Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    26-05-2024 15:31

General

  • Target

    XClient.exe

  • Size

    85KB

  • MD5

    007e1223120cd10fa02e2d371211d82a

  • SHA1

    519b63a096d4e9c12b8150467996c068e6ff756d

  • SHA256

    06d5934c528750f025b2f682a829d6e5b978238503c5e61a498da63a1958c0ac

  • SHA512

    4413c3e41237633153e90ab469af4d820aa51db88cc0df04c64af2c9ef25ab71cb7aa8b4b09814e35db4495986c6ab1e3199ec34cec35472830df5e361729210

  • SSDEEP

    1536:FHPavxx983DKYFV6MnbNE4VbR+rKb6lqMOV6Cgn3e//r:kvxYDKYX6MnbNEwbEpVOQCg0/r

Malware Config

Extracted

Family

xworm

C2

0.tcp.eu.ngrok.io:18473

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Chrome.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:4120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    8592ba100a78835a6b94d5949e13dfc1

    SHA1

    63e901200ab9a57c7dd4c078d7f75dcd3b357020

    SHA256

    fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

    SHA512

    87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    b41b9f548fb3778654d804f1a4884b7e

    SHA1

    82617b6a8b755fe5303de5f062cf34603fab01f0

    SHA256

    53e37dc33742509eb8b0fd65798cbd06f9a4ad8fb9377ce862bd660acdee6dd7

    SHA512

    37201f3b21bbf488eb283c39dd01eae99a996933e87aad225b962016e5911de7214d7337646ce573351b570188e5c3b87d7ee7e39567bb4605b608ac56150413

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    c544c4de8068bad197b4b8ba6ed18150

    SHA1

    1c5380f837675a39bbb9e2d6595484b26c898aba

    SHA256

    4e2638089eec13066b56f058ed10d3091c8fc7ade5885c0738b7d6e601ae5e18

    SHA512

    a81db050db5343fb95f8c774c4f7d32541f77e3394db742baac9ebdb905fe0ade0e423b92acd8e1fc6f6fea6e451b46a7cb1f042dd7d4ce4b1adde7d3ab2b8ee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    030d805d9aa54c9090cebd87ea7fc864

    SHA1

    abd19fd42507415b0e1040fbc7b351f1726cd091

    SHA256

    dd3c00d91d55a6bdbb67fbf3746bd1501706c2c150f8b13f21edad7967e83d10

    SHA512

    436ac632ef76c24b77dd0ea13e09b9f4d32a940bd84e1ce6d8577b9a20fcb6538cf2b6c16221afd9dfc11b57f866a4d804280979ae634af267794cbd87e4031b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ab3ds5qr.aau.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • memory/3220-0-0x00007FF80AF13000-0x00007FF80AF14000-memory.dmp

    Filesize

    4KB

  • memory/3220-2-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

    Filesize

    9.9MB

  • memory/3220-1-0x00000000007D0000-0x00000000007EC000-memory.dmp

    Filesize

    112KB

  • memory/3220-185-0x00007FF80AF13000-0x00007FF80AF14000-memory.dmp

    Filesize

    4KB

  • memory/3220-186-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

    Filesize

    9.9MB

  • memory/4672-9-0x000001B043A10000-0x000001B043A32000-memory.dmp

    Filesize

    136KB

  • memory/4672-10-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

    Filesize

    9.9MB

  • memory/4672-13-0x000001B043BE0000-0x000001B043C56000-memory.dmp

    Filesize

    472KB

  • memory/4672-51-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

    Filesize

    9.9MB

  • memory/4672-8-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

    Filesize

    9.9MB

  • memory/4672-7-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

    Filesize

    9.9MB