Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 11-05-2024 11:25
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: XClient.exe
- Resource: win10v2004-20240508-en
General
- Target: XClient.exe
- Size: 39KB
- MD5: e714edb3f5402f430bdab1cca71a4715
- SHA1: 743d06c2fe1a13838e37ad345e8a23507a162c7f
- SHA256: 118d236485ff8b58d7ab372d55f083fa7b6db08ad0a3655d4e1d871d76c9d2dd
- SHA512: 89b93fd141fd2703bbc60831f6b16161050bd1ef56f805c71fb22b2a3c1446694333cbb8389d747c72f67606724c17746734e063d10e97bb123af87aca6940e0
- SSDEEP: 768:xG7+qmT8ztyh6pwDYvCL2v6hCuuJf27j1fFWPG9/p6OOwh5jObH:cfmT8ztyh6pwDnKwCuuJf4Fv9/p6OOwo
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: 19.ip.gl.ply.gg:49487
- oMmNpHSdiI3wJln5
- Install_directory: %AppData%
- install_file: XClient.exe
Signatures

Detect Xworm Payload (3 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/1640-1-0x00000000011E0000-0x00000000011F0000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\XClient.exe: family_xworm
- behavioral1/memory/1444-43-0x0000000001260000-0x0000000001270000-memory.dmp: family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid / process):
- 1612 powershell.exe
- 2112 powershell.exe
- 2684 powershell.exe
- 1984 powershell.exe

Drops startup file (2 IoCs)
Processes (description / ioc / process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (XClient.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (XClient.exe)

Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 1444 XClient.exe
- 1088 XClient.exe

Loads dropped DLL (2 IoCs)
Processes (pid / process):
- 1640 XClient.exe
- 1640 XClient.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" (XClient.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid / process):
- 1612 powershell.exe
- 2112 powershell.exe
- 2684 powershell.exe
- 1984 powershell.exe
- 1640 XClient.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 1640 XClient.exe
- Token: SeDebugPrivilege, 1612 powershell.exe
- Token: SeDebugPrivilege, 2112 powershell.exe
- Token: SeDebugPrivilege, 2684 powershell.exe
- Token: SeDebugPrivilege, 1984 powershell.exe
- Token: SeDebugPrivilege, 1640 XClient.exe
- Token: SeDebugPrivilege, 1444 XClient.exe
- Token: SeDebugPrivilege, 1088 XClient.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid / process):
- 1640 XClient.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (description / pid / process / target process):
- PID 1640 wrote to memory of 1612 (1640 XClient.exe -> powershell.exe)
- PID 1640 wrote to memory of 1612 (1640 XClient.exe -> powershell.exe)
- PID 1640 wrote to memory of 1612 (1640 XClient.exe -> powershell.exe)
- PID 1640 wrote to memory of 2112 (1640 XClient.exe -> powershell.exe)
- PID 1640 wrote to memory of 2112 (1640 XClient.exe -> powershell.exe)
- PID 1640 wrote to memory of 2112 (1640 XClient.exe -> powershell.exe)
- PID 1640 wrote to memory of 2684 (1640 XClient.exe -> powershell.exe)
- PID 1640 wrote to memory of 2684 (1640 XClient.exe -> powershell.exe)
- PID 1640 wrote to memory of 2684 (1640 XClient.exe -> powershell.exe)
- PID 1640 wrote to memory of 1984 (1640 XClient.exe -> powershell.exe)
- PID 1640 wrote to memory of 1984 (1640 XClient.exe -> powershell.exe)
- PID 1640 wrote to memory of 1984 (1640 XClient.exe -> powershell.exe)
- PID 1640 wrote to memory of 3068 (1640 XClient.exe -> schtasks.exe)
- PID 1640 wrote to memory of 3068 (1640 XClient.exe -> schtasks.exe)
- PID 1640 wrote to memory of 3068 (1640 XClient.exe -> schtasks.exe)
- PID 572 wrote to memory of 1444 (572 taskeng.exe -> XClient.exe)
- PID 572 wrote to memory of 1444 (572 taskeng.exe -> XClient.exe)
- PID 572 wrote to memory of 1444 (572 taskeng.exe -> XClient.exe)
- PID 572 wrote to memory of 1088 (572 taskeng.exe -> XClient.exe)
- PID 572 wrote to memory of 1088 (572 taskeng.exe -> XClient.exe)
- PID 572 wrote to memory of 1088 (572 taskeng.exe -> XClient.exe)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 1640, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  Signatures:
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1612, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2112, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2684, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1984, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 3068, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    Signatures:
    - Creates scheduled task(s)

- C:\Windows\system32\taskeng.exe (PID 572, depth 1)
  Command line: taskeng.exe {A70320E9-7978-4C1B-A433-1F8068F804AA} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 1444, depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 1088, depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 3d4ec81efcee9a529d8c4ee24b50ac15
  SHA1: 16f152593200005ed15a2cc1cbd221d0f53adb57
  SHA256: 165c1caf92d32c48ae95fa24e2267ca3f3649d6c72a036c5ed172941d0ad1f56
  SHA512: 3fe895482aa1f9a0c30316fd5819ce06453982767e4e844bc68781e0bf50c6d622800b5000e6457399ced4660c2b3777120d91938e7efa8faa3664257ed6a28e

- C:\Users\Admin\AppData\Roaming\XClient.exe
  Filesize: 39KB
  MD5: e714edb3f5402f430bdab1cca71a4715
  SHA1: 743d06c2fe1a13838e37ad345e8a23507a162c7f
  SHA256: 118d236485ff8b58d7ab372d55f083fa7b6db08ad0a3655d4e1d871d76c9d2dd
  SHA512: 89b93fd141fd2703bbc60831f6b16161050bd1ef56f805c71fb22b2a3c1446694333cbb8389d747c72f67606724c17746734e063d10e97bb123af87aca6940e0

- \Users\Admin\AppData\Local\Temp\tmp9BA3.tmp
  Filesize: 100KB
  MD5: 1b942faa8e8b1008a8c3c1004ba57349
  SHA1: cd99977f6c1819b12b33240b784ca816dfe2cb91
  SHA256: 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
  SHA512: 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

- memory/1444-43-0x0000000001260000-0x0000000001270000-memory.dmp
  Filesize: 64KB

- memory/1612-6-0x0000000002C00000-0x0000000002C80000-memory.dmp
  Filesize: 512KB

- memory/1612-7-0x000000001B640000-0x000000001B922000-memory.dmp
  Filesize: 2.9MB

- memory/1612-8-0x0000000002890000-0x0000000002898000-memory.dmp
  Filesize: 32KB

- memory/1640-30-0x000000001B330000-0x000000001B3B0000-memory.dmp
  Filesize: 512KB

- memory/1640-0-0x000007FEF5533000-0x000007FEF5534000-memory.dmp
  Filesize: 4KB

- memory/1640-31-0x00000000004F0000-0x00000000004FC000-memory.dmp
  Filesize: 48KB

- memory/1640-32-0x000007FEF5533000-0x000007FEF5534000-memory.dmp
  Filesize: 4KB

- memory/1640-33-0x000000001B330000-0x000000001B3B0000-memory.dmp
  Filesize: 512KB

- memory/1640-34-0x000000001AC40000-0x000000001AC7A000-memory.dmp
  Filesize: 232KB

- memory/1640-39-0x000000001AE10000-0x000000001AE1A000-memory.dmp
  Filesize: 40KB

- memory/1640-1-0x00000000011E0000-0x00000000011F0000-memory.dmp
  Filesize: 64KB

- memory/2112-15-0x0000000002960000-0x0000000002968000-memory.dmp
  Filesize: 32KB

- memory/2112-14-0x000000001B6B0000-0x000000001B992000-memory.dmp
  Filesize: 2.9MB