Resubmissions

  • 21-05-2024 16:26  240521-txyqyabf56  10

  • 21-05-2024 16:11  240521-tm8s6abe3x  10

  • 21-05-2024 16:06  240521-tkknjsbc68  10

  • 21-05-2024 16:02  240521-tg8k7sbb83  10

  • 21-05-2024 15:59  240521-tfbj3sbb35  10

General

  • Target

    XClient.exe

  • Size

    32KB

  • Sample

    240521-tg8k7sbb83

  • MD5

    796d46d24a498cbd5c0161979b6b97ae

  • SHA1

    0bad45e27d99ab1900cbb99bd97895c2286f7c53

  • SHA256

    1e3b4846c9c304c0ea408381e99c1f80940cdd7e3d30170afd23ab492bfd5d13

  • SHA512

    0046a95e056a3e7385d46fd383e3bc48b0b6891726d2dbcb2901139af5c9d1a3bb415446fc236b68cbf0a87cc13185f6fb2604447f02228c9c1f92f67a0593d4

  • SSDEEP

    384:5YxRXcrP31VZBELRUnvJff3cdiwOURJpkFTBLToOZwxJd2v99IkuisuVFxOjhlbD:lPjgRevJ3cdIUGF/9jTOjhlbD

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • Mutex

    ee7Mn1pG1AADdFhL

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/LY8grq3Z

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                | Technique                          | Count | ID
  ----------------------|------------------------------------|-------|-----------
  Persistence           | Boot or Logon Autostart Execution  | 1     | T1547
  Persistence           | Winlogon Helper DLL                | 1     | T1547.004
  Privilege Escalation  | Boot or Logon Autostart Execution  | 1     | T1547
  Privilege Escalation  | Winlogon Helper DLL                | 1     | T1547.004
  Defense Evasion       | Modify Registry                    | 2     | T1112
  Discovery             | Query Registry                     | 3     | T1012
  Discovery             | System Information Discovery       | 4     | T1082
  Discovery             | Peripheral Device Discovery        | 1     | T1120
  Command and Control   | Web Service                        | 1     | T1102
  Impact                | Defacement                         | 1     | T1491

Tasks