Analysis
max time kernel: 129s
max time network: 138s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27-04-2024 22:22
General
Target: XClient.exe
Size: 156KB
MD5: 206d8c4205aaefb291345d0acd0df1a5
SHA1: a02bad8f9287889809560b99fe46cdc4d73a9fc8
SHA256: 37be873cf24a676275343e5f34d7da005a811b8d35a7d6539c06c36d165cd08e
SHA512: a25072486d6f906d07c773847a8f1471f0f2a4aea79a8607ac86b2aa2baac7030c37406d688b42620d8c6d27d9622a2df2721f8764370e6ffcee2a583a0e974a
SSDEEP: 3072:N3l4FE9RkOq7RUGKXs+S++7KFSbxeY+qDDrMK:N30E9ZGqStKEbxI
Malware Config
Extracted
Family: xworm
Version: 3.1
C2: dffsdfsdfe434334.bounceme.net:4500
Mutex: IP78agCbZU6v7ZTL
Attributes
install_file: USB.exe
aes.plain
Signatures
Detect Xworm Payload (1 IoCs)
Processes:
resource: behavioral1/memory/3668-0-0x00000000008F0000-0x000000000091C000-memory.dmp
yara_rule: family_xworm
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description: Token: SeDebugPrivilege
pid: 3668
process: XClient.exe
Processes
Network
MITRE ATT&CK Matrix
Downloads
memory/3668-0-0x00000000008F0000-0x000000000091C000-memory.dmp (Filesize: 176KB)
memory/3668-1-0x00007FFE96330000-0x00007FFE96D1C000-memory.dmp (Filesize: 9.9MB)
memory/3668-2-0x000000001B470000-0x000000001B480000-memory.dmp (Filesize: 64KB)
memory/3668-3-0x00007FFE96330000-0x00007FFE96D1C000-memory.dmp (Filesize: 9.9MB)
memory/3668-4-0x000000001B470000-0x000000001B480000-memory.dmp (Filesize: 64KB)