Analysis

max time kernel: 137s
max time network: 146s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 01:59
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win7-20240221-en
General

Target: XClient.exe
Size: 175KB
MD5: 9afc2e70fad3d440999ed605851850e4
SHA1: 34836262686a5b0b726a39c668fe1d7dd6008c0d
SHA256: 90c35873f1c8dc86fcf087b25a5030bd530ae6cbe72e2b5a8a1e78aa1fca6599
SHA512: a9d106af7956fc0edea1c41bf1da6d91660a84ed20a70cc249fea392f15d86ba994f5648a463cb5cebd4df8e20adcd7f1e3ce23522b1fd140aa95b90b3688c53
SSDEEP: 3072:yClC9kymzLTWb/3mGOzZnvzBz65/M6If+3Js+3JFkKeTno:yClCuRqb2rxBt25
Malware Config

Extracted: xworm
  127.0.0.1:7000
  192.168.1.3:7000
  fe80::717e:3988:f9ae:459f%20:7000
  install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1924-1-0x0000000000950000-0x0000000000982000-memory.dmp  family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
    pid   process
    2756  powershell.exe
    2584  powershell.exe

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     ip-api.com

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid   process
    1924  XClient.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    2756  powershell.exe
    2584  powershell.exe
    1924  XClient.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1924  XClient.exe
    Token: SeDebugPrivilege  2756  powershell.exe
    Token: SeDebugPrivilege  2584  powershell.exe
    Token: SeDebugPrivilege  1924  XClient.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    1924  XClient.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process      target process
    PID 1924 wrote to memory of 2756  1924  XClient.exe  powershell.exe
    PID 1924 wrote to memory of 2756  1924  XClient.exe  powershell.exe
    PID 1924 wrote to memory of 2756  1924  XClient.exe  powershell.exe
    PID 1924 wrote to memory of 2584  1924  XClient.exe  powershell.exe
    PID 1924 wrote to memory of 2584  1924  XClient.exe  powershell.exe
    PID 1924 wrote to memory of 2584  1924  XClient.exe  powershell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe (depth 1, PID 1924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2756)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2584)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: c13e7fd54030db1c7b44cb1b93269287
  SHA1: 4366ac80473f09821384f74da407701c1dead518
  SHA256: 38774ac9f7db8cfcdc6b41fd422fe1b3c04269a5daef61fd644e3f5d56342a88
  SHA512: de48ce730c8d310bbe9d25c01ae19ea26f98565f57d42ddbd800dc2502a952044088f173ce964bf818adb9ae89e6a346275e9b97fe7990ea6cfe6526626708ff