Analysis
- max time kernel: 136s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 08:39
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: XClient.exe
- Resource: win10v2004-20240508-en
General
- Target: XClient.exe
- Size: 41KB
- MD5: cb09c9133f40c4903525fa5a7df4c405
- SHA1: e8496990338d09a6b73d4808e3aada0f50cf758a
- SHA256: ad335bba6ec965c12c17a0fb8ae86aa26beebca57e63fba662757a79f1d6df22
- SHA512: be757f81deb1b8f43d51332d383ff829524ea94a54a732576b30bdba43a31eee2dfc9cd8ed5dce2cd06e191c307db2ddee687895a0de5ad6bc9709d167631b1f
- SSDEEP: 768:KU0MzzOOfBbw197oyoyv08cr/rZ+IF5Pa9n2e6iOwhM3sik:KU0M/bZbwXsyrs3rd9F492e6iOwSNk
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- https://pastebin.com/raw/qaWffTar:5
- C6npgtaAk9A5snxm
- Install_directory: %AppData%
- install_file: svchost.exe
- pastebin_url: https://pastebin.com/raw/qaWffTar
Signatures
- Detect Xworm Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1932-1-0x0000000001150000-0x0000000001160000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Roaming\svchost.exe | family_xworm
  behavioral1/memory/1548-36-0x0000000000DD0000-0x0000000000DE0000-memory.dmp | family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | process
  2988 | powershell.exe
  2576 | powershell.exe
  2872 | powershell.exe
  2708 | powershell.exe
- Drops startup file (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | XClient.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | XClient.exe
- Executes dropped EXE (3 IoCs)
  pid | process
  1548 | svchost.exe
  2904 | svchost.exe
  2240 | svchost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | XClient.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | process
  2988 | powershell.exe
  2576 | powershell.exe
  2872 | powershell.exe
  2708 | powershell.exe
  1932 | XClient.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1932 | XClient.exe
  Token: SeDebugPrivilege | 2988 | powershell.exe
  Token: SeDebugPrivilege | 2576 | powershell.exe
  Token: SeDebugPrivilege | 2872 | powershell.exe
  Token: SeDebugPrivilege | 2708 | powershell.exe
  Token: SeDebugPrivilege | 1932 | XClient.exe
  Token: SeDebugPrivilege | 1548 | svchost.exe
  Token: SeDebugPrivilege | 2904 | svchost.exe
  Token: SeDebugPrivilege | 2240 | svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1932 | XClient.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | process | target process
  PID 1932 wrote to memory of 2988 | 1932 | XClient.exe | powershell.exe
  PID 1932 wrote to memory of 2988 | 1932 | XClient.exe | powershell.exe
  PID 1932 wrote to memory of 2988 | 1932 | XClient.exe | powershell.exe
  PID 1932 wrote to memory of 2576 | 1932 | XClient.exe | powershell.exe
  PID 1932 wrote to memory of 2576 | 1932 | XClient.exe | powershell.exe
  PID 1932 wrote to memory of 2576 | 1932 | XClient.exe | powershell.exe
  PID 1932 wrote to memory of 2872 | 1932 | XClient.exe | powershell.exe
  PID 1932 wrote to memory of 2872 | 1932 | XClient.exe | powershell.exe
  PID 1932 wrote to memory of 2872 | 1932 | XClient.exe | powershell.exe
  PID 1932 wrote to memory of 2708 | 1932 | XClient.exe | powershell.exe
  PID 1932 wrote to memory of 2708 | 1932 | XClient.exe | powershell.exe
  PID 1932 wrote to memory of 2708 | 1932 | XClient.exe | powershell.exe
  PID 1932 wrote to memory of 1864 | 1932 | XClient.exe | schtasks.exe
  PID 1932 wrote to memory of 1864 | 1932 | XClient.exe | schtasks.exe
  PID 1932 wrote to memory of 1864 | 1932 | XClient.exe | schtasks.exe
  PID 1452 wrote to memory of 1548 | 1452 | taskeng.exe | svchost.exe
  PID 1452 wrote to memory of 1548 | 1452 | taskeng.exe | svchost.exe
  PID 1452 wrote to memory of 1548 | 1452 | taskeng.exe | svchost.exe
  PID 1452 wrote to memory of 2904 | 1452 | taskeng.exe | svchost.exe
  PID 1452 wrote to memory of 2904 | 1452 | taskeng.exe | svchost.exe
  PID 1452 wrote to memory of 2904 | 1452 | taskeng.exe | svchost.exe
  PID 1452 wrote to memory of 2240 | 1452 | taskeng.exe | svchost.exe
  PID 1452 wrote to memory of 2240 | 1452 | taskeng.exe | svchost.exe
  PID 1452 wrote to memory of 2240 | 1452 | taskeng.exe | svchost.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {9DBF893E-5606-466E-BE56-FAAB580DCFBD} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 574ab3f1e372e9cdf3c5a8b4c8e26f2f
  SHA1: 422c17f79cba7ca6beb933ba964ccd162feb5631
  SHA256: 33a9aafeb02a29dfb86ac284ebc7364f2e40888cb24cbdd69985a4831aa13c86
  SHA512: 2f01568664f88c0eb958eae700b0142b2207325eae7cd4c2fd4868b7138ec788bd97aec25ee94a93fded3ea807776116dcd0af1fc650b4b16ef3469792a3b36d
- C:\Users\Admin\AppData\Roaming\svchost.exe (identical hashes to the submitted XClient.exe, i.e. a straight copy of the sample)
  Filesize: 41KB
  MD5: cb09c9133f40c4903525fa5a7df4c405
  SHA1: e8496990338d09a6b73d4808e3aada0f50cf758a
  SHA256: ad335bba6ec965c12c17a0fb8ae86aa26beebca57e63fba662757a79f1d6df22
  SHA512: be757f81deb1b8f43d51332d383ff829524ea94a54a732576b30bdba43a31eee2dfc9cd8ed5dce2cd06e191c307db2ddee687895a0de5ad6bc9709d167631b1f
- \??\PIPE\srvsvc (the hashes below are those of zero-length content; no data was captured from this pipe)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1548-36-0x0000000000DD0000-0x0000000000DE0000-memory.dmp
  Filesize: 64KB
- memory/1932-1-0x0000000001150000-0x0000000001160000-memory.dmp
  Filesize: 64KB
- memory/1932-2-0x000007FEFD150000-0x000007FEFD22B000-memory.dmp
  Filesize: 876KB
- memory/1932-0-0x000007FEFD150000-0x000007FEFD22B000-memory.dmp
  Filesize: 876KB
- memory/1932-37-0x000007FEFD150000-0x000007FEFD22B000-memory.dmp
  Filesize: 876KB
- memory/2576-16-0x000000001B580000-0x000000001B862000-memory.dmp
  Filesize: 2.9MB
- memory/2576-17-0x0000000002070000-0x0000000002078000-memory.dmp
  Filesize: 32KB
- memory/2988-7-0x000007FEFD150000-0x000007FEFD22B000-memory.dmp
  Filesize: 876KB
- memory/2988-10-0x000007FEFD150000-0x000007FEFD22B000-memory.dmp
  Filesize: 876KB
- memory/2988-9-0x0000000002860000-0x0000000002868000-memory.dmp
  Filesize: 32KB
- memory/2988-8-0x000000001B6E0000-0x000000001B9C2000-memory.dmp
  Filesize: 2.9MB