Analysis
max time kernel: 47s
max time network: 47s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 25-05-2024 08:05
Behavioral task behavioral1
Sample: XClient.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: XClient.exe
Resource: win10v2004-20240226-en
Errors
General
Target: XClient.exe
Size: 173KB
MD5: e53cfc4155bf01620aaf3ef5041116f2
SHA1: 50b4d70680945e7e5806de76b47d56d1fc2af985
SHA256: 7eb3f17102a94b55b2a95688d799bee21e55ad67c1ff6580c6968852705ace95
SHA512: 63babf167c3ebdebf672213d68a441e3973009f52dc34d0f6bec880f8a9712669c223da43f0cd066da0e5495e885f66f5d2a366f918c07bb97b22fe6c8d58232
SSDEEP: 3072:xIeFPAg95lvc+b6iTPXGOXx2Bz65/M6If+3Js+3JFkKeTns:xqg7Xbd2xBt25
Malware Config
Extracted
Family: xworm
C2:
- advertise-located.gl.at.ply.gg:54921
- 19.ip.gl.ply.gg:54921
Install_directory: %AppData%
install_file: cmd.exe
Signatures
Detect Xworm Payload 3 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/348-1-0x0000000000DB0000-0x0000000000DE2000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\cmd.exe: family_xworm
- behavioral1/memory/2032-38-0x00000000012C0000-0x00000000012F2000-memory.dmp: family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 1712 powershell.exe
- 2848 powershell.exe
- 2300 powershell.exe
- 2508 powershell.exe
Drops startup file 2 IoCs
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk (XClient.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk (XClient.exe)
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 2032 cmd.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\Users\\Admin\\AppData\\Roaming\\cmd.exe" (XClient.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes (pid, process):
- 1712 powershell.exe
- 2848 powershell.exe
- 2300 powershell.exe
- 2508 powershell.exe
- 348 XClient.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 348 XClient.exe
- Token: SeDebugPrivilege, 1712 powershell.exe
- Token: SeDebugPrivilege, 2848 powershell.exe
- Token: SeDebugPrivilege, 2300 powershell.exe
- Token: SeDebugPrivilege, 2508 powershell.exe
- Token: SeDebugPrivilege, 348 XClient.exe
- Token: SeDebugPrivilege, 2032 cmd.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
- 348 XClient.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, process, target process):
- PID 348 wrote to memory of 1712: XClient.exe -> powershell.exe
- PID 348 wrote to memory of 1712: XClient.exe -> powershell.exe
- PID 348 wrote to memory of 1712: XClient.exe -> powershell.exe
- PID 348 wrote to memory of 2848: XClient.exe -> powershell.exe
- PID 348 wrote to memory of 2848: XClient.exe -> powershell.exe
- PID 348 wrote to memory of 2848: XClient.exe -> powershell.exe
- PID 348 wrote to memory of 2300: XClient.exe -> powershell.exe
- PID 348 wrote to memory of 2300: XClient.exe -> powershell.exe
- PID 348 wrote to memory of 2300: XClient.exe -> powershell.exe
- PID 348 wrote to memory of 2508: XClient.exe -> powershell.exe
- PID 348 wrote to memory of 2508: XClient.exe -> powershell.exe
- PID 348 wrote to memory of 2508: XClient.exe -> powershell.exe
- PID 348 wrote to memory of 1504: XClient.exe -> schtasks.exe
- PID 348 wrote to memory of 1504: XClient.exe -> schtasks.exe
- PID 348 wrote to memory of 1504: XClient.exe -> schtasks.exe
- PID 1416 wrote to memory of 2032: taskeng.exe -> cmd.exe
- PID 1416 wrote to memory of 2032: taskeng.exe -> cmd.exe
- PID 1416 wrote to memory of 2032: taskeng.exe -> cmd.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 348
  Signatures:
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    PID: 1712
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    PID: 2848
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\cmd.exe'
    PID: 2300
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
    PID: 2508
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\Users\Admin\AppData\Roaming\cmd.exe"
    PID: 1504
    Signatures:
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B1ADF0AA-B683-461A-B34B-68EBBF5160B5} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
  PID: 1416
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\cmd.exe
    Command line: C:\Users\Admin\AppData\Roaming\cmd.exe
    PID: 2032
    Signatures:
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1284
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2148
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 01bbee526793a92533c16dad0e3955d3
  SHA1: 76481a8ae2fde280c9454db75695b10df3894335
  SHA256: fad327b6e62c5851f8c27d52e9362a0e239ef002fb8146e9bc7625aaef14a3d9
  SHA512: 4b4857f8d8ee14af48f187f4141fd4b3624c10046cb9167e344af92e40ab0c317364a3f2ea73fc128f16d40f42c8586a61fd71f4551ea4a882f21195bd8a5265
- C:\Users\Admin\AppData\Roaming\cmd.exe
  Filesize: 173KB
  MD5: e53cfc4155bf01620aaf3ef5041116f2
  SHA1: 50b4d70680945e7e5806de76b47d56d1fc2af985
  SHA256: 7eb3f17102a94b55b2a95688d799bee21e55ad67c1ff6580c6968852705ace95
  SHA512: 63babf167c3ebdebf672213d68a441e3973009f52dc34d0f6bec880f8a9712669c223da43f0cd066da0e5495e885f66f5d2a366f918c07bb97b22fe6c8d58232
- \??\PIPE\srvsvc (these are the hashes of zero-length content)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/348-1-0x0000000000DB0000-0x0000000000DE2000-memory.dmp
  Filesize: 200KB
- memory/348-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp
  Filesize: 4KB
- memory/348-34-0x0000000000D20000-0x0000000000D2C000-memory.dmp
  Filesize: 48KB
- memory/348-33-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp
  Filesize: 4KB
- memory/348-32-0x000000001ACE0000-0x000000001AD60000-memory.dmp
  Filesize: 512KB
- memory/1712-7-0x000000001B780000-0x000000001BA62000-memory.dmp
  Filesize: 2.9MB
- memory/1712-8-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
  Filesize: 32KB
- memory/1712-6-0x0000000002E10000-0x0000000002E90000-memory.dmp
  Filesize: 512KB
- memory/2032-38-0x00000000012C0000-0x00000000012F2000-memory.dmp
  Filesize: 200KB
- memory/2848-15-0x00000000027F0000-0x00000000027F8000-memory.dmp
  Filesize: 32KB
- memory/2848-14-0x000000001B4C0000-0x000000001B7A2000-memory.dmp
  Filesize: 2.9MB