

    512KB

    Download