Analysis
- max time kernel: 124s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 12-05-2024 13:09
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: XClient.exe
- Resource: win10v2004-20240508-en
General
- Target: XClient.exe
- Size: 216KB
- MD5: a6d3d1061fb61a90a933acceb1af5358
- SHA1: ea62a67f7a0726e76e3a849652672dd95868bb00
- SHA256: 370ea3e983c58ed74d3ee9ec54663ff29dba195a040d0fe56c20b7554cf18472
- SHA512: 9341af271094515df448e9ee9273e2d8a3b1101feaaeef64838c2ff908bfdc56b6afc688f117c971e1eb5adc5c8304cec936bac20ff03c23430a6e945c55637d
- SSDEEP: 3072:lBxhsxnroxM7btQ+ROU0Z5hh4DAiKeNhK1pEeGklktiVMPneSYHl:vx+nr2M7bK+YLheDAiKeNkLzblk
Malware Config
Extracted
- Family: xworm
- C2: 2.tcp.eu.ngrok.io:16807
- Install_directory: %AppData%
- install_file: svchost.exe
Signatures

Detect Xworm Payload (4 IoCs)
Processes:
- resource behavioral1/memory/2240-1-0x0000000000FA0000-0x0000000000FDC000-memory.dmp: yara_rule family_xworm
- resource C:\Users\Admin\AppData\Roaming\svchost.exe: yara_rule family_xworm
- resource behavioral1/memory/536-38-0x0000000000F40000-0x0000000000F7C000-memory.dmp: yara_rule family_xworm
- resource behavioral1/memory/948-40-0x00000000003A0000-0x00000000003DC000-memory.dmp: yara_rule family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
- PID 2108 powershell.exe
- PID 1844 powershell.exe
- PID 2388 powershell.exe
- PID 2516 powershell.exe
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (XClient.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (XClient.exe)

Executes dropped EXE (2 IoCs)
Processes:
- PID 536 svchost.exe
- PID 948 svchost.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (XClient.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 4: ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- PID 2388 powershell.exe
- PID 2516 powershell.exe
- PID 2108 powershell.exe
- PID 1844 powershell.exe
- PID 2240 XClient.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 2240 XClient.exe
- Token: SeDebugPrivilege, PID 2388 powershell.exe
- Token: SeDebugPrivilege, PID 2516 powershell.exe
- Token: SeDebugPrivilege, PID 2108 powershell.exe
- Token: SeDebugPrivilege, PID 1844 powershell.exe
- Token: SeDebugPrivilege, PID 2240 XClient.exe
- Token: SeDebugPrivilege, PID 536 svchost.exe
- Token: SeDebugPrivilege, PID 948 svchost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- PID 2240 XClient.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (each source/target pairing is reported three times in the original table, 21 entries in total):
- PID 2240 XClient.exe wrote to memory of PID 2388 powershell.exe
- PID 2240 XClient.exe wrote to memory of PID 2516 powershell.exe
- PID 2240 XClient.exe wrote to memory of PID 2108 powershell.exe
- PID 2240 XClient.exe wrote to memory of PID 1844 powershell.exe
- PID 2240 XClient.exe wrote to memory of PID 2724 schtasks.exe
- PID 2012 taskeng.exe wrote to memory of PID 536 svchost.exe
- PID 2012 taskeng.exe wrote to memory of PID 948 svchost.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 2240)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2388)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2516)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2108)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1844)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 2724)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Creates scheduled task(s)

- C:\Windows\system32\taskeng.exe (PID 2012)
  Command line: taskeng.exe {7C25F853-6135-46D2-B96E-900000BEA75C} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 536)
    Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 948)
    Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: a6ea7fd62544ea83501292e8d79e9492
  SHA1: 63ba7328eafcc80bbf33e8b70f64a8f665ca20da
  SHA256: 2b0749738d4eafb92736ec1588309aefdcc13a7421cd4d8e40ebf5b95cb2a26b
  SHA512: ebdcb7d1cb70282ab0afa221c9ed32eae34c2db7132aead7fd2fd4095ef8afb566dfbd088481c8262bf4991f6f429997f4374df703f7564654c55c820bd44517
- C:\Users\Admin\AppData\Roaming\svchost.exe (hashes identical to the submitted XClient.exe)
  Filesize: 216KB
  MD5: a6d3d1061fb61a90a933acceb1af5358
  SHA1: ea62a67f7a0726e76e3a849652672dd95868bb00
  SHA256: 370ea3e983c58ed74d3ee9ec54663ff29dba195a040d0fe56c20b7554cf18472
  SHA512: 9341af271094515df448e9ee9273e2d8a3b1101feaaeef64838c2ff908bfdc56b6afc688f117c971e1eb5adc5c8304cec936bac20ff03c23430a6e945c55637d
- \??\PIPE\srvsvc (hashes of an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/536-38-0x0000000000F40000-0x0000000000F7C000-memory.dmp
  Filesize: 240KB
- memory/948-40-0x00000000003A0000-0x00000000003DC000-memory.dmp
  Filesize: 240KB
- memory/2240-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp
  Filesize: 9.9MB
- memory/2240-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp
  Filesize: 4KB
- memory/2240-32-0x000007FEF5433000-0x000007FEF5434000-memory.dmp
  Filesize: 4KB
- memory/2240-33-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp
  Filesize: 9.9MB
- memory/2240-1-0x0000000000FA0000-0x0000000000FDC000-memory.dmp
  Filesize: 240KB
- memory/2388-7-0x0000000002950000-0x00000000029D0000-memory.dmp
  Filesize: 512KB
- memory/2388-8-0x000000001B6E0000-0x000000001B9C2000-memory.dmp
  Filesize: 2.9MB
- memory/2388-9-0x0000000002690000-0x0000000002698000-memory.dmp
  Filesize: 32KB
- memory/2516-15-0x000000001B5C0000-0x000000001B8A2000-memory.dmp
  Filesize: 2.9MB
- memory/2516-16-0x00000000028E0000-0x00000000028E8000-memory.dmp
  Filesize: 32KB