Resubmissions
26-05-2024 17:06  240526-vmg6wade6v  10
26-05-2024 12:49  240526-p2q5faeh27  10
26-05-2024 12:43  240526-pyanaadf3s  10
Analysis
max time kernel: 133s
max time network: 141s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26-05-2024 12:49
General
Target: XClient.exe
Size: 32KB
MD5: 53d9b475ab5b6a31e7b89c28d49b2196
SHA1: 118000b987a127ae6065f9739b583038e0f1780b
SHA256: 5b64cc2c1a7d550a5fb1d344d373be0cf9a8a5041f5e7b33534a9aaee06a9073
SHA512: 302b7e312298445df0fbecd5d8fa54086eefa85b2b3ed238481a385a5fa2a148c11b681c1a5a57dd20e5602f2430185738ab5ac134f3d2d965760ff84ec7f949
SSDEEP: 768:+RPD9OQhx/BV3Tw4e1dVFE9jiOjhfbhO:+d9OW/V3U4epFE9jiOjJFO
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 0.tcp.eu.ngrok.io:10897
QUjY5ulhX0UCX61h
install_file: USB.exe
Signatures
Detect Xworm Payload (1 IoC)
  resource: behavioral1/memory/5012-1-0x0000000000FE0000-0x0000000000FEE000-memory.dmp
  yara_rule: family_xworm
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
Delays execution with timeout.exe (1 IoC)
  pid 4064: timeout.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 5012, process XClient.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 5012 (XClient.exe) wrote to memory of 4988 (cmd.exe)
  PID 5012 (XClient.exe) wrote to memory of 4988 (cmd.exe)
  PID 4988 (cmd.exe) wrote to memory of 4064 (timeout.exe)
  PID 4988 (cmd.exe) wrote to memory of 4064 (timeout.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 5012
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB551.tmp.bat""
    PID: 4988
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe
      command line: timeout 3
      PID: 4064
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 159B
MD5: 3d8ef8d68c798d0319941508459ef0cd
SHA1: 799cb7b03f31621b1feb25340917073f52bd25d6
SHA256: e12aeeb002186ccadc192b174c0fb2272281f8cb521d64b13791341107dad359
SHA512: 4f06e359e146ce006cd3c810fa845f5008c4ba2c668163dd22a32a7bdf407d5a1dc25b8a457fbbe8d3990a01f5780aa0a0abd2581760ccd689c4222527274b52