Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-05-2024 02:35

General

  • Target
    XClient.exe
  • Size
    166KB
  • MD5
    999d5d3666bdd99abf4a36257f5f24d7
  • SHA1
    1f06da5c90907bd0f73bd4d2d14127d7d0ce6572
  • SHA256
    d78ae71f6b40da4cd04ad34ea6a3b64997feca98871e0e24736b41d0b16cba17
  • SHA512
    b72e2323a57c1b0f9da597b08ddd9c3ed67ea2397324ab13b0869afaa8d8f39bdf8849a6aff9f31951d4d1f940e464d1f9e1040c6c9590ee336c0f422203dc1f
  • SSDEEP
    3072:l+GO3oDVuy2cbozBJ3ROZJfvcBz65/M6If+3Js+3JFkKeTno:lTVupcbA60xBt25

Malware Config

Extracted

Family

xworm

Attributes

  • install_file
    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MDWXECWDCDCW1GYIZI67.temp
    Filesize
    7KB
    MD5
    dcc709fd9475cd2120b1db5336ccf4a0
    SHA1
    28c846b2f019eb83f185f69b26aff6e34179db1b
    SHA256
    90a5346e577ac62f6f0c0d64c6ca356c27cdaa76874107599c40b3ba58f7958a
    SHA512
    a3d2e48509d622d8df5f342eceb89469b2fb56a9fd46ccdf87103937b18148bc10c2abdfa0f63b820ba24b60bf58c6fdeaf31de24612dd8074cd8455dde03b67
  • memory/1404-0-0x000007FEF5B53000-0x000007FEF5B54000-memory.dmp
    Filesize
    4KB
  • memory/1404-1-0x0000000000E90000-0x0000000000EC0000-memory.dmp
    Filesize
    192KB
  • memory/1404-2-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp
    Filesize
    9.9MB
  • memory/1404-17-0x000007FEF5B53000-0x000007FEF5B54000-memory.dmp
    Filesize
    4KB
  • memory/1404-18-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp
    Filesize
    9.9MB
  • memory/2452-15-0x000000001B710000-0x000000001B9F2000-memory.dmp
    Filesize
    2.9MB
  • memory/2452-16-0x00000000021D0000-0x00000000021D8000-memory.dmp
    Filesize
    32KB
  • memory/2620-7-0x0000000002B70000-0x0000000002BF0000-memory.dmp
    Filesize
    512KB
  • memory/2620-8-0x000000001B720000-0x000000001BA02000-memory.dmp
    Filesize
    2.9MB
  • memory/2620-9-0x0000000002240000-0x0000000002248000-memory.dmp
    Filesize
    32KB