Analysis Overview
SHA256
a089baba4b046b231c5008343025b97f47bab795bdebd0fb47c608053ba4d8b8
Threat Level: Known bad
The file XClient.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Xworm family
Command and Scripting Interpreter: PowerShell
Drops startup file
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 02:34
Signatures
Detect Xworm Payload
Xworm family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 02:34
Reported
2024-05-26 02:37
Platform
win10-20240404-en
Max time kernel
149s
Max time network
137s
Command Line
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spoofer.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spoofer.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Spoofer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Spoofer.exe'
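The four PowerShell launches above are the sample adding Microsoft Defender exclusions for itself and for a Spoofer.exe copy under Roaming, and the "Drops startup file" signature shows the Startup-folder shortcut it uses for persistence. The detector below is an added example, not part of the sandbox report: it runs over process-creation and file-creation events constructed from the command lines and paths this report lists (Sysmon-style field names; the ParentImage values are an assumption, since the report does not state parent processes) and rates an exclusion as high severity when it names a bare process name, a user-writable path, or is launched from one.

```python
"""Flag Defender-exclusion tampering and Startup-folder persistence in
process-creation and file-creation telemetry.

Added example, not part of the sandbox report. Event records are constructed
from the command lines and paths the report lists; field names follow Sysmon
conventions, and ParentImage is assumed (the report does not state it).
"""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XCLIENT = r"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

# Locations an unprivileged user can write to. An exclusion pointing here
# shields whatever the attacker drops there next.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
    "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\", "\\downloads\\",
)
STARTUP_DIR = "\\start menu\\programs\\startup\\"

ADD_MP = re.compile(r"add-mppreference", re.I)
BYPASS = re.compile(r"-executionpolicy\s+bypass", re.I)
# -ExclusionPath 'value', -ExclusionProcess "value", or an unquoted token.
EXCLUSION = re.compile(
    r"-exclusion(path|process|extension|ipaddress)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.I,
)


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(root in p for root in USER_WRITABLE)


def parse_exclusions(cmdline: str) -> list:
    """Return (kind, value) pairs for every -Exclusion* argument, kind lower-cased."""
    return [
        (m.group(1).lower(), m.group(2) or m.group(3) or m.group(4))
        for m in EXCLUSION.finditer(cmdline)
    ]


def check_process(ev: dict):
    cmd = ev.get("CommandLine", "")
    if not ADD_MP.search(cmd):
        return None
    high, evidence = False, []
    for kind, value in parse_exclusions(cmd):
        if kind == "process" and "\\" not in value:
            # A bare name excludes every binary so named, wherever it lives.
            high = True
            evidence.append(f"process-name exclusion {value!r}")
        elif is_user_writable(value):
            high = True
            evidence.append(f"{kind} exclusion in user-writable location {value!r}")
        else:
            evidence.append(f"{kind} exclusion {value!r}")
    if is_user_writable(ev.get("ParentImage", "")):
        high = True
        evidence.append("launched by a binary in a user-writable location")
    if BYPASS.search(cmd):
        evidence.append("-ExecutionPolicy Bypass")
    return {"rule": "defender_exclusion_tamper",
            "severity": "high" if high else "medium",
            "process": ev.get("Image"), "evidence": evidence}


def check_file(ev: dict):
    target = ev.get("TargetFilename", "")
    if STARTUP_DIR not in target.lower():
        return None
    writer = ev.get("Image", "")
    return {"rule": "startup_folder_persistence",
            "severity": "high" if is_user_writable(writer) else "medium",
            "process": writer, "evidence": [f"wrote {target!r}"]}


def analyze(events: list) -> list:
    findings = []
    for ev in events:
        hit = check_process(ev) if ev["type"] == "process" else check_file(ev)
        if hit:
            findings.append(hit)
    return findings


def ps(args: str) -> str:
    """Build the quoted powershell.exe command line as the report shows it."""
    return f'"{PS}" {args}'


EVENTS = [
    # The four PowerShell launches from the Processes section (parent assumed).
    {"type": "process", "Image": PS, "ParentImage": XCLIENT, "CommandLine": ps(
        r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'")},
    {"type": "process", "Image": PS, "ParentImage": XCLIENT, "CommandLine": ps(
        r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'")},
    {"type": "process", "Image": PS, "ParentImage": XCLIENT, "CommandLine": ps(
        r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Spoofer.exe'")},
    {"type": "process", "Image": PS, "ParentImage": XCLIENT, "CommandLine": ps(
        r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Spoofer.exe'")},
    # The Startup-folder drop from the "Drops startup file" signature.
    {"type": "file", "Image": XCLIENT, "TargetFilename":
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spoofer.lnk"},
    # Constructed benign baseline: an administrator excluding a build tree from cmd.exe.
    {"type": "process", "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": ps(r"Add-MpPreference -ExclusionPath 'C:\BuildAgent\work'")},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["severity"].upper(), f["rule"], f["process"], "; ".join(f["evidence"]))
```

The benign baseline stays at medium so that legitimate administrator exclusions are reviewed rather than paged on; on a real host, compare the result against `Get-MpPreference | Select ExclusionPath, ExclusionProcess` to see whether the exclusions actually took effect.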
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
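Of the eight rows above, only two are connections the sample itself made (ip-api.com over TCP/80 to learn the victim's public IP, and api.telegram.org over TCP/443); the rest are resolver traffic to 8.8.8.8 and reverse lookups of addresses already seen, which are not indicators to block. The script below is an added example, not part of the sandbox report: it parses the Network table as pasted, separates that noise from real connections, and emits the domain/destination pairs worth blocking. The service lists are an illustrative starting set, not a claim about what this sample contacts beyond the two domains shown.

```python
"""Parse the report's Network table, separate resolver and PTR noise from
real connections, and pull out the indicators worth blocking.

Added example, not part of the sandbox report. NETWORK_TABLE is the table
above pasted as text; the service lists are an illustrative starting set.
"""

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
"""

# Services commonly abused by commodity RATs to learn the victim's public IP
# and to push a "new victim" notification; extend for your environment.
EXTERNAL_IP_SERVICES = {"ip-api.com", "api.ipify.org", "icanhazip.com",
                        "ifconfig.me", "checkip.amazonaws.com"}
MESSAGING_APIS = {"api.telegram.org", "discord.com"}


def parse_table(text: str) -> list:
    """Turn the pipe table into a list of dicts keyed by the header cells."""
    def cells(line: str) -> list:
        return [c.strip() for c in line.strip().strip("|").split("|")]
    lines = [l for l in text.splitlines() if l.strip().startswith("|")]
    header = cells(lines[0])
    return [dict(zip(header, cells(l))) for l in lines[1:]]


def is_dns_query(row: dict) -> bool:
    return row["Destination"].endswith(":53")


def classify(domain: str) -> str:
    d = domain.lower()
    if d.endswith(".in-addr.arpa"):
        return "ptr_lookup"  # reverse lookup of an IP already seen; not an IOC
    if d in EXTERNAL_IP_SERVICES:
        return "external_ip_lookup"
    if d in MESSAGING_APIS:
        return "messaging_api"
    return "other"


def extract_iocs(rows: list) -> list:
    """Domain/destination pairs for actual connections, minus resolver and PTR traffic."""
    iocs = {(r["Domain"], r["Destination"]) for r in rows
            if not is_dns_query(r) and classify(r["Domain"]) != "ptr_lookup"}
    return sorted(iocs)


def summarize(rows: list) -> dict:
    counts = {}
    for r in rows:
        kind = classify(r["Domain"])
        counts[kind] = counts.get(kind, 0) + 1
    connected = {classify(r["Domain"]) for r in rows if not is_dns_query(r)}
    # External-IP lookup plus a bot/webhook API is the usual check-in
    # pattern; it is a triage hint, not proof on its own.
    counts["notification_channel_pattern"] = (
        {"external_ip_lookup", "messaging_api"} <= connected
    )
    return counts


if __name__ == "__main__":
    rows = parse_table(NETWORK_TABLE)
    print(summarize(rows))
    for domain, dest in extract_iocs(rows):
        print("IOC", domain, dest)
```

Block the IOC pairs rather than the bare domains where that is practical: api.telegram.org and ip-api.com also carry legitimate traffic, so the useful alert is the combination from a host that has no business reason to reach either.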
Files
memory/2452-0-0x00007FFB323B3000-0x00007FFB323B4000-memory.dmp
memory/2452-1-0x00000000002B0000-0x00000000002E4000-memory.dmp
memory/2452-2-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/4864-7-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/4864-8-0x0000026E4ADA0000-0x0000026E4ADC2000-memory.dmp
memory/4864-9-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/4864-13-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/4864-14-0x0000026E4B030000-0x0000026E4B0A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_id01jyi0.4vg.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4864-52-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d0718d048ce8c7ef48af5802d22b8bbb |
| SHA1 | 18de622e48b52474cc7af62d77b089faf953392f |
| SHA256 | 294b9c6a3d38eae77642a9852fdc26261215a23cd400f43afc22f1ef6399c97f |
| SHA512 | 3843a681d14f59e29f59b7f3b292387e0d639d4a981dd005798f44f73e03ce74881a9a4a9d57fadfa946475b9698357baaaf8a3c33afad0eaa85e9fdfd0dd463 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 31ff38da2faad227b4a58f8a9c3518e1 |
| SHA1 | 7570c415eee21c58265a38fde5ce3924f04e3ee0 |
| SHA256 | 86fdcb908209ecdae0d720066ca33d667cd18b530c2c88eeb4e81f5e1ba89016 |
| SHA512 | 013e010214ef3d734564a6c0f5c78765e22b8e0ba714b871f0e4dfec97246bd9f22163ab725afa5194a5be8a0d9d3ddcb5ee06b895bf7b45a5864913fe6e2424 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7fd8c4fb2bfdf1147cffdbe626876e57 |
| SHA1 | 29dcadc976789a035cad7e9c1e9fc4c28de7574d |
| SHA256 | 8e5f76bc63ffdf60e836534189ed152733668ce014df2c2713f9bd9b83368a0a |
| SHA512 | d53f974258c282b5cb6bc348c77e34c8bdd502b7bb37303625481e00b6c491ee324d86bf8204ec4f1cfc9820eabe7c7191ed975223948feeefbc26a79d19ef76 |
memory/2452-187-0x00007FFB323B3000-0x00007FFB323B4000-memory.dmp
memory/2452-188-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp