Analysis
max time kernel
149s
max time network
143s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted
26-05-2024 15:31
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
XClient.exe
Resource
win10v2004-20240508-en
General
-
Target
XClient.exe
-
Size
85KB
-
MD5
007e1223120cd10fa02e2d371211d82a
-
SHA1
519b63a096d4e9c12b8150467996c068e6ff756d
-
SHA256
06d5934c528750f025b2f682a829d6e5b978238503c5e61a498da63a1958c0ac
-
SHA512
4413c3e41237633153e90ab469af4d820aa51db88cc0df04c64af2c9ef25ab71cb7aa8b4b09814e35db4495986c6ab1e3199ec34cec35472830df5e361729210
-
SSDEEP
1536:FHPavxx983DKYFV6MnbNE4VbR+rKb6lqMOV6Cgn3e//r:kvxYDKYX6MnbNEwbEpVOQCg0/r
Malware Config
Extracted
xworm
0.tcp.eu.ngrok.io:18473
-
Install_directory
%ProgramData%
-
install_file
Chrome.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource: behavioral1/memory/3220-1-0x00000000007D0000-0x00000000007EC000-memory.dmp
yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid   process
4672  powershell.exe
500   powershell.exe
820   powershell.exe
4120  powershell.exe
Drops startup file 2 IoCs
Processes:
description                   ioc                                                                                      process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk   XClient.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk   XClient.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                              process
Set value (str)  \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe"   XClient.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
1     ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
pid   process          IoCs
4672  powershell.exe   3
500   powershell.exe   3
820   powershell.exe   3
4120  powershell.exe   3
3220  XClient.exe      1
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid 3220 XClient.exe: Token: SeDebugPrivilege
pid 4672 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 500 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 820 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
(listing capped at 64 IoCs; it ends partway through PID 820 and shows nothing for PID 4120)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
3220  XClient.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                        pid   process      target process
PID 3220 wrote to memory of 4672   3220  XClient.exe  powershell.exe
PID 3220 wrote to memory of 4672   3220  XClient.exe  powershell.exe
PID 3220 wrote to memory of 500    3220  XClient.exe  powershell.exe
PID 3220 wrote to memory of 500    3220  XClient.exe  powershell.exe
PID 3220 wrote to memory of 820    3220  XClient.exe  powershell.exe
PID 3220 wrote to memory of 820    3220  XClient.exe  powershell.exe
PID 3220 wrote to memory of 4120   3220  XClient.exe  powershell.exe
PID 3220 wrote to memory of 4120   3220  XClient.exe  powershell.exe
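The config block and the persistence and Defender-tampering signatures above, turned into a host triage script. This is an added example, not code from the report or from XWorm. It assumes the SHA256 and file names from this report, that the %ProgramData%\Chrome.exe copy is byte-identical to XClient.exe (which is why it is matched by hash rather than by name), and that the host has the Defender PowerShell module; since the Temp path in the exclusion differs per host, exclusion paths are matched on their trailing file name only. Run it elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the sandbox report. $KnownSha256 is the report's
# SHA256 for XClient.exe; the ProgramData copy is assumed to be the same bytes.

$KnownSha256  = '06d5934c528750f025b2f682a829d6e5b978238503c5e61a498da63a1958c0ac'
$SuspectNames = @('XClient.exe', 'Chrome.exe')           # names the sample uses
$InstallPath  = Join-Path $env:ProgramData 'Chrome.exe'  # install_directory + install_file from the config
$StartupLnk   = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk'
$RunKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$C2Hosts      = @('0.tcp.eu.ngrok.io', 'ip-api.com')     # C2 tunnel host and the IP-lookup service

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Target, [string]$Note) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Target = $Target; Note = $Note })
}

# 1. Defender exclusions as currently configured: the end state of the four
#    Add-MpPreference calls in the process tree.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath) | Where-Object { $_ }) {
    if ($SuspectNames | Where-Object { $p -like "*\$_" }) { Add-Finding 'ExclusionPath' $p '' }
}
foreach ($p in @($pref.ExclusionProcess) | Where-Object { $_ }) {
    if ($SuspectNames -contains $p) { Add-Finding 'ExclusionProcess' $p '' }
}

# 2. HKCU Run values. Chrome never installs under %ProgramData%, so the
#    target path is the tell regardless of what the value is named.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like '*ProgramData\Chrome.exe*' } |
        ForEach-Object { Add-Finding 'RunKey' $_.Name $_.Value }
}

# 3. Startup-folder shortcut and where it points.
if (Test-Path $StartupLnk) {
    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($StartupLnk).TargetPath
    Add-Finding 'StartupLnk' $StartupLnk "-> $target"
}

# 4. The dropped binary, matched by hash.
if (Test-Path $InstallPath) {
    $h = (Get-FileHash -Path $InstallPath -Algorithm SHA256).Hash.ToLower()
    $kind = if ($h -eq $KnownSha256) { 'KnownSample' } else { 'UnknownBinaryInProgramData' }
    Add-Finding $kind $InstallPath "sha256=$h"
}

# 5. Network residue: cached DNS answers for the tunnel/IP-lookup hosts and
#    any live session to the ngrok port from the config.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $C2Hosts -contains $_.Entry } |
    ForEach-Object { Add-Finding 'DnsCache' $_.Entry $_.Data }
Get-NetTCPConnection -State Established -RemotePort 18473 -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'TcpSession' "$($_.RemoteAddress):$($_.RemotePort)" "pid $($_.OwningProcess)" }

$findings | Format-Table -AutoSize

# Remediation, only for positive matches. -WhatIf prints the actions; remove
# it to apply them.
$byKind = $findings | Group-Object Kind -AsHashTable -AsString
if ($byKind['ExclusionPath'])    { Remove-MpPreference -ExclusionPath    $byKind['ExclusionPath'].Target    -WhatIf }
if ($byKind['ExclusionProcess']) { Remove-MpPreference -ExclusionProcess $byKind['ExclusionProcess'].Target -WhatIf }
if ($byKind['RunKey'])           { $byKind['RunKey'].Target | ForEach-Object { Remove-ItemProperty -Path $RunKey -Name $_ -WhatIf } }
if ($byKind['StartupLnk'])       { Remove-Item -Path $StartupLnk -WhatIf }
if ($byKind['KnownSample'])      { Remove-Item -Path $InstallPath -Force -WhatIf }
```

The order matters: clear the exclusions before deleting the binary, otherwise Defender keeps ignoring the path if the file is re-dropped by a process that is still running; kill PID 3220's equivalent (the process whose image hash matches) before the file removal for the same reason.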
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 3220, depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4672, depth 2, child of PID 3220)
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 500, depth 2, child of PID 3220)
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 820, depth 2, child of PID 3220)
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4120, depth 2, child of PID 3220)
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
-
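The process tree above as a hunt over telemetry already on the host: a parent that is not a shell or terminal spawning powershell.exe with Add-MpPreference on its command line, corroborated by Defender's own configuration-change event. This is an added example, not code from the report. It assumes Sysmon event ID 1 logging, or Security 4688 with "Include command line in process creation events" enabled (without that setting the 4688 branch sees no command line and finds nothing); $LookBack and $ExpectedParents are illustrative choices, not values from the report.

```powershell
# Added example, not part of the sandbox report. Hunts for the
# XClient.exe -> powershell.exe -> Add-MpPreference chain in Sysmon/1,
# Security/4688 and Defender Operational/5007 events.
$LookBack        = (Get-Date).AddDays(-7)                                          # illustrative window
$ExpectedParents = @('explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'windowsterminal.exe')  # illustrative allow-list
$TamperPattern   = '(?i)Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b'

# Pull one named EventData field out of an event's XML.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-TamperingProcessCreates {
    # Each source: log name, event id, and the field names for parent image and pid.
    $sources = @(
        @{ Log = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    Parent = 'ParentImage';       Pid = 'ProcessId' },
        @{ Log = 'Security';                             Id = 4688; Parent = 'ParentProcessName'; Pid = 'NewProcessId' }
    )
    foreach ($s in $sources) {
        $filter = @{ LogName = $s.Log; Id = $s.Id; StartTime = $LookBack }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $cmd = Get-EventField $_ 'CommandLine'
            if (-not $cmd -or $cmd -notmatch $TamperPattern) { return }
            $parent     = Get-EventField $_ $s.Parent
            $parentName = if ($parent) { [IO.Path]::GetFileName($parent).ToLower() } else { '' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Source     = "$($s.Log.Split('/')[0])/$($s.Id)"
                Pid        = Get-EventField $_ $s.Pid
                Parent     = $parent
                Unexpected = ($ExpectedParents -notcontains $parentName)
                Command    = $cmd
            }
        }
    }
}

function Find-ExclusionChanges {
    # Defender logs EID 5007 on any configuration change; exclusion additions
    # name an Exclusions\Paths or Exclusions\Processes registry value in the text.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $LookBack }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\(Paths|Processes|Extensions)\\' } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Change = (($_.Message -split "`r?`n") | Where-Object { $_ -match 'New value' }) -join ' '
            }
        }
}

$creates = @(Find-TamperingProcessCreates)
$changes = @(Find-ExclusionChanges)
$creates | Sort-Object Time | Format-Table Time, Source, Pid, Unexpected, Parent -AutoSize

# Corroborate: an exclusion change within 60 s of an unexpected-parent
# powershell.exe launch. For the run in this report that would be four hits
# with Parent ending in \XClient.exe and Unexpected = True.
foreach ($c in ($creates | Where-Object Unexpected)) {
    $changes | Where-Object { [math]::Abs(($_.Time - $c.Time).TotalSeconds) -le 60 } |
        ForEach-Object { '{0}  pid {1}  parent {2}  ->  {3}' -f $c.Time, $c.Pid, $c.Parent, $_.Change }
}
```

Add-MpPreference writes Defender's HKLM settings and fails without elevation, so on a host where the logged-on user is not a local administrator the four PowerShell calls error out while the Run key and Startup shortcut persistence still succeed. The hunt therefore keys on the attempt (the command line) and uses the 5007 event only as confirmation that an exclusion actually landed, which is the case to escalate first.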
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
MD5
8592ba100a78835a6b94d5949e13dfc1
SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD5
b41b9f548fb3778654d804f1a4884b7e
SHA1
82617b6a8b755fe5303de5f062cf34603fab01f0
SHA256
53e37dc33742509eb8b0fd65798cbd06f9a4ad8fb9377ce862bd660acdee6dd7
SHA512
37201f3b21bbf488eb283c39dd01eae99a996933e87aad225b962016e5911de7214d7337646ce573351b570188e5c3b87d7ee7e39567bb4605b608ac56150413
-
Filesize
1KB
MD5
c544c4de8068bad197b4b8ba6ed18150
SHA1
1c5380f837675a39bbb9e2d6595484b26c898aba
SHA256
4e2638089eec13066b56f058ed10d3091c8fc7ade5885c0738b7d6e601ae5e18
SHA512
a81db050db5343fb95f8c774c4f7d32541f77e3394db742baac9ebdb905fe0ade0e423b92acd8e1fc6f6fea6e451b46a7cb1f042dd7d4ce4b1adde7d3ab2b8ee
-
Filesize
1KB
MD5
030d805d9aa54c9090cebd87ea7fc864
SHA1
abd19fd42507415b0e1040fbc7b351f1726cd091
SHA256
dd3c00d91d55a6bdbb67fbf3746bd1501706c2c150f8b13f21edad7967e83d10
SHA512
436ac632ef76c24b77dd0ea13e09b9f4d32a940bd84e1ce6d8577b9a20fcb6538cf2b6c16221afd9dfc11b57f866a4d804280979ae634af267794cbd87e4031b
-
Filesize
1B (these are the hashes of the single ASCII character "1")
MD5
c4ca4238a0b923820dcc509a6f75849b
SHA1
356a192b7913b04c54574d18c28d46e6395428ab
SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a