Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
28-04-2024 09:11
General
-
Target
XClient.exe
-
Size
241KB
-
MD5
0d1bb5abb00b755f23abc9dd94ac48e5
-
SHA1
af98320e41cbaa605ac9eb4e6880e548e9ff4fa5
-
SHA256
763f829f6c81514765bba20dc7cee33b7943a2fd07a4d289b141a4379da1437b
-
SHA512
a1b589fc638b01684be832a78290747843eb7403e12392909a1c242ece810681e1658a9168b3ae6828f05927e6e06c2f167ebe4cdd7d87f342fecd79ef0168dc
-
SSDEEP
6144:5Q2yOGXC7BsBb/eFVhOg3UhcX7elbKTua9bfF/H9d9n:5QwGS2ZeFVhX33X3u+
Malware Config
Extracted
xworm
artist-forum.gl.at.ply.gg:38847
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 4 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {9EBFA8DA-A136-4AF2-B0A0-12D51729A5FA} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD54333d0e00908294442b633a49d546e14
SHA1cbd7e435b282331327212fed3726b4908cde5818
SHA2566e16fc595ed4bd2e72715ce318ca7427412a9fdd5f77aa0412f6f2bce353a7b8
SHA5120e035ff439b9d7ce9728d7df5ff291b8010bb5cfbd23a06e486f3fa73ee8df82dce161efb2c383b92aa1e13babebc5f087ab50dfaeaab63534f54a01a2ae1dc6
-
C:\Users\Admin\AppData\Roaming\XClient.exeFilesize
241KB
MD50d1bb5abb00b755f23abc9dd94ac48e5
SHA1af98320e41cbaa605ac9eb4e6880e548e9ff4fa5
SHA256763f829f6c81514765bba20dc7cee33b7943a2fd07a4d289b141a4379da1437b
SHA512a1b589fc638b01684be832a78290747843eb7403e12392909a1c242ece810681e1658a9168b3ae6828f05927e6e06c2f167ebe4cdd7d87f342fecd79ef0168dc
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/328-36-0x0000000000B70000-0x0000000000BB2000-memory.dmpFilesize
264KB
-
memory/1688-39-0x00000000002D0000-0x0000000000312000-memory.dmpFilesize
264KB
-
memory/1740-32-0x00000000009E0000-0x0000000000A60000-memory.dmpFilesize
512KB
-
memory/1740-1-0x000007FEF6280000-0x000007FEF6C6C000-memory.dmpFilesize
9.9MB
-
memory/1740-2-0x00000000009E0000-0x0000000000A60000-memory.dmpFilesize
512KB
-
memory/1740-0-0x0000000000A90000-0x0000000000AD2000-memory.dmpFilesize
264KB
-
memory/1740-31-0x000007FEF6280000-0x000007FEF6C6C000-memory.dmpFilesize
9.9MB
-
memory/2120-7-0x000000001B6A0000-0x000000001B982000-memory.dmpFilesize
2.9MB
-
memory/2120-8-0x0000000002690000-0x0000000002698000-memory.dmpFilesize
32KB
-
memory/2716-15-0x0000000001D70000-0x0000000001D78000-memory.dmpFilesize
32KB
-
memory/2716-14-0x000000001B6D0000-0x000000001B9B2000-memory.dmpFilesize
2.9MB