Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26-05-2024 08:08
General
Target: XClient.exe
Size: 62KB
MD5: 37fdd03f70527399a99b19c77dfafed1
SHA1: 3b70e9c942883d8bec7042764ec0edfa62414906
SHA256: 7b45e50061c5a05b74970e33573d2e22560a709e52959f9d6e0024b281f02fcf
SHA512: a353d4420d1706a1742089d806188fba79131a5d0b720ad7716bc1995cbf75b6d379034dee7dd18baa5bbd99148a21baa5787d4ada18a162b36a740643f36908
SSDEEP: 1536:8UNsj0iOo4E9n7QBJuePnkbGdqLJe0GGqFOlqjuC:XNsjf4K8LnkbG8L4FOEjf
Malware Config
Extracted
Family: xworm
C2: 0.tcp.eu.ngrok.io:13656
Attributes
Install_directory: %AppData%
install_file: XClient.exe
Signatures
Detect Xworm Payload (1 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/600-0-0x0000000000440000-0x0000000000456000-memory.dmp | family_xworm
Drops startup file (2 IoCs)
Processes: XClient.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: XClient.exe
  description | pid | process
  Token: SeDebugPrivilege | 600 | XClient.exe
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 600
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1312