Analysis
Max time kernel: 121s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240419-en
Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted: 28-04-2024 09:11
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: XClient.exe
Resource: win10v2004-20240426-en
General
Target: XClient.exe
Size: 241KB
MD5: 0d1bb5abb00b755f23abc9dd94ac48e5
SHA1: af98320e41cbaa605ac9eb4e6880e548e9ff4fa5
SHA256: 763f829f6c81514765bba20dc7cee33b7943a2fd07a4d289b141a4379da1437b
SHA512: a1b589fc638b01684be832a78290747843eb7403e12392909a1c242ece810681e1658a9168b3ae6828f05927e6e06c2f167ebe4cdd7d87f342fecd79ef0168dc
SSDEEP: 6144:5Q2yOGXC7BsBb/eFVhOg3UhcX7elbKTua9bfF/H9d9n:5QwGS2ZeFVhX33X3u+
Malware Config
Extracted: xworm
  artist-forum.gl.at.ply.gg:38847
  Install_directory: %AppData%
  install_file: XClient.exe
Signatures

Detect Xworm Payload 4 IoCs
Processes:
  - resource behavioral1/memory/1740-0-0x0000000000A90000-0x0000000000AD2000-memory.dmp, yara_rule family_xworm
  - resource C:\Users\Admin\AppData\Roaming\XClient.exe, yara_rule family_xworm
  - resource behavioral1/memory/328-36-0x0000000000B70000-0x0000000000BB2000-memory.dmp, yara_rule family_xworm
  - resource behavioral1/memory/1688-39-0x00000000002D0000-0x0000000000312000-memory.dmp, yara_rule family_xworm
Drops startup file 2 IoCs
Processes:
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (process: XClient.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (process: XClient.exe)
Executes dropped EXE 2 IoCs
Processes:
  - pid 328, process XClient.exe
  - pid 1688, process XClient.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" (process: XClient.exe)
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  - flow 2: ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
  - pid 2120, process powershell.exe
  - pid 2716, process powershell.exe
  - pid 2544, process powershell.exe
  - pid 1896, process powershell.exe
  - pid 1740, process XClient.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
  - Token: SeDebugPrivilege, pid 1740, process XClient.exe
  - Token: SeDebugPrivilege, pid 2120, process powershell.exe
  - Token: SeDebugPrivilege, pid 2716, process powershell.exe
  - Token: SeDebugPrivilege, pid 2544, process powershell.exe
  - Token: SeDebugPrivilege, pid 1896, process powershell.exe
  - Token: SeDebugPrivilege, pid 1740, process XClient.exe
  - Token: SeDebugPrivilege, pid 328, process XClient.exe
  - Token: SeDebugPrivilege, pid 1688, process XClient.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  - pid 1740, process XClient.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes (description, pid, process, target process):
  - PID 1740 wrote to memory of 2120: 1740 XClient.exe -> powershell.exe
  - PID 1740 wrote to memory of 2120: 1740 XClient.exe -> powershell.exe
  - PID 1740 wrote to memory of 2120: 1740 XClient.exe -> powershell.exe
  - PID 1740 wrote to memory of 2716: 1740 XClient.exe -> powershell.exe
  - PID 1740 wrote to memory of 2716: 1740 XClient.exe -> powershell.exe
  - PID 1740 wrote to memory of 2716: 1740 XClient.exe -> powershell.exe
  - PID 1740 wrote to memory of 2544: 1740 XClient.exe -> powershell.exe
  - PID 1740 wrote to memory of 2544: 1740 XClient.exe -> powershell.exe
  - PID 1740 wrote to memory of 2544: 1740 XClient.exe -> powershell.exe
  - PID 1740 wrote to memory of 1896: 1740 XClient.exe -> powershell.exe
  - PID 1740 wrote to memory of 1896: 1740 XClient.exe -> powershell.exe
  - PID 1740 wrote to memory of 1896: 1740 XClient.exe -> powershell.exe
  - PID 1740 wrote to memory of 2064: 1740 XClient.exe -> schtasks.exe
  - PID 1740 wrote to memory of 2064: 1740 XClient.exe -> schtasks.exe
  - PID 1740 wrote to memory of 2064: 1740 XClient.exe -> schtasks.exe
  - PID 2860 wrote to memory of 328: 2860 taskeng.exe -> XClient.exe
  - PID 2860 wrote to memory of 328: 2860 taskeng.exe -> XClient.exe
  - PID 2860 wrote to memory of 328: 2860 taskeng.exe -> XClient.exe
  - PID 2860 wrote to memory of 1688: 2860 taskeng.exe -> XClient.exe
  - PID 2860 wrote to memory of 1688: 2860 taskeng.exe -> XClient.exe
  - PID 2860 wrote to memory of 1688: 2860 taskeng.exe -> XClient.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {9EBFA8DA-A136-4AF2-B0A0-12D51729A5FA} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\XClient.exe
      Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\XClient.exe
      Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 4333d0e00908294442b633a49d546e14
  SHA1: cbd7e435b282331327212fed3726b4908cde5818
  SHA256: 6e16fc595ed4bd2e72715ce318ca7427412a9fdd5f77aa0412f6f2bce353a7b8
  SHA512: 0e035ff439b9d7ce9728d7df5ff291b8010bb5cfbd23a06e486f3fa73ee8df82dce161efb2c383b92aa1e13babebc5f087ab50dfaeaab63534f54a01a2ae1dc6

- C:\Users\Admin\AppData\Roaming\XClient.exe
  Filesize: 241KB
  MD5: 0d1bb5abb00b755f23abc9dd94ac48e5
  SHA1: af98320e41cbaa605ac9eb4e6880e548e9ff4fa5
  SHA256: 763f829f6c81514765bba20dc7cee33b7943a2fd07a4d289b141a4379da1437b
  SHA512: a1b589fc638b01684be832a78290747843eb7403e12392909a1c242ece810681e1658a9168b3ae6828f05927e6e06c2f167ebe4cdd7d87f342fecd79ef0168dc

- \??\PIPE\srvsvc (zero-byte capture: these are the well-known hashes of empty content)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Memory dumps (resource, filesize):
- memory/328-36-0x0000000000B70000-0x0000000000BB2000-memory.dmp, 264KB
- memory/1688-39-0x00000000002D0000-0x0000000000312000-memory.dmp, 264KB
- memory/1740-32-0x00000000009E0000-0x0000000000A60000-memory.dmp, 512KB
- memory/1740-1-0x000007FEF6280000-0x000007FEF6C6C000-memory.dmp, 9.9MB
- memory/1740-2-0x00000000009E0000-0x0000000000A60000-memory.dmp, 512KB
- memory/1740-0-0x0000000000A90000-0x0000000000AD2000-memory.dmp, 264KB
- memory/1740-31-0x000007FEF6280000-0x000007FEF6C6C000-memory.dmp, 9.9MB
- memory/2120-7-0x000000001B6A0000-0x000000001B982000-memory.dmp, 2.9MB
- memory/2120-8-0x0000000002690000-0x0000000002698000-memory.dmp, 32KB
- memory/2716-15-0x0000000001D70000-0x0000000001D78000-memory.dmp, 32KB
- memory/2716-14-0x000000001B6D0000-0x000000001B9B2000-memory.dmp, 2.9MB