Analysis Overview
SHA256
be1243dcd5cd64592aeb2c04d1dcb1a76c101aade618dbf6c33f96704741451e
Threat Level: Known bad
The file Xclient.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm family
Xworm
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Drops startup file
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 10:07
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 10:07
Reported
2024-05-30 10:10
Platform
win7-20240215-en
Max time kernel
145s
Max time network
122s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Xclient.exe
"C:\Users\Admin\AppData\Local\Temp\Xclient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xclient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xclient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp |
Files
memory/2980-0-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp
memory/2980-1-0x00000000011A0000-0x00000000011B0000-memory.dmp
memory/3040-6-0x0000000002D90000-0x0000000002E10000-memory.dmp
memory/3040-7-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
memory/3040-8-0x0000000001E80000-0x0000000001E88000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 68b8661d8a26c780d923f385a5e87cbf |
| SHA1 | bf77a5d028c23005fadde21c2953b31851b8307d |
| SHA256 | c5b8338ad3f3a1e904da0d9846a63c8551ed3436d161357996e84fad0a8d88fc |
| SHA512 | 3a5d8fdf05d545f144c6452ddacbee48d52a47c6bb5198167dbff4dea6e973abb1d00b99b5d5ea7a8586777eb405fd621fe6e07396a3b84e96450d343b9dc64d |
memory/2568-14-0x000000001B770000-0x000000001BA52000-memory.dmp
memory/2568-15-0x0000000002870000-0x0000000002878000-memory.dmp
memory/2980-30-0x000000001B2F0000-0x000000001B370000-memory.dmp
memory/2980-31-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp
memory/2980-32-0x000000001B2F0000-0x000000001B370000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 10:07
Reported
2024-05-30 10:10
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
129s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xclient.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Xclient.exe
"C:\Users\Admin\AppData\Local\Temp\Xclient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xclient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xclient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BE | 88.221.83.195:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.83.221.88.in-addr.arpa | udp |
| N/A | 127.0.0.1:4099 | tcp | |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:4099 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:4099 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp | |
| N/A | 127.0.0.1:4099 | tcp |
Files
memory/2280-0-0x00007FFAC0F23000-0x00007FFAC0F25000-memory.dmp
memory/2280-1-0x0000000000100000-0x0000000000110000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ardfu4mk.rwu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4600-11-0x000001B8C9830000-0x000001B8C9852000-memory.dmp
memory/4600-12-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp
memory/4600-13-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp
memory/4600-14-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp
memory/4600-15-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp
memory/4600-18-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | a7e7cfd43d30bcc61251a5a230d79a7c |
| SHA1 | 0d5c054cc7a8a11b102ba68635e306799897ce28 |
| SHA256 | 063bb7675f043bb4c1d78d5dc04801560331b0e430e7579d3a535740c539590f |
| SHA512 | 1fd8d7924a249fb3200dad3d5d9eda04b33f01bbb25579e71d541d6be97b0467338a28b0a8948223e357d6bf6b851f9fd9a2c38026002307ccf7a973f7ecbe83 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4b451bfff41491fbb65db7899b220e6e |
| SHA1 | a80f200d4fa07d163f77edaf76ca88a13ae8b92e |
| SHA256 | 2460aaf397f756acea0d527e928a2633b6e947ce02a363cbb2288ec7dafd7e6b |
| SHA512 | 4e01c3bb07259f5e93ad6a98f97aaf20b32bc00d306bec76b235a0dbabc66cb29aebe568265dd3b44c9ad0fe31d2230029e88700498bb819b9ae22f2acd4b2f0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 634cde2589934e07d99490d6d6b9feca |
| SHA1 | c118bd53a94e9ce0bd970b354812131675c1269f |
| SHA256 | 518e9613183fe36f877d1ae225c4e8e96c53349b09025e1c91533bb696a3f2d8 |
| SHA512 | 972035cd12a6ec63b7a827867a54700d91855b45825bf57f15d5985d9380d77308e1638a8490403ad13a5ae307dfdd5a868bd9bfc6b37d4ecf00a8b54b9deae5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9c740b7699e2363ac4ecdf496520ca35 |
| SHA1 | aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9 |
| SHA256 | be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61 |
| SHA512 | 8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af |
memory/2280-57-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp
memory/2280-58-0x00007FFAC0F23000-0x00007FFAC0F25000-memory.dmp
memory/2280-59-0x00007FFAC0F20000-0x00007FFAC19E1000-memory.dmp