3a23809b4f8c295cc07fb589966ef0c695d6df61c244e28127be54874ef38ec4

Resubmissions

01-05-2024 16:35

240501-t3ng6ade53 7

01-05-2024 11:16

240501-ndh89afg46 10

Analysis

max time kernel
996s
max time network
996s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

1.3MB
MD5

0e7dbde65ff6eb526caf5a8517b3ef14
SHA1

326b1a54238ff6560dea85053bbea1c521dddd62
SHA256

3a23809b4f8c295cc07fb589966ef0c695d6df61c244e28127be54874ef38ec4
SHA512

f6fd535c17c5ea57eb9ee6a0f6705885b58b628801b3cd6e792da1518d5e1e490a007dbb9f1e72341ba2e60c635c2549762faed878fcdfac7633f3074dc55302
SSDEEP

6144:HCvSkBoOd7x9JR0hg5efTfnxPQ6EgjDcOKeSZhzjnnpDnC5QQfWMFH6n/8sJdaTp:HCvTo+GTfnxPQlgyymKJ162d0jLifU

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
1988	bgekgo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\ProgramData\\XClient.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2548	powershell.exe
2668	powershell.exe
2716	powershell.exe
2832	XClient.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	XClient.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2832	XClient.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1988	bgekgo.exe
1988	bgekgo.exe
1988	bgekgo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2832	XClient.exe
1988	bgekgo.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2548	2832	XClient.exe	29
PID 2832 wrote to memory of 2548	2832	XClient.exe	29
PID 2832 wrote to memory of 2548	2832	XClient.exe	29
PID 2832 wrote to memory of 2668	2832	XClient.exe	31
PID 2832 wrote to memory of 2668	2832	XClient.exe	31
PID 2832 wrote to memory of 2668	2832	XClient.exe	31
PID 2832 wrote to memory of 2716	2832	XClient.exe	33
PID 2832 wrote to memory of 2716	2832	XClient.exe	33
PID 2832 wrote to memory of 2716	2832	XClient.exe	33
PID 2832 wrote to memory of 1988	2832	XClient.exe	37
PID 2832 wrote to memory of 1988	2832	XClient.exe	37
PID 2832 wrote to memory of 1988	2832	XClient.exe	37
PID 2832 wrote to memory of 1988	2832	XClient.exe	37

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\bgekgo.exe
  "C:\Users\Admin\AppData\Local\Temp\bgekgo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bgekgo.exe

Filesize
28KB

MD5
22cee09d1b29de08f3bd7b340e8afcbf

SHA1
169050c72ec8369668282ce8fd2f7b645c532455

SHA256
f6a8d6117962b2f48c77aa14bd01a9962bb8d7a87d752fa50df76cdbd6e56533

SHA512
0514c39bcc76ffba415f46aba8cec5f82f5d349b49b2f2ad402e1b2445cc342622781d19a5d77a62f300ba3c1b3522b684f948dad59b5ff6503316c2610b49c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
758d03cdfeaea1429a55452cce47dd72

SHA1
05ad9b901f4ca29a8f0293d9ac917d0be692387b

SHA256
59e46663686441c96975863df8bcefa37a9f04197e4e584b4a58438b7d8d0292

SHA512
11e0781685265dfcfae36017bf1e5b37568004779d80124299175fd1fc956430bb5cf7c8ffe083e12396219951842219bae91d917e7dd06a3638b32395ffbc19

Download Submit
memory/2548-7-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2548-8-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2668-14-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2668-15-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2832-0-0x0000000000E00000-0x0000000000F5C000-memory.dmp

Filesize
1.4MB

Download
memory/2832-1-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2832-2-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/2832-27-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2832-29-0x0000000000DD0000-0x0000000000DDA000-memory.dmp

Filesize
40KB

Download