Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
26-05-2024 02:35
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20231129-en
General
-
Target
XClient.exe
-
Size
166KB
-
MD5
999d5d3666bdd99abf4a36257f5f24d7
-
SHA1
1f06da5c90907bd0f73bd4d2d14127d7d0ce6572
-
SHA256
d78ae71f6b40da4cd04ad34ea6a3b64997feca98871e0e24736b41d0b16cba17
-
SHA512
b72e2323a57c1b0f9da597b08ddd9c3ed67ea2397324ab13b0869afaa8d8f39bdf8849a6aff9f31951d4d1f940e464d1f9e1040c6c9590ee336c0f422203dc1f
-
SSDEEP
3072:l+GO3oDVuy2cbozBJ3ROZJfvcBz65/M6If+3Js+3JFkKeTno:lTVupcbA60xBt25
Malware Config
Extracted
xworm
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1404-1-0x0000000000E90000-0x0000000000EC0000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid process 2620 powershell.exe 2452 powershell.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
XClient.exepid process 1404 XClient.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepowershell.exeXClient.exepid process 2620 powershell.exe 2452 powershell.exe 1404 XClient.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
XClient.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1404 XClient.exe Token: SeDebugPrivilege 2620 powershell.exe Token: SeDebugPrivilege 2452 powershell.exe Token: SeDebugPrivilege 1404 XClient.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
XClient.exepid process 1404 XClient.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
XClient.exedescription pid process target process PID 1404 wrote to memory of 2620 1404 XClient.exe powershell.exe PID 1404 wrote to memory of 2620 1404 XClient.exe powershell.exe PID 1404 wrote to memory of 2620 1404 XClient.exe powershell.exe PID 1404 wrote to memory of 2452 1404 XClient.exe powershell.exe PID 1404 wrote to memory of 2452 1404 XClient.exe powershell.exe PID 1404 wrote to memory of 2452 1404 XClient.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MDWXECWDCDCW1GYIZI67.temp
Filesize7KB
MD5dcc709fd9475cd2120b1db5336ccf4a0
SHA128c846b2f019eb83f185f69b26aff6e34179db1b
SHA25690a5346e577ac62f6f0c0d64c6ca356c27cdaa76874107599c40b3ba58f7958a
SHA512a3d2e48509d622d8df5f342eceb89469b2fb56a9fd46ccdf87103937b18148bc10c2abdfa0f63b820ba24b60bf58c6fdeaf31de24612dd8074cd8455dde03b67