Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 14:00
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: XClient.exe
- Resource: win10v2004-20240426-en
General
- Target: XClient.exe
- Size: 173KB
- MD5: e53cfc4155bf01620aaf3ef5041116f2
- SHA1: 50b4d70680945e7e5806de76b47d56d1fc2af985
- SHA256: 7eb3f17102a94b55b2a95688d799bee21e55ad67c1ff6580c6968852705ace95
- SHA512: 63babf167c3ebdebf672213d68a441e3973009f52dc34d0f6bec880f8a9712669c223da43f0cd066da0e5495e885f66f5d2a366f918c07bb97b22fe6c8d58232
- SSDEEP: 3072:xIeFPAg95lvc+b6iTPXGOXx2Bz65/M6If+3Js+3JFkKeTns:xqg7Xbd2xBt25
Malware Config
- Extracted family: xworm
- C2: advertise-located.gl.at.ply.gg:54921
- C2: 19.ip.gl.ply.gg:54921
- Install_directory: %AppData%
- install_file: cmd.exe
Signatures
- Contains code to disable Windows Defender (1 IoC)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1984-44-0x0000000000AB0000-0x0000000000ABE000-memory.dmp   disable_win_def
- Detect Xworm Payload (4 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1984-1-0x0000000000AC0000-0x0000000000AF2000-memory.dmp    family_xworm
    C:\Users\Admin\AppData\Roaming\cmd.exe                                        family_xworm
    behavioral1/memory/1448-38-0x0000000000A00000-0x0000000000A32000-memory.dmp   family_xworm
    behavioral1/memory/2932-76-0x0000000000300000-0x0000000000332000-memory.dmp   family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
    pid    process
    2860   powershell.exe
    2416   powershell.exe
    2884   powershell.exe
    2480   powershell.exe
- Disables Task Manager via registry modification
- Drops startup file (2 IoCs)
  Processes:
    description                    ioc                                                                                    process
    File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk   XClient.exe
    File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk   XClient.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid    process
    1448   cmd.exe
    2932   cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid    process
    1984   XClient.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description       ioc                                                                                                                                                                   process
    Set value (str)   \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\Users\\Admin\\AppData\\Roaming\\cmd.exe"   XClient.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid    process
    2884   powershell.exe
    2480   powershell.exe
    2860   powershell.exe
    2416   powershell.exe
    1984   XClient.exe      (this row is repeated 60 times in the report, one per recorded enumeration)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid    process
    1984   XClient.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   1984   XClient.exe
    Token: SeDebugPrivilege   2884   powershell.exe
    Token: SeDebugPrivilege   2480   powershell.exe
    Token: SeDebugPrivilege   2860   powershell.exe
    Token: SeDebugPrivilege   2416   powershell.exe
    Token: SeDebugPrivilege   1984   XClient.exe
    Token: SeDebugPrivilege   1448   cmd.exe
    Token: SeDebugPrivilege   2932   cmd.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid    process
    1984   XClient.exe
- Suspicious use of WriteProcessMemory (21 IoCs; each row below is recorded three times in the report)
  Processes:
    description                        pid    process       target process
    PID 1984 wrote to memory of 2884   1984   XClient.exe   powershell.exe
    PID 1984 wrote to memory of 2480   1984   XClient.exe   powershell.exe
    PID 1984 wrote to memory of 2860   1984   XClient.exe   powershell.exe
    PID 1984 wrote to memory of 2416   1984   XClient.exe   powershell.exe
    PID 1984 wrote to memory of 1708   1984   XClient.exe   schtasks.exe
    PID 2132 wrote to memory of 1448   2132   taskeng.exe   cmd.exe
    PID 2132 wrote to memory of 2932   2132   taskeng.exe   cmd.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 1984
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    PID: 2884
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    PID: 2480
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\cmd.exe'
    PID: 2860
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
    PID: 2416
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\Users\Admin\AppData\Roaming\cmd.exe"
    PID: 1708
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {C157E03F-92BB-45C9-AAAF-3072CF941535} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
  PID: 2132
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\cmd.exe
    Command line: C:\Users\Admin\AppData\Roaming\cmd.exe
    PID: 1448
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\cmd.exe
    Command line: C:\Users\Admin\AppData\Roaming\cmd.exe
    PID: 2932
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe"
  PID: 452
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  PID: 2548
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 001ebf95ed70d913b7d76c4e6970bfe7
  SHA1: a09f730ef4fb69342c2d362d605d437ca28a9d9c
  SHA256: 1eb0c8c847926b9631ca57b7dbaf64819ae313147073c7472258fca9456fa15d
  SHA512: 0a76e420f0f2c994f4570d3ecff822713329c7a4e9bdf27f897e6db0807ee0d583a697459f5afac7058e3d99158e750e5a349f9d83618f782390fbbddeab569a
- C:\Users\Admin\AppData\Roaming\cmd.exe
  Filesize: 173KB
  MD5: e53cfc4155bf01620aaf3ef5041116f2
  SHA1: 50b4d70680945e7e5806de76b47d56d1fc2af985
  SHA256: 7eb3f17102a94b55b2a95688d799bee21e55ad67c1ff6580c6968852705ace95
  SHA512: 63babf167c3ebdebf672213d68a441e3973009f52dc34d0f6bec880f8a9712669c223da43f0cd066da0e5495e885f66f5d2a366f918c07bb97b22fe6c8d58232
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \Users\Admin\AppData\Local\Temp\tmpCBA8.tmp
  Filesize: 100KB
  MD5: 1b942faa8e8b1008a8c3c1004ba57349
  SHA1: cd99977f6c1819b12b33240b784ca816dfe2cb91
  SHA256: 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
  SHA512: 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43
- memory/1448-38-0x0000000000A00000-0x0000000000A32000-memory.dmp
  Filesize: 200KB
- memory/1984-34-0x0000000001F00000-0x0000000001F36000-memory.dmp
  Filesize: 216KB
- memory/1984-0-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp
  Filesize: 4KB
- memory/1984-44-0x0000000000AB0000-0x0000000000ABE000-memory.dmp
  Filesize: 56KB
- memory/1984-1-0x0000000000AC0000-0x0000000000AF2000-memory.dmp
  Filesize: 200KB
- memory/1984-31-0x0000000002220000-0x00000000022A0000-memory.dmp
  Filesize: 512KB
- memory/1984-32-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp
  Filesize: 4KB
- memory/1984-33-0x0000000002220000-0x00000000022A0000-memory.dmp
  Filesize: 512KB
- memory/1984-39-0x0000000002040000-0x000000000207A000-memory.dmp
  Filesize: 232KB
- memory/2480-15-0x0000000001F80000-0x0000000001F88000-memory.dmp
  Filesize: 32KB
- memory/2480-14-0x000000001B6B0000-0x000000001B992000-memory.dmp
  Filesize: 2.9MB
- memory/2884-7-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
  Filesize: 2.9MB
- memory/2884-6-0x0000000002C10000-0x0000000002C90000-memory.dmp
  Filesize: 512KB
- memory/2884-8-0x0000000002690000-0x0000000002698000-memory.dmp
  Filesize: 32KB
- memory/2932-76-0x0000000000300000-0x0000000000332000-memory.dmp
  Filesize: 200KB