Overview

overview

8

Static

static

3

XClient-protected.exe

windows7-x64

8

XClient-protected.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20/05/2024, 02:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient-protected.exe

  • Size

    309KB

  • MD5

    61a9752c153144d46947b2764a098d72

  • SHA1

    d477fd5bf2fdb1bc6f99b538687f75618c53c55f

  • SHA256

    3793639df23de841f332d99a3ef1ff8212a0e0593d415896344b5e54ea1238b6

  • SHA512

    eefe1ad6c60bd340db317c74d5cacc8ce2d9c53c3725d6ca7ea7c5bfefcdf0627a54749d31b6d8fc223cc0f08a7dfc0d2255c548954fc8b6e4fd39b28ef9cc38

  • SSDEEP

    6144:gaWaSdnPm73wByB4zNl8FF/yybIiQXsaIkjRSkYQ:MaSZQ3wByBCNlRiQTjK

Score
8/10
executionpersistence

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient-protected.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient-protected.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient-protected.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient-protected.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2988
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {FB4B5919-150E-4DF3-A769-452442702CEE} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:576

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          19b4ceb89e76a3641bc47f9f404cc31e

          SHA1

          f4af9e078e80c4b5f4f4a1d9a6a4027eaef2f1fc

          SHA256

          03d82f6401740b0fe7a6cf0cb55952c219417c9853750d4238a3cedc5ad5a140

          SHA512

          d3d999e8608a2cd5bfff485d5c4ad4d8c148b51ad2efe11ad0c57150c11cb9e93dfd0c618d18f5b8f8ebc51304a1bbfd9d791c5d905a906e2a624631008d93d9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\svchost.exe
          Filesize

          309KB

          MD5

          61a9752c153144d46947b2764a098d72

          SHA1

          d477fd5bf2fdb1bc6f99b538687f75618c53c55f

          SHA256

          3793639df23de841f332d99a3ef1ff8212a0e0593d415896344b5e54ea1238b6

          SHA512

          eefe1ad6c60bd340db317c74d5cacc8ce2d9c53c3725d6ca7ea7c5bfefcdf0627a54749d31b6d8fc223cc0f08a7dfc0d2255c548954fc8b6e4fd39b28ef9cc38

          Download Submit

        • \Users\Admin\AppData\Local\Temp\tmp8823.tmp
          Filesize

          100KB

          MD5

          1b942faa8e8b1008a8c3c1004ba57349

          SHA1

          cd99977f6c1819b12b33240b784ca816dfe2cb91

          SHA256

          555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

          SHA512

          5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

          Download Submit

        • memory/576-47-0x0000000000020000-0x0000000000076000-memory.dmp

          Filesize

          344KB

          Download

        • memory/2572-14-0x000000001B690000-0x000000001B972000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2572-15-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2624-38-0x0000000001180000-0x00000000011D6000-memory.dmp

          Filesize

          344KB

          Download

        • memory/2924-34-0x000000001AF80000-0x000000001B000000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2924-32-0x000000001AF80000-0x000000001B000000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2924-33-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2924-1-0x00000000010E0000-0x0000000001136000-memory.dmp

          Filesize

          344KB

          Download

        • memory/2924-0-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2924-39-0x000000001AB40000-0x000000001AB4C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2924-41-0x000000001AF40000-0x000000001AF7A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2924-52-0x000000001B020000-0x000000001B02C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2948-7-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2948-6-0x0000000002D90000-0x0000000002E10000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2948-8-0x0000000000440000-0x0000000000448000-memory.dmp

          Filesize

          32KB

          Download