Overview

overview

10

Static

static

10

XCl11ient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1794s
  • max time network
    1180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 04:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XCl11ient.exe

  • Size

    198KB

  • MD5

    ad23c3ed0a57035ec1e96821af565e9c

  • SHA1

    bbb6a5195e6595bf0b0f9afcd0edcbd6da37204c

  • SHA256

    99622679495f7f3e9ce02aaaa8a62d16ad385efe204f0d59059df0e51607dec5

  • SHA512

    c2de4832bbcda8ef69213ed3d4a04ccecf2761208c8b918d5b6d8a401ed5566ac11486fb2dafe89daf167d6d940b4633cdfbbba09578dc6bca404931391cee7d

  • SSDEEP

    3072:T0GuY3knJR+b5Pvcc+iewCDOwRk8RUGKXs+S++7KFSbxeY+qDDrMf:T0RsknibJvF5GqStKEbxI

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XCl11ient.exe
    "C:\Users\Admin\AppData\Local\Temp\XCl11ient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XCl11ient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XCl11ient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4508
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d28a889fd956d5cb3accfbaf1143eb6f

    SHA1

    157ba54b365341f8ff06707d996b3635da8446f7

    SHA256

    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

    SHA512

    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    e60eb305a7b2d9907488068b7065abd3

    SHA1

    1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

    SHA256

    ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

    SHA512

    95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    a7cc007980e419d553568a106210549a

    SHA1

    c03099706b75071f36c3962fcc60a22f197711e0

    SHA256

    a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

    SHA512

    b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ulxsc0v.huw.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
    Filesize

    198KB

    MD5

    ad23c3ed0a57035ec1e96821af565e9c

    SHA1

    bbb6a5195e6595bf0b0f9afcd0edcbd6da37204c

    SHA256

    99622679495f7f3e9ce02aaaa8a62d16ad385efe204f0d59059df0e51607dec5

    SHA512

    c2de4832bbcda8ef69213ed3d4a04ccecf2761208c8b918d5b6d8a401ed5566ac11486fb2dafe89daf167d6d940b4633cdfbbba09578dc6bca404931391cee7d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk
    Filesize

    808B

    MD5

    45d3b53966c20c97baa89fc2702ec0f5

    SHA1

    9720b12f41210da409d0edc02937c29037ab640a

    SHA256

    7ea0953708dac887dc5912dad00be93064d14fe7c8a21af443e83690056e3446

    SHA512

    724c0aeb56a1d3f59a1c9bf34504fcdb4fe29ffc2846e96c230d13661df9d2be822de73ad764f1b61ff1061df8a70bb97642b531ed2caeb2aa61d9a19c5b9168

    Download Submit
  • memory/1492-2-0x000001F137580000-0x000001F1375A2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1492-12-0x00007FFD30850000-0x00007FFD31311000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1492-13-0x00007FFD30850000-0x00007FFD31311000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1492-14-0x00007FFD30850000-0x00007FFD31311000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1492-17-0x00007FFD30850000-0x00007FFD31311000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2632-71-0x000001FDA3850000-0x000001FDA3851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2632-72-0x000001FDA3850000-0x000001FDA3851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2632-66-0x000001FDA3850000-0x000001FDA3851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2632-60-0x000001FDA3850000-0x000001FDA3851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2632-61-0x000001FDA3850000-0x000001FDA3851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2632-62-0x000001FDA3850000-0x000001FDA3851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2632-68-0x000001FDA3850000-0x000001FDA3851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2632-67-0x000001FDA3850000-0x000001FDA3851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2632-69-0x000001FDA3850000-0x000001FDA3851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2632-70-0x000001FDA3850000-0x000001FDA3851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4528-57-0x00007FFD30853000-0x00007FFD30855000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4528-0-0x00000000001D0000-0x0000000000206000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4528-58-0x00007FFD30850000-0x00007FFD31311000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4528-56-0x00007FFD30850000-0x00007FFD31311000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4528-1-0x00007FFD30853000-0x00007FFD30855000-memory.dmp
    Filesize

    8KB

    Download