Analysis

max time kernel: 1047s
max time network: 488s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-05-2024 10:26
Behavioral task: behavioral1
Sample: kiddions.exe
Resource: win11-20240508-en
General

Target: kiddions.exe
Size: 77KB
MD5: 66457c38d36822b43c72333837268fce
SHA1: 45279743be3613147f741715e620fe9ee9136eb6
SHA256: 3b280af17ea33850c3652f64436f4f02760afe4f0ba9bb9d63596dc942cac882
SHA512: bcc68460de0100d48806b5092dfcca1b69137f976c727f38e23f375b9c9d2c64f7e641c7e15005957bc975219cbba4fbb695617a3dbe8ea1e5da95f3dd2351ca
SSDEEP: 1536:eYFcsoTxxsSq9H0RsqhLJxfRjj+wiGbgZqBQGaYu6nObbHh/GT:er9+URNhbRjy3GbgIpOXHhuT
Malware Config

Extracted: xworm
C2: 127.0.0.1:45129
Install_directory: %AppData%
install_file: XClient.exe

Note: the extracted C2 is the loopback address, so this build cannot reach an operator, and the only outbound flow in the run is the ip-api.com lookup. Treat 127.0.0.1:45129 as a placeholder from a test or tampered build, not as a network indicator; the file hashes, install path, task name and Run value below are the usable IoCs.
Signatures

Detect Xworm Payload (2 IoCs)
  YARA rule family_xworm matched:
    behavioral1/memory/1656-1-0x00000000006C0000-0x00000000006DA000-memory.dmp
    C:\Users\Admin\AppData\Roaming\XClient.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes: powershell.exe PID 5112, 4116, 2228, 2132

Drops startup file (2 IoCs)
  kiddions.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
  kiddions.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Executes dropped EXE (18 IoCs)
  XClient.exe PIDs: 3640, 3472, 4652, 1756, 1640, 2596, 4856, 4624, 3352, 4532, 2256, 4312, 3656, 2532, 2760, 484, 2648, 1160

Adds Run key to start application (2 TTPs, 1 IoC)
  kiddions.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 1: ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  kiddions.exe PID 1656

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  powershell.exe PID 5112 (x2), 4116 (x2), 2228 (x2), 2132 (x2); kiddions.exe PID 1656

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Token: SeDebugPrivilege
    kiddions.exe PID 1656 (x2)
    powershell.exe PID 5112, 4116, 2228, 2132
    XClient.exe PID 3640, 3472, 4652, 1756, 1640, 2596, 4856, 4624, 3352, 4532, 2256, 4312, 3656, 2532, 2760, 484, 2648, 1160

Suspicious use of SetWindowsHookEx (1 IoC)
  kiddions.exe PID 1656

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 1656 kiddions.exe wrote to memory of: 5112 powershell.exe (x2), 4116 powershell.exe (x2), 2228 powershell.exe (x2), 2132 powershell.exe (x2), 748 schtasks.exe (x2)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\kiddions.exe (PID 1656, depth 1)
  "C:\Users\Admin\AppData\Local\Temp\kiddions.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\kiddions.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kiddions.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe (PID 748, depth 2)
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\XClient.exe (18 separate instances at depth 1; PIDs 3640, 3472, 4652, 1756, 1640, 2596, 4856, 4624, 3352, 4532, 2256, 4312, 3656, 2532, 2760, 484, 2648, 1160)
  C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: kiddions.exe first whitelists both its own path/name and the future install path/name in Defender (four Add-MpPreference calls, one exclusion each), then registers the "XClient" task. The XClient.exe instances sit at depth 1 rather than under kiddions.exe, which is what a task-launched process looks like: with /sc minute /mo 1 the task fires every minute, and 18 launches in a run of 1047s kernel time is consistent with that. /RL HIGHEST asks for the highest privilege level available to the task's user, so on an admin account each instance runs elevated. The Run value and the Startup-folder .lnk are belt-and-braces persistence for the same binary.
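The four PowerShell commands, the schtasks command and the Run value above are a compact, reusable defense-evasion-plus-persistence pattern. The following Python is an added example, not part of this report and not the sandbox's own signature engine: it runs three triage rules over process-creation and registry-set records. The records at the bottom are constructed from the report's command lines and PIDs (the report lists the four powershell.exe PIDs and the four commands separately; pairing them in list order is an assumption made here), the Finding class, the "at most every 5 minutes" threshold and the user-writable directory list are this example's own choices, and the ATT&CK technique IDs are the mapping I use for these behaviours (T1562.001 Impair Defenses, T1053.005 Scheduled Task, T1547.001 Run Keys).

```python
"""Triage rules for the defense-evasion and persistence commands in the
process tree above.  Added example, not the sandbox's own signature engine.
The records at the bottom are constructed from the report's command lines
and PIDs, not captured telemetry."""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to.  A scheduled task or Run value
# pointing here is far more suspicious than one pointing under Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.I)

# Add-MpPreference -Exclusion{Path,Process,Extension} <value>; the value may be
# single-quoted (as in this sample), double-quoted, or bare.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-(Exclusion(?:Path|Process|Extension))\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)

# One schtasks switch: /name followed by an optional quoted or bare value.
SWITCH_RE = re.compile(r"""/(\w+)(?:\s+(?:(["'])(.*?)\2|([^/\s]\S*)))?""")

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)


@dataclass
class Finding:
    pid: int
    technique: str  # ATT&CK technique ID; the mapping is this example's own
    detail: str


def parse_exclusions(cmdline):
    """Return [(kind, value), ...] for every Defender exclusion the command adds."""
    return [(m.group(1), m.group(2) or m.group(3) or m.group(4))
            for m in EXCLUSION_RE.finditer(cmdline)]


def parse_schtasks(cmdline):
    """Return the switches of a 'schtasks /create' command as a dict
    (lower-cased name -> value, or None for flags like /f); None if not /create."""
    if not re.search(r'schtasks(?:\.exe)?"?\s+/create', cmdline, re.I):
        return None
    return {m.group(1).lower(): m.group(3) if m.group(2) else m.group(4)
            for m in SWITCH_RE.finditer(cmdline)}


def triage(proc_events, reg_events=()):
    """Run the three rules over process-creation and registry-set records."""
    findings = []
    for ev in proc_events:
        image, cmd = ev["image"].lower(), ev["cmdline"]
        if image.endswith("powershell.exe"):
            # Rule 1: Defender exclusions added from the command line.
            for kind, value in parse_exclusions(cmd):
                findings.append(Finding(ev["pid"], "T1562.001",
                                        f"Defender {kind} exclusion for {value}"))
        elif image.endswith("schtasks.exe"):
            # Rule 2: high-frequency task whose action lives in user-writable space.
            opts = parse_schtasks(cmd)
            if opts and (opts.get("sc") or "").lower() == "minute":
                every = int(opts.get("mo") or 1)
                target = opts.get("tr") or ""
                if every <= 5 and USER_WRITABLE.search(target):
                    findings.append(Finding(ev["pid"], "T1053.005",
                        f"task {opts.get('tn')!r} runs {target} every {every} min"))
    for ev in reg_events:
        # Rule 3: Run/RunOnce value pointing into user-writable space.
        if RUN_KEY_RE.search(ev["key"]) and USER_WRITABLE.search(ev["data"]):
            name = ev["key"].rsplit("\\", 1)[-1]
            findings.append(Finding(ev["pid"], "T1547.001",
                                    f"Run value {name} -> {ev['data']}"))
    return findings


# Constructed input, modelled on the process tree above.  Pairing the four
# powershell PIDs with the four commands in list order is an assumption.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS = '"' + PS_IMAGE + '" -ExecutionPolicy Bypass '
PROC_EVENTS = [
    {"pid": 5112, "image": PS_IMAGE, "cmdline": PS +
     r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\kiddions.exe'"},
    {"pid": 4116, "image": PS_IMAGE, "cmdline": PS +
     r"Add-MpPreference -ExclusionProcess 'kiddions.exe'"},
    {"pid": 2228, "image": PS_IMAGE, "cmdline": PS +
     r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'"},
    {"pid": 2132, "image": PS_IMAGE, "cmdline": PS +
     r"Add-MpPreference -ExclusionProcess 'XClient.exe'"},
    {"pid": 748, "image": r"C:\Windows\System32\schtasks.exe", "cmdline":
     r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
     r'/tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"'},
]
REG_EVENTS = [
    {"pid": 1656,
     "key": r"\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\XClient",
     "data": r"C:\Users\Admin\AppData\Roaming\XClient.exe"},
]

if __name__ == "__main__":
    for f in triage(PROC_EVENTS, REG_EVENTS):
        print(f"{f.technique}  pid={f.pid}  {f.detail}")
```

Run as a script it prints six findings: four Defender exclusions, the one-minute "XClient" task, and the Run value. The frequency threshold matters: a daily task pointing into Program Files is legitimate admin noise, while anything under AppData that fires every minute is almost never benign.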
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
  Filesize: 654B
  MD5: 2cbbb74b7da1f720b48ed31085cbd5b8
  SHA1: 79caa9a3ea8abe1b9c4326c3633da64a5f724964
  SHA256: e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
  SHA512: ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: e3840d9bcedfe7017e49ee5d05bd1c46
  SHA1: 272620fb2605bd196df471d62db4b2d280a363c6
  SHA256: 3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f
  SHA512: 76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 34e3230cb2131270db1af79fb3d57752
  SHA1: 21434dd7cf3c4624226b89f404fd7982825f8ac6
  SHA256: 0f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39
  SHA512: 3756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 53f55f8c3d66463c79213e9f1f9207a6
  SHA1: b398f2281217a4d9c63a833d08bedcdd02a64e1b
  SHA256: 180b74bfcf6383118baf7980d457136e454058d5842702348dc604e389c37dd8
  SHA512: ba5493743054950a5268de2a6d83007784c4405ae17db2e49768f1ddf26ddfc75d43667c9a7c28a8b25fee303132480b9a97b12f428a0e26db3be6d9f9b0886e

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gyg1fcgr.5c4.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\XClient.exe
  Filesize: 77KB
  MD5: 66457c38d36822b43c72333837268fce
  SHA1: 45279743be3613147f741715e620fe9ee9136eb6
  SHA256: 3b280af17ea33850c3652f64436f4f02760afe4f0ba9bb9d63596dc942cac882
  SHA512: bcc68460de0100d48806b5092dfcca1b69137f976c727f38e23f375b9c9d2c64f7e641c7e15005957bc975219cbba4fbb695617a3dbe8ea1e5da95f3dd2351ca

Memory dumps:

memory/1656-0-0x00007FFA20DB3000-0x00007FFA20DB5000-memory.dmp
  Filesize: 8KB
memory/1656-2-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
  Filesize: 10.8MB
memory/1656-57-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
  Filesize: 10.8MB
memory/1656-1-0x00000000006C0000-0x00000000006DA000-memory.dmp
  Filesize: 104KB
memory/5112-13-0x000001ED3EE40000-0x000001ED3EE62000-memory.dmp
  Filesize: 136KB
memory/5112-14-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
  Filesize: 10.8MB
memory/5112-15-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
  Filesize: 10.8MB
memory/5112-16-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
  Filesize: 10.8MB
memory/5112-19-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
  Filesize: 10.8MB
memory/5112-9-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
  Filesize: 10.8MB
memory/5112-3-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
  Filesize: 10.8MB

Notes on the artifacts: C:\Users\Admin\AppData\Roaming\XClient.exe carries exactly the same MD5/SHA1/SHA256/SHA512 as the submitted kiddions.exe, so the "dropped" payload is a byte-for-byte self-copy into %AppData% under the configured install_file name, and one set of hashes covers both. The CLR_v4.0\UsageLogs entries are written by the .NET Framework 4 runtime on first execution of a managed program, which tells you XClient.exe (and so kiddions.exe) is a .NET assembly; the __PSScriptPolicyTest_*.ps1 file is the 60-byte probe PowerShell writes to Temp to test AppLocker script policy, a side effect of the Add-MpPreference commands rather than an attacker-authored script. Among the dumps, memory/1656-1 (104KB at 0x6C0000) is the region the family_xworm YARA rule matched in Signatures, while the 10.8MB range 0x00007FFA20DB0000-0x00007FFA21872000 appears at the same base in both PID 1656 and PID 5112, which is what a shared system module looks like, not an injected region.