Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
23-05-2024 15:41
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
XClient.exe
Resource
win10v2004-20240508-en
General
-
Target
XClient.exe
-
Size
46KB
-
MD5
f057994465d01526751fd54b2d51211f
-
SHA1
6c5f8b5f144cb461c423a19e19b80c7592da2adb
-
SHA256
fe3147f86b26fd633dc86f6104010d34326fa015e1cc1cb44c6e13dfadf5842f
-
SHA512
ce9fe02b419029708fd1c9ad57fbb678a741c60948c8e75ef51e221b5adf7b2bd27d7a9aedb81d8910f3b443804d5fec8016f928ceb606fd367fa7aea8878ad0
-
SSDEEP
768:YnxE3+8AgNT7IqTpGhJduILzFh0gFEPI9O0Lr68Ouhvzj09:Yn2+86JtXFr9Zn68OuJW
Malware Config
Extracted
xworm
5.0
users-bikes.gl.at.ply.gg:60963
gkvCDExYHD5vnCdW
-
Install_directory
%Temp%
-
install_file
solara.exe
-
telegram
https://api.telegram.org/bot7146936438:AAE_9wNhZKkwFCU2TNwhMIogBHJX_-QiQso/sendMessage?chat_id=1380863399
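The config fields above, turned into hunt-ready indicators. This is an added example and is not part of the sandbox report or of the XWorm family's code: the C2 endpoint, install directory and file name in the sample are copied from the config, the Telegram bot token and chat_id are placeholders, and the helper names, the `<user>` profile placeholder and the list of environment variables expanded are this example's own assumptions. The one point the block makes that the config alone does not is that `%Temp%` has to be expanded against the victim's profile, not the analyst's environment, and that the bot token is a credential that should not be copied into tickets in full.

```python
"""Turn the extracted config above into hunt-ready indicators. Added example, not
part of the sandbox report or of the XWorm family's code."""
import re
from urllib.parse import parse_qs, urlsplit

# %Temp% and friends must be expanded against the *victim* profile; expanding them
# with os.path.expandvars on the analyst's machine would yield the analyst's paths.
WIN_ENV = {
    "%temp%": r"{profile}\AppData\Local\Temp",
    "%appdata%": r"{profile}\AppData\Roaming",
    "%localappdata%": r"{profile}\AppData\Local",
    "%userprofile%": r"{profile}",
}
STARTUP_DIR = r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Telegram Bot API URL: the path segment after "bot" is the bot token (a credential).
TG_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[\w-]+)/(?P<method>\w+)")

# Constructed sample in the shape of the config above. C2, directory and file name
# are taken from the report; the Telegram bot token and chat_id are placeholders.
SAMPLE_CFG = {
    "family": "xworm",
    "version": "5.0",
    "c2": "users-bikes.gl.at.ply.gg:60963",
    "Install_directory": "%Temp%",
    "install_file": "solara.exe",
    "telegram": "https://api.telegram.org/bot1234567890:AAExampleTokenPlaceholder0000000"
                "/sendMessage?chat_id=1000000000",
}


def expand_install_path(directory, filename, profile=r"C:\Users\<user>"):
    """Expand a config placeholder directory relative to a chosen user profile."""
    key = directory.strip().lower()
    base = WIN_ENV[key].format(profile=profile) if key in WIN_ENV else directory
    return base.rstrip("\\") + "\\" + filename


def parse_c2(endpoint):
    """Split 'host:port' (rpartition keeps IPv6-style hosts with colons intact)."""
    host, _, port = endpoint.rpartition(":")
    return {"host": host, "port": int(port)}


def parse_telegram(url):
    """Pull bot id, API method and chat_id out of a Bot API URL; mask the token."""
    m = TG_BOT_URL.search(url)
    if not m:
        return None
    query = parse_qs(urlsplit(url).query)
    return {
        "bot_id": m.group("bot_id"),
        # Keep only a prefix: the full token lets anyone drive the attacker's bot
        # and belongs in the case file, not in tickets or dashboards.
        "token_prefix": f'{m.group("bot_id")}:{m.group("secret")[:4]}...',
        "method": m.group("method"),
        "chat_id": query.get("chat_id", [None])[0],
    }


def config_to_iocs(cfg, profile=r"C:\Users\<user>"):
    """Derive file, registry and network indicators from one extracted config."""
    install = expand_install_path(cfg["Install_directory"], cfg["install_file"], profile)
    stem = cfg["install_file"].rsplit(".", 1)[0]
    return {
        "c2": parse_c2(cfg["c2"]),
        "install_path": install,
        # The report shows a Run value named after the file stem and a matching .lnk.
        "run_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" + "\\" + stem,
        "startup_lnk": profile + STARTUP_DIR + "\\" + stem + ".lnk",
        "telegram": parse_telegram(cfg["telegram"]),
    }


if __name__ == "__main__":
    for name, value in config_to_iocs(SAMPLE_CFG, profile=r"C:\Users\Admin").items():
        print(f"{name:<12} {value}")
```

Feed `config_to_iocs` one profile per user of interest (or a wildcard such as `C:\Users\*`) when building file-system and registry hunts; the C2 host and the Telegram bot id are the stable network indicators, since the token can be rotated.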
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource: behavioral1/memory/2084-1-0x0000000000130000-0x0000000000142000-memory.dmp
yara_rule: family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions. The cmdlet can exclude file extensions, paths and processes; this sample excludes both the dropper and the install file by path and by process name, so neither the initial binary nor the persisted copy is scanned.
Processes:
pid process
2532 powershell.exe
1476 powershell.exe
2528 powershell.exe
2796 powershell.exe -
Drops startup file 2 IoCs
Processes:
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\solara.lnk
process: XClient.exe
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\solara.lnk
process: XClient.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\solara.exe"
process: XClient.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow: 4
ioc: ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid process
2532 powershell.exe
1476 powershell.exe
2528 powershell.exe
2796 powershell.exe
2084 XClient.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2084 XClient.exe
Token: SeDebugPrivilege 2532 powershell.exe
Token: SeDebugPrivilege 1476 powershell.exe
Token: SeDebugPrivilege 2528 powershell.exe
Token: SeDebugPrivilege 2796 powershell.exe
Token: SeDebugPrivilege 2084 XClient.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid process
2084 XClient.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description pid process target process
PID 2084 wrote to memory of 2532 2084 XClient.exe powershell.exe
PID 2084 wrote to memory of 2532 2084 XClient.exe powershell.exe
PID 2084 wrote to memory of 2532 2084 XClient.exe powershell.exe
PID 2084 wrote to memory of 1476 2084 XClient.exe powershell.exe
PID 2084 wrote to memory of 1476 2084 XClient.exe powershell.exe
PID 2084 wrote to memory of 1476 2084 XClient.exe powershell.exe
PID 2084 wrote to memory of 2528 2084 XClient.exe powershell.exe
PID 2084 wrote to memory of 2528 2084 XClient.exe powershell.exe
PID 2084 wrote to memory of 2528 2084 XClient.exe powershell.exe
PID 2084 wrote to memory of 2796 2084 XClient.exe powershell.exe
PID 2084 wrote to memory of 2796 2084 XClient.exe powershell.exe
PID 2084 wrote to memory of 2796 2084 XClient.exe powershell.exe
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\XClient.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Depth 2 (child of XClient.exe): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Depth 2 (child of XClient.exe): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Depth 2 (child of XClient.exe): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\solara.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Depth 2 (child of XClient.exe): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'solara.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
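Detection logic for the chain shown in the process tree and signatures above, written as an added example; it is not part of the sandbox report and not code from the XWorm sample. The events are constructed Sysmon-style dictionaries modelled on the report (PIDs, image paths, command lines, Run key, Startup .lnk and the ip-api.com lookup are taken from it; the parent PID 1000 of XClient.exe, the event field names, the rule names and the severity scheme are this example's own assumptions). The point it adds is the correlation: an Add-MpPreference exclusion is scored higher when its parent lives in a user-writable directory, and every alert is attributed to the root of the process chain so the four PowerShell children and the persistence artefacts collapse into one incident.

```python
"""Detect the chain from the process tree above over constructed Sysmon-style
events: Defender exclusions added via PowerShell, Run-key and Startup-folder
persistence, and an external-IP lookup. Added example, not part of the report."""
import re
from collections import defaultdict
from dataclasses import dataclass

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\XClient.exe"


def _ps(pid, args):
    """Constructed process-creation event for one Add-MpPreference child."""
    return {"type": "process_create", "pid": pid, "ppid": 2084, "image": PS,
            "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference {args}'}


# Constructed telemetry modelled on the report (PIDs, paths and command lines from
# the tree; the parent PID 1000 of XClient.exe is assumed).
EVENTS = [
    {"type": "process_create", "pid": 2084, "ppid": 1000, "image": DROPPER,
     "cmdline": f'"{DROPPER}"'},
    _ps(2532, r"-ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'"),
    _ps(1476, r"-ExclusionProcess 'XClient.exe'"),
    _ps(2528, r"-ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\solara.exe'"),
    _ps(2796, r"-ExclusionProcess 'solara.exe'"),
    {"type": "registry_set", "pid": 2084,
     "key": r"HKU\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\solara",
     "value": r"C:\Users\Admin\AppData\Local\Temp\solara.exe"},
    {"type": "file_create", "pid": 2084,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\solara.lnk"},
    {"type": "dns_query", "pid": 2084, "query": "ip-api.com"},
]

# Locations a standard user can write to; a binary living here that tampers with
# Defender or persists is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming|Local)\\", re.I)
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I | re.S)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Public IP-lookup services commonly queried by stealers and RATs right after start.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com", "checkip.amazonaws.com"}


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    root_pid: int      # top of the observed process chain, so alerts group per infection
    severity: str
    detail: str


def detect(events):
    """Run the four rules over a list of events and return one Alert per hit."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}

    def root_of(pid):
        # Walk up while the parent is a process we actually observed.
        while parent.get(pid) in image:
            pid = parent[pid]
        return pid

    alerts = []
    for e in events:
        pid, kind = e["pid"], e["type"]
        if kind == "process_create" and (m := MP_EXCLUSION.search(e["cmdline"])):
            par = image.get(parent.get(pid), "")
            sev = "high" if USER_WRITABLE.search(par) else "medium"
            alerts.append(Alert("defender_exclusion", pid, root_of(pid), sev,
                                f"-Exclusion{m.group(1)} spawned by {par or 'unknown parent'}"))
        elif kind == "registry_set" and RUN_KEY.search(e["key"]):
            sev = "high" if USER_WRITABLE.search(e["value"]) else "low"
            alerts.append(Alert("run_key_persistence", pid, root_of(pid), sev, e["key"]))
        elif kind == "file_create" and STARTUP_DIR.search(e["path"]):
            alerts.append(Alert("startup_folder_lnk", pid, root_of(pid), "medium", e["path"]))
        elif kind == "dns_query" and e["query"].lower() in IP_LOOKUP_HOSTS:
            alerts.append(Alert("external_ip_lookup", pid, root_of(pid), "low", e["query"]))
    return alerts


def summarize(alerts):
    """Map each root process to the sorted set of rules it tripped."""
    by_root = defaultdict(set)
    for a in alerts:
        by_root[a.root_pid].add(a.rule)
    return {root: sorted(rules) for root, rules in by_root.items()}


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a.severity:<6}] {a.rule:<20} pid={a.pid} root={a.root_pid} {a.detail}")
    print(summarize(detect(EVENTS)))
```

The exclusion rule deliberately keys on the cmdlet and parameter names rather than on the excluded paths, since those change per build; an administrator running Add-MpPreference from an elevated shell under System32 still surfaces, but at medium severity, so the tuning knob is the parent image rather than the rule itself.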
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 96800fa2665f469a41178c92d529a4ad
SHA1 b19843f61cabed68b0c63ac6acb8ffba274e7ef3
SHA256 25376e9cd5142a3aa07301ea5f5b527166358a623c3622ba663b48ecbd2b9dd5
SHA512 76b8fee2271d03b88959c2f5036a990f04ce09e6b9b122542e60bc809ba22f8e013eed0a792effe33c55cc984995c12ddd4c1f0a1da8694af1d2a4c591977c54
-
memory/1476-15-0x000000001B5D0000-0x000000001B8B2000-memory.dmp
Filesize 2.9MB
-
memory/1476-16-0x0000000001D20000-0x0000000001D28000-memory.dmp
Filesize 32KB
-
memory/2084-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp
Filesize 4KB
-
memory/2084-1-0x0000000000130000-0x0000000000142000-memory.dmp
Filesize 72KB
-
memory/2084-2-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp
Filesize 9.9MB
-
memory/2084-31-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp
Filesize 4KB
-
memory/2084-32-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp
Filesize 9.9MB
-
memory/2532-7-0x0000000002D20000-0x0000000002DA0000-memory.dmp
Filesize 512KB
-
memory/2532-8-0x000000001B670000-0x000000001B952000-memory.dmp
Filesize 2.9MB
-
memory/2532-9-0x0000000001D20000-0x0000000001D28000-memory.dmp
Filesize 32KB