Analysis

max time kernel: 128s
max time network: 138s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 02:26
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win7-20240221-en
General

Target: XClient.exe
Size: 176KB
MD5: d90b5d4b053571352a95eb0001f02162
SHA1: 25b83ffc67f11f95f81e749868829e8f861072c4
SHA256: a97071b70e639c205d450dd22cffdd9d5b4168812dc3bddf63860762b43a922c
SHA512: d5290e756f35f644cb8918073b405b3b7845adbdb1dc64597980317b4d22927717de6f69e8fe131878e5400d47b1bfff033af6a0ff9e86205103e883eac26dfa
SSDEEP: 3072:JqPW0E1hGyUHwMkbf2v/PPpOXhv8Bz65/M6If+3Js+3JFkKeTno:JqPW0EbGRjkbQ3MUxBt25
Malware Config

Extracted: xworm
non-activists.gl.at.ply.gg:7000
install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoC)
Processes:
  resource: behavioral1/memory/2476-1-0x00000000008C0000-0x00000000008F2000-memory.dmp
  yara_rule: family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid 2552  powershell.exe
  pid 2400  powershell.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 4  ioc ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid 2476  XClient.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid 2400  powershell.exe
  pid 2552  powershell.exe
  pid 2476  XClient.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2476  XClient.exe
  Token: SeDebugPrivilege  2400  powershell.exe
  Token: SeDebugPrivilege  2552  powershell.exe
  Token: SeDebugPrivilege  2476  XClient.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 2476  XClient.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process      target process
  PID 2476 wrote to memory of 2400  2476  XClient.exe  powershell.exe
  PID 2476 wrote to memory of 2400  2476  XClient.exe  powershell.exe
  PID 2476 wrote to memory of 2400  2476  XClient.exe  powershell.exe
  PID 2476 wrote to memory of 2552  2476  XClient.exe  powershell.exe
  PID 2476 wrote to memory of 2552  2476  XClient.exe  powershell.exe
  PID 2476 wrote to memory of 2552  2476  XClient.exe  powershell.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 2476
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    PID: 2400
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    PID: 2552
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BGY4EP79BSTOZEP4VG9T.temp
Filesize: 7KB
MD5: a71ee6b636ad7a952131d8af9c06a264
SHA1: 977c4247233748d865f69a9ccad7a1057cfde3ed
SHA256: c09e5b4a6ecafd2f2e8e43e4ddc8439f62506d10a9d1fbc20b79b5629d9209d2
SHA512: 09b1b1372aafe77f1004b055620018ac9c93a1ebcc66e7ca8e9a6852b25bad0a42ed3c9160fc97e9a1672a5655b585f8c2151b37465f2be4889d2384477fc84b