Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 02:15
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win7-20240419-en
General
Target: XClient.exe
Size: 179KB
MD5: 48ec861dda66f8a5c4c4abe34bde5533
SHA1: cc33872e3bac88a5b426e1d44932a60a42e97a3c
SHA256: 126def262910ee46ba3a1210d2c8f71f8348c18f248806abd559ae52d85e584f
SHA512: b50e3920d80ca5a9301be447c88294660901db1b453967365ed0031edc08e837aac6c351608643cdc0207bac6e3ce4c6ca49321a0641ab0759476db15537ac42
SSDEEP: 3072:NChMbbOhEiNnIbodpABzmONKv3Bz65/M6If+3Js+3JFkKeTno:NCeO5abXUfxBt25
Malware Config
Extracted
Family: xworm
xworm: non-activists.gl.at.ply.gg:63701
install_file: USB.exe
Signatures
Detect Xworm Payload (1 IoC)
  Processes:
    resource: behavioral1/memory/1764-1-0x0000000000F70000-0x0000000000FA2000-memory.dmp, yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes:
    pid 2644 powershell.exe
    pid 2532 powershell.exe
Deletes itself (1 IoC)
  Processes:
    pid 1224 cmd.exe
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 4, ioc ip-api.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 1936 timeout.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid 1764 XClient.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid 2644 powershell.exe
    pid 2532 powershell.exe
    pid 1764 XClient.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 1764 XClient.exe
    Token: SeDebugPrivilege, pid 2644 powershell.exe
    Token: SeDebugPrivilege, pid 2532 powershell.exe
    Token: SeDebugPrivilege, pid 1764 XClient.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid 1764 XClient.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1764 wrote to memory of 2644, 1764 XClient.exe, powershell.exe
    PID 1764 wrote to memory of 2644, 1764 XClient.exe, powershell.exe
    PID 1764 wrote to memory of 2644, 1764 XClient.exe, powershell.exe
    PID 1764 wrote to memory of 2532, 1764 XClient.exe, powershell.exe
    PID 1764 wrote to memory of 2532, 1764 XClient.exe, powershell.exe
    PID 1764 wrote to memory of 2532, 1764 XClient.exe, powershell.exe
    PID 1764 wrote to memory of 1224, 1764 XClient.exe, cmd.exe
    PID 1764 wrote to memory of 1224, 1764 XClient.exe, cmd.exe
    PID 1764 wrote to memory of 1224, 1764 XClient.exe, cmd.exe
    PID 1224 wrote to memory of 1936, 1224 cmd.exe, timeout.exe
    PID 1224 wrote to memory of 1936, 1224 cmd.exe, timeout.exe
    PID 1224 wrote to memory of 1936, 1224 cmd.exe, timeout.exe
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 1764
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    PID: 2644
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    PID: 2532
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9DD5.tmp.bat""
    PID: 1224
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 1936
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 159B
MD5: 6ab4ab4d425205316ec2c455a28c804a
SHA1: 65b60ac1ce53cb6d9daaae8fb857e7c13c092757
SHA256: 70a88ad1f59eebda08db8808634d11adafdd9eb4f19fcfd42898f7a75a9c342d
SHA512: 8ac1245d3d8a488c7fc35a309812bb9b4098c69ddec7df683a8768743586bc2897d83ae42d65cb70d63fd9ed8a8d0b0b78a7faf0b4c3f77628d66029e0d3f46d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 95cfe3f84e727693fa11e39b5cde6e85
SHA1: 914f0ba0643c14bf6a14538372aa760a3ecb0df8
SHA256: 0eca63c29ccdedfa3ff262987b5b014cd040f6ef7d0be11e3a87a69d40f5d9f1
SHA512: 29ebd46129d50251596576fbcb8d63a1af2edca1ee1c7f2f51141caa9e5b6b472771dbdf026906776357a623026857166a2b89d5a986f877d25a42e43c9cc5ad