Analysis

  • max time kernel
    1565s
  • max time network
    1566s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2024 20:07

General

  • Target

    XClient.exe

  • Size

    59KB

  • MD5

    d172c0a4ae3e8cef6a0a910bde62e195

  • SHA1

    51139fc633fe81a66c8ed55081f92ec5256bd0bd

  • SHA256

    94b65da2b5cc3728547f892a46e9c48c5d54477d10ea8e210304593acd3568e7

  • SHA512

    d82c930a42fd623aeee51007453d201e96110b546f1fb34080fc6d4c1488d71b3828f5f1833d347993444e4d332aa00fbb7b8922fce676d220375470ad0fa467

  • SSDEEP

    1536:9vv68xQQodoW8YTK6uDkbrfSVxwXSOqQ+k:1vjWQoGJYTK6CkbrfHSOqQ+k

Malware Config

Extracted

Family

xworm

C2

length-desert.gl.at.ply.gg:58023

%AppData%:9

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 10 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "9" /tr "C:\Users\Admin\AppData\Roaming\9"
      2⤵
      • Creates scheduled task(s)
      PID:2200
    • C:\Users\Admin\AppData\Local\Temp\cibqrp.exe
      "C:\Users\Admin\AppData\Local\Temp\cibqrp.exe"
      2⤵
      • Executes dropped EXE
      PID:1444
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "9"
      2⤵
        PID:1308
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B9C.tmp.bat""
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1044
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:992
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {166897BF-E7FB-4B38-AD4F-162F09AC4BA0} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3028
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1972
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2060
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2272
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1340
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:280
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1064
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2904
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2372
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1328
      • C:\Users\Admin\AppData\Roaming\9
        C:\Users\Admin\AppData\Roaming\9
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1168

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp1B9C.tmp.bat

      Filesize

      159B

      MD5

      6a889fa988b2ae81ab24b97e808d14bc

      SHA1

      f96c8353766fffd7ddef1f61574b08590b3a81de

      SHA256

      26c69258de12093e227f2f96ad66966e2d315bb0b095bc540dd61e44a492e218

      SHA512

      fcc436babe488425a6c8d759994411531b873666b6d4fbcfe03a680ae0e50e94cd6540d84d08bc8aeb687b8f4a175cdd91acae16ce9878e57c6d51d89d051fcf

    • C:\Users\Admin\AppData\Roaming\9

      Filesize

      59KB

      MD5

      d172c0a4ae3e8cef6a0a910bde62e195

      SHA1

      51139fc633fe81a66c8ed55081f92ec5256bd0bd

      SHA256

      94b65da2b5cc3728547f892a46e9c48c5d54477d10ea8e210304593acd3568e7

      SHA512

      d82c930a42fd623aeee51007453d201e96110b546f1fb34080fc6d4c1488d71b3828f5f1833d347993444e4d332aa00fbb7b8922fce676d220375470ad0fa467

    • \Users\Admin\AppData\Local\Temp\cibqrp.exe

      Filesize

      95KB

      MD5

      90d4d1e028d8be79482699f0a23eca1e

      SHA1

      1bb39ea5ddf177aab34a990ade5bd316b85f4dda

      SHA256

      03c10771abb8cd2ad13402826d8f69dee1f2637063d75613ece28ac557a842c4

      SHA512

      f710d67ad1beb2f9fb4e5a61d8e2fba2b28c0f7a390ee907e1c47f9396501e60062ef66459dd6ec2962e517c642f29c323c08522e477afb7f616b062bfd31617

    • memory/280-27-0x0000000000320000-0x0000000000336000-memory.dmp

      Filesize

      88KB

    • memory/1064-37-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

      Filesize

      88KB

    • memory/1444-35-0x000000013FCC0000-0x000000013FCEE000-memory.dmp

      Filesize

      184KB

    • memory/1972-16-0x00000000012D0000-0x00000000012E6000-memory.dmp

      Filesize

      88KB

    • memory/2124-22-0x0000000000330000-0x0000000000346000-memory.dmp

      Filesize

      88KB

    • memory/2204-31-0x000000013FCC0000-0x000000013FCEE000-memory.dmp

      Filesize

      184KB

    • memory/2204-9-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

      Filesize

      9.9MB

    • memory/2204-8-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

      Filesize

      4KB

    • memory/2204-7-0x0000000000560000-0x000000000056C000-memory.dmp

      Filesize

      48KB

    • memory/2204-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

      Filesize

      4KB

    • memory/2204-6-0x00000000004D0000-0x00000000004DC000-memory.dmp

      Filesize

      48KB

    • memory/2204-5-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

      Filesize

      9.9MB

    • memory/2204-1-0x00000000010D0000-0x00000000010E6000-memory.dmp

      Filesize

      88KB

    • memory/2204-54-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

      Filesize

      9.9MB

    • memory/2272-19-0x00000000013B0000-0x00000000013C6000-memory.dmp

      Filesize

      88KB

    • memory/2372-41-0x0000000000DF0000-0x0000000000E06000-memory.dmp

      Filesize

      88KB

    • memory/2564-24-0x0000000000A90000-0x0000000000AA6000-memory.dmp

      Filesize

      88KB

    • memory/3028-13-0x0000000001130000-0x0000000001146000-memory.dmp

      Filesize

      88KB