Resubmissions

26-05-2024 02:26

240526-cw1qgabe6z 10

26-05-2024 02:15

240526-cp3w9abc4z 10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 02:15

General

  • Target

    XClient.exe

  • Size

    179KB

  • MD5

    48ec861dda66f8a5c4c4abe34bde5533

  • SHA1

    cc33872e3bac88a5b426e1d44932a60a42e97a3c

  • SHA256

    126def262910ee46ba3a1210d2c8f71f8348c18f248806abd559ae52d85e584f

  • SHA512

    b50e3920d80ca5a9301be447c88294660901db1b453967365ed0031edc08e837aac6c351608643cdc0207bac6e3ce4c6ca49321a0641ab0759476db15537ac42

  • SSDEEP

    3072:NChMbbOhEiNnIbodpABzmONKv3Bz65/M6If+3Js+3JFkKeTno:NCeO5abXUfxBt25

Malware Config

Extracted

Family

xworm

C2

non-activists.gl.at.ply.gg:63701

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9DD5.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1936

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9DD5.tmp.bat

    Filesize

    159B

    MD5

    6ab4ab4d425205316ec2c455a28c804a

    SHA1

    65b60ac1ce53cb6d9daaae8fb857e7c13c092757

    SHA256

    70a88ad1f59eebda08db8808634d11adafdd9eb4f19fcfd42898f7a75a9c342d

    SHA512

    8ac1245d3d8a488c7fc35a309812bb9b4098c69ddec7df683a8768743586bc2897d83ae42d65cb70d63fd9ed8a8d0b0b78a7faf0b4c3f77628d66029e0d3f46d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    95cfe3f84e727693fa11e39b5cde6e85

    SHA1

    914f0ba0643c14bf6a14538372aa760a3ecb0df8

    SHA256

    0eca63c29ccdedfa3ff262987b5b014cd040f6ef7d0be11e3a87a69d40f5d9f1

    SHA512

    29ebd46129d50251596576fbcb8d63a1af2edca1ee1c7f2f51141caa9e5b6b472771dbdf026906776357a623026857166a2b89d5a986f877d25a42e43c9cc5ad

  • memory/1764-17-0x0000000000F60000-0x0000000000F6C000-memory.dmp

    Filesize

    48KB

  • memory/1764-2-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/1764-0-0x000007FEF51F3000-0x000007FEF51F4000-memory.dmp

    Filesize

    4KB

  • memory/1764-18-0x000007FEF51F3000-0x000007FEF51F4000-memory.dmp

    Filesize

    4KB

  • memory/1764-19-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/1764-20-0x000000001AE90000-0x000000001AF1E000-memory.dmp

    Filesize

    568KB

  • memory/1764-1-0x0000000000F70000-0x0000000000FA2000-memory.dmp

    Filesize

    200KB

  • memory/1764-29-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2532-15-0x000000001B700000-0x000000001B9E2000-memory.dmp

    Filesize

    2.9MB

  • memory/2532-16-0x00000000027E0000-0x00000000027E8000-memory.dmp

    Filesize

    32KB

  • memory/2644-7-0x0000000002BC0000-0x0000000002C40000-memory.dmp

    Filesize

    512KB

  • memory/2644-8-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB

  • memory/2644-9-0x0000000001F00000-0x0000000001F08000-memory.dmp

    Filesize

    32KB