Analysis
max time kernel: 564s
max time network: 593s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-05-2024 12:27
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win11-20240426-en
General
Target: XClient.exe
Size: 62KB
MD5: ec8785fe24a3652b48f3c26305fbe895
SHA1: 55d19ee15841fc8f9862d1c5eed0884b7c0b4363
SHA256: 43acaa8dd6ef2afc04a0c5de6b4c6ffb879e79af8c4ebcc033c9a230ffa7944a
SHA512: 20e792dfe3d50159bc67267ab067dbdf4b29c52cd865bb7fbacfcb6e1b0a52a10a9fe5efb09b3f074c01b06feb8354ee293ecdb0b1c843e530f6d2cd2278824d
SSDEEP: 1536:mI/gDbWOkAlgI7RxE6kkbftYV5j6M5O5Jf7:mIAiAlN7RxEVkbfOhO5R7
Malware Config
Extracted: xworm
Install_directory: %AppData%
install_file: Runtime Broker.exe
pastebin_url: https://pastebin.com/raw/kYPYyCCf
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1844-1-0x0000000000A40000-0x0000000000A56000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid | process
  2584 | powershell.exe
  4212 | powershell.exe
  2400 | powershell.exe
  3064 | powershell.exe
Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | XClient.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | XClient.exe
Executes dropped EXE (10 IoCs)
Processes:
  pid | process
  2208 | Runtime Broker.exe
  2748 | Runtime Broker.exe
  3428 | Runtime Broker.exe
  4340 | Runtime Broker.exe
  4320 | Runtime Broker.exe
  4048 | Runtime Broker.exe
  3632 | Runtime Broker.exe
  3692 | Runtime Broker.exe
  112 | Runtime Broker.exe
  4812 | Runtime Broker.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe" | XClient.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid | process
  2584 | powershell.exe
  2584 | powershell.exe
  4212 | powershell.exe
  4212 | powershell.exe
  2400 | powershell.exe
  2400 | powershell.exe
  3064 | powershell.exe
  3064 | powershell.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1844 | XClient.exe
  Token: SeDebugPrivilege | 2584 | powershell.exe
  Token: SeDebugPrivilege | 4212 | powershell.exe
  Token: SeDebugPrivilege | 2400 | powershell.exe
  Token: SeDebugPrivilege | 3064 | powershell.exe
  Token: SeDebugPrivilege | 1844 | XClient.exe
  Token: SeDebugPrivilege | 2208 | Runtime Broker.exe
  Token: SeDebugPrivilege | 2748 | Runtime Broker.exe
  Token: SeDebugPrivilege | 3428 | Runtime Broker.exe
  Token: SeDebugPrivilege | 4340 | Runtime Broker.exe
  Token: SeDebugPrivilege | 4320 | Runtime Broker.exe
  Token: SeDebugPrivilege | 4048 | Runtime Broker.exe
  Token: SeDebugPrivilege | 3632 | Runtime Broker.exe
  Token: SeDebugPrivilege | 3692 | Runtime Broker.exe
  Token: SeDebugPrivilege | 112 | Runtime Broker.exe
  Token: SeDebugPrivilege | 4812 | Runtime Broker.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description | pid | process | target process
  PID 1844 wrote to memory of 2584 | 1844 | XClient.exe | powershell.exe
  PID 1844 wrote to memory of 2584 | 1844 | XClient.exe | powershell.exe
  PID 1844 wrote to memory of 4212 | 1844 | XClient.exe | powershell.exe
  PID 1844 wrote to memory of 4212 | 1844 | XClient.exe | powershell.exe
  PID 1844 wrote to memory of 2400 | 1844 | XClient.exe | powershell.exe
  PID 1844 wrote to memory of 2400 | 1844 | XClient.exe | powershell.exe
  PID 1844 wrote to memory of 3064 | 1844 | XClient.exe | powershell.exe
  PID 1844 wrote to memory of 3064 | 1844 | XClient.exe | powershell.exe
  PID 1844 wrote to memory of 5048 | 1844 | XClient.exe | schtasks.exe
  PID 1844 wrote to memory of 5048 | 1844 | XClient.exe | schtasks.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1844

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2584

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4212

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime Broker.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2400

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3064

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      - Creates scheduled task(s)
      PID: 5048

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2208

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2748

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3428

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4340

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4320

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4048

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3632

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3692

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 112

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4812
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 654B
MD5: 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1: 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256: e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512: ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Filesize: 944B
MD5: 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA1: 9910190edfaccece1dfcc1d92e357772f5dae8f7
SHA256: 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA512: 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Filesize: 944B
MD5: 781da0576417bf414dc558e5a315e2be
SHA1: 215451c1e370be595f1c389f587efeaa93108b4c
SHA256: 41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe
SHA512: 24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 62KB
MD5: ec8785fe24a3652b48f3c26305fbe895
SHA1: 55d19ee15841fc8f9862d1c5eed0884b7c0b4363
SHA256: 43acaa8dd6ef2afc04a0c5de6b4c6ffb879e79af8c4ebcc033c9a230ffa7944a
SHA512: 20e792dfe3d50159bc67267ab067dbdf4b29c52cd865bb7fbacfcb6e1b0a52a10a9fe5efb09b3f074c01b06feb8354ee293ecdb0b1c843e530f6d2cd2278824d