Resubmissions
  Submitted           ID                  Score
  26-05-2024 17:06    240526-vmg6wade6v   10
  26-05-2024 12:49    240526-p2q5faeh27   10
  26-05-2024 12:43    240526-pyanaadf3s   10

Analysis
  max time kernel:   138s
  max time network:  140s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240508-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         26-05-2024 12:43
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20240508-en
General
  Target:  XClient.exe
  Size:    32KB
  MD5:     53d9b475ab5b6a31e7b89c28d49b2196
  SHA1:    118000b987a127ae6065f9739b583038e0f1780b
  SHA256:  5b64cc2c1a7d550a5fb1d344d373be0cf9a8a5041f5e7b33534a9aaee06a9073
  SHA512:  302b7e312298445df0fbecd5d8fa54086eefa85b2b3ed238481a385a5fa2a148c11b681c1a5a57dd20e5602f2430185738ab5ac134f3d2d965760ff84ec7f949
  SSDEEP:  768:+RPD9OQhx/BV3Tw4e1dVFE9jiOjhfbhO:+d9OW/V3U4epFE9jiOjJFO
Malware Config
Extracted
  Family:        xworm
  Version:       5.0
  C2:            0.tcp.eu.ngrok.io:10897
                 QUjY5ulhX0UCX61h
  install_file:  USB.exe
Signatures

Detect Xworm Payload (1 IoCs)
  Resource                                                                      yara_rule
  behavioral2/memory/2924-1-0x0000000000DF0000-0x0000000000DFE000-memory.dmp    family_xworm

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)

Delays execution with timeout.exe (1 IoCs)
  pid    process
  4088   timeout.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   2924   XClient.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid    process       target process
  PID 2924 wrote to memory of 2576   2924   XClient.exe   cmd.exe
  PID 2924 wrote to memory of 2576   2924   XClient.exe   cmd.exe
  PID 2576 wrote to memory of 4088   2576   cmd.exe       timeout.exe
  PID 2576 wrote to memory of 4088   2576   cmd.exe       timeout.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\XClient.exe  (PID 2924)
    Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    Signatures:   Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe  (PID 2576)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB58F.tmp.bat""
      Signatures:   Suspicious use of WriteProcessMemory
      C:\Windows\system32\timeout.exe  (PID 4088)
        Command line: timeout 3
        Signatures:   Delays execution with timeout.exe
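The process tree above (sample in %TEMP% spawns cmd.exe on a dropped .bat, which calls timeout.exe) and the extracted config (C2 on an ngrok tunnel hostname) are the two behaviours a detection engineer would want to catch together. The following is an added example, not code from the sandbox or from this report. The event records are constructed from the report's process tree and config; the field names (pid, ppid, image, cmdline, dest_host, dest_port) and the list of tunnel-service domains are assumptions loosely modelled on Sysmon process-create and network-connect events, not a real log export.

```python
"""Detection logic for the behaviour chain in this report: the sample spawns
cmd.exe on a .bat dropped in %TEMP%, which runs timeout.exe, while the
extracted config points C2 at an ngrok tunnel hostname.

Added example, not the sandbox's or the report's own code. Event records are
constructed from the report's process tree and config; field names are
assumptions loosely modelled on Sysmon process-create / network-connect events.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed process-creation events mirroring the report's tree, plus benign
# noise (a vendor installer that also calls timeout.exe) to show what is NOT hit.
PROCESS_EVENTS: List[Event] = [
    {"pid": "2924", "ppid": "1000",
     "image": r"C:\Users\Admin\AppData\Local\Temp\XClient.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\XClient.exe"'},
    {"pid": "2576", "ppid": "2924",
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB58F.tmp.bat""'},
    {"pid": "4088", "ppid": "2576",
     "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": "timeout 3"},
    {"pid": "5001", "ppid": "900",
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\Vendor\setup.bat"'},
    {"pid": "5002", "ppid": "5001",
     "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": "timeout 5"},
]

# Constructed network events: the report's C2 endpoint plus benign traffic.
NETWORK_EVENTS: List[Event] = [
    {"pid": "2924", "dest_host": "0.tcp.eu.ngrok.io", "dest_port": "10897"},
    {"pid": "5001", "dest_host": "download.vendor.example", "dest_port": "443"},
]

# A .bat under the per-user Temp directory, as in the report's cmd.exe command line.
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\"]*\.bat\b", re.IGNORECASE)

# Starter list of reverse-tunnel services abused for C2 (assumed list; extend per environment).
TUNNEL_HOST = re.compile(
    r"(^|\.)(ngrok\.io|ngrok-free\.app|trycloudflare\.com|localhost\.run|serveo\.net)$",
    re.IGNORECASE,
)


def _basename_is(image: str, name: str) -> bool:
    """Case-insensitive match on the image file name regardless of directory."""
    return image.lower().rsplit("\\", 1)[-1] == name


def find_timeout_restart_chains(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (dropper_pid, cmd_pid, timeout_pid) for every timeout.exe whose
    parent is cmd.exe running a .bat from %TEMP%. The dropper is cmd.exe's parent."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not _basename_is(e["image"], "timeout.exe"):
            continue
        cmd = by_pid.get(e["ppid"])
        if cmd is None or not _basename_is(cmd["image"], "cmd.exe"):
            continue
        if not TEMP_BAT.search(cmd["cmdline"]):
            continue  # timeout.exe from a script outside Temp: leave it alone
        hits.append((cmd["ppid"], cmd["pid"], e["pid"]))
    return hits


def find_tunnel_c2(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (pid, host, port) for connections to a known tunnelling service."""
    return [(e["pid"], e["dest_host"], e["dest_port"])
            for e in events if TUNNEL_HOST.search(e["dest_host"])]


def correlate(process_events: List[Event], network_events: List[Event]) -> List[str]:
    """PIDs that both launched the Temp .bat -> timeout.exe chain and talked to a
    tunnel host. Either signal alone is noisy; together they match this report."""
    droppers = {chain[0] for chain in find_timeout_restart_chains(process_events)}
    return sorted({pid for pid, _host, _port in find_tunnel_c2(network_events) if pid in droppers})


if __name__ == "__main__":
    print("timeout chains:", find_timeout_restart_chains(PROCESS_EVENTS))
    print("tunnel C2:", find_tunnel_c2(NETWORK_EVENTS))
    print("correlated droppers:", correlate(PROCESS_EVENTS, NETWORK_EVENTS))
```

The Temp-path restriction is what keeps the timeout.exe rule from firing on ordinary installers; the tunnel-host match is the "legitimate hosting services abused" signature reduced to a domain suffix check, and the correlation on the parent PID is what ties the two into one alert for the chain this report shows.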
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize:  159B
  MD5:       491e12f1a7037f33b6f7c8794e4ffd7d
  SHA1:      28992faaf66f8a454688db26e2b2a11f1a195cdb
  SHA256:    74209c62b9a3cb2c4001adf0a2c4b5900e7fe3ee5964711c2bc8b0c1368a166d
  SHA512:    10c8958b1c37ab49fe883588c0a34156be30ebb200166ed051025107ecedee9a6a8e07e76ddde872c706e1c3c6333af840c34f4cf594c4d96d5aff1501aa650a