Analysis
- max time kernel: 1565s
- max time network: 1566s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-05-2024 20:07
Behavioral tasks
- behavioral1: sample XClient.exe, resource win10-20240404-en
- behavioral2: sample XClient.exe, resource win7-20240221-en
- behavioral3: sample XClient.exe, resource win10v2004-20240508-en
- behavioral4: sample XClient.exe, resource win11-20240508-en
General
- Target: XClient.exe
- Size: 59KB
- MD5: d172c0a4ae3e8cef6a0a910bde62e195
- SHA1: 51139fc633fe81a66c8ed55081f92ec5256bd0bd
- SHA256: 94b65da2b5cc3728547f892a46e9c48c5d54477d10ea8e210304593acd3568e7
- SHA512: d82c930a42fd623aeee51007453d201e96110b546f1fb34080fc6d4c1488d71b3828f5f1833d347993444e4d332aa00fbb7b8922fce676d220375470ad0fa467
- SSDEEP: 1536:9vv68xQQodoW8YTK6uDkbrfSVxwXSOqQ+k:1vjWQoGJYTK6CkbrfHSOqQ+k
Malware Config
Extracted
- Family: xworm
- C2: length-desert.gl.at.ply.gg:58023
- %AppData%:9
- Install_directory: %AppData%
- install_file: USB.exe
Signatures

Detect Xworm Payload (10 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/2204-1-0x00000000010D0000-0x00000000010E6000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Roaming\9 | family_xworm
  behavioral2/memory/3028-13-0x0000000001130000-0x0000000001146000-memory.dmp | family_xworm
  behavioral2/memory/1972-16-0x00000000012D0000-0x00000000012E6000-memory.dmp | family_xworm
  behavioral2/memory/2272-19-0x00000000013B0000-0x00000000013C6000-memory.dmp | family_xworm
  behavioral2/memory/2124-22-0x0000000000330000-0x0000000000346000-memory.dmp | family_xworm
  behavioral2/memory/2564-24-0x0000000000A90000-0x0000000000AA6000-memory.dmp | family_xworm
  behavioral2/memory/280-27-0x0000000000320000-0x0000000000336000-memory.dmp | family_xworm
  behavioral2/memory/1064-37-0x0000000000BD0000-0x0000000000BE6000-memory.dmp | family_xworm
  behavioral2/memory/2372-41-0x0000000000DF0000-0x0000000000E06000-memory.dmp | family_xworm

Deletes itself (1 IoC)
Processes:
  pid | process
  1044 | cmd.exe

Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9.lnk | XClient.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9.lnk | XClient.exe

Executes dropped EXE (16 IoCs)
Processes:
  pid | process
  3028 | 9
  1972 | 9
  2060 | 9
  2272 | 9
  1340 | 9
  2124 | 9
  2564 | 9
  2692 | 9
  280 | 9
  1444 | cibqrp.exe
  1064 | 9
  2904 | 9
  2484 | 9
  2372 | 9
  1328 | 9
  1168 | 9

Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  2204 | XClient.exe
  1332 |

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\9 = "C:\\Users\\Admin\\AppData\\Roaming\\9" | XClient.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | XClient.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | XClient.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
Processes:
  pid | process
  992 | timeout.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | XClient.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | XClient.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | XClient.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | XClient.exe

Suspicious use of AdjustPrivilegeToken (17 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2204 | XClient.exe
  Token: SeDebugPrivilege | 2204 | XClient.exe
  Token: SeDebugPrivilege | 3028 | 9
  Token: SeDebugPrivilege | 1972 | 9
  Token: SeDebugPrivilege | 2060 | 9
  Token: SeDebugPrivilege | 2272 | 9
  Token: SeDebugPrivilege | 1340 | 9
  Token: SeDebugPrivilege | 2124 | 9
  Token: SeDebugPrivilege | 2564 | 9
  Token: SeDebugPrivilege | 2692 | 9
  Token: SeDebugPrivilege | 280 | 9
  Token: SeDebugPrivilege | 1064 | 9
  Token: SeDebugPrivilege | 2904 | 9
  Token: SeDebugPrivilege | 2484 | 9
  Token: SeDebugPrivilege | 2372 | 9
  Token: SeDebugPrivilege | 1328 | 9
  Token: SeDebugPrivilege | 1168 | 9

Suspicious use of WriteProcessMemory (60 IoCs)
Processes:
  description | pid | process | target process
  PID 2204 wrote to memory of 2200 | 2204 | XClient.exe | schtasks.exe
  PID 2204 wrote to memory of 2200 | 2204 | XClient.exe | schtasks.exe
  PID 2204 wrote to memory of 2200 | 2204 | XClient.exe | schtasks.exe
  PID 916 wrote to memory of 3028 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 3028 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 3028 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1972 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1972 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1972 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2060 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2060 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2060 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2272 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2272 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2272 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1340 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1340 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1340 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2124 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2124 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2124 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2564 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2564 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2564 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2692 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2692 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2692 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 280 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 280 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 280 | 916 | taskeng.exe | 9
  PID 2204 wrote to memory of 1444 | 2204 | XClient.exe | cibqrp.exe
  PID 2204 wrote to memory of 1444 | 2204 | XClient.exe | cibqrp.exe
  PID 2204 wrote to memory of 1444 | 2204 | XClient.exe | cibqrp.exe
  PID 916 wrote to memory of 1064 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1064 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1064 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2904 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2904 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2904 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2484 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2484 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2484 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2372 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2372 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 2372 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1328 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1328 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1328 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1168 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1168 | 916 | taskeng.exe | 9
  PID 916 wrote to memory of 1168 | 916 | taskeng.exe | 9
  PID 2204 wrote to memory of 1308 | 2204 | XClient.exe | schtasks.exe
  PID 2204 wrote to memory of 1308 | 2204 | XClient.exe | schtasks.exe
  PID 2204 wrote to memory of 1308 | 2204 | XClient.exe | schtasks.exe
  PID 2204 wrote to memory of 1044 | 2204 | XClient.exe | cmd.exe
  PID 2204 wrote to memory of 1044 | 2204 | XClient.exe | cmd.exe
  PID 2204 wrote to memory of 1044 | 2204 | XClient.exe | cmd.exe
  PID 1044 wrote to memory of 992 | 1044 | cmd.exe | timeout.exe
  PID 1044 wrote to memory of 992 | 1044 | cmd.exe | timeout.exe
  PID 1044 wrote to memory of 992 | 1044 | cmd.exe | timeout.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; indentation shows parent/child nesting)

C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 2204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe (PID 2200)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "9" /tr "C:\Users\Admin\AppData\Roaming\9"
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\cibqrp.exe (PID 1444)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cibqrp.exe"
    - Executes dropped EXE
  C:\Windows\System32\schtasks.exe (PID 1308)
    Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "9"
  C:\Windows\system32\cmd.exe (PID 1044)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B9C.tmp.bat""
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe (PID 992)
      Command line: timeout 3
      - Delays execution with timeout.exe

C:\Windows\system32\taskeng.exe (PID 916)
  Command line: taskeng.exe {166897BF-E7FB-4B38-AD4F-162F09AC4BA0} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\9 (PID 3028)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 1972)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 2060)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 2272)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 1340)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 2124)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 2564)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 2692)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 280)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 1064)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 2904)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 2484)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 2372)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 1328)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\9 (PID 1168)
    Command line: C:\Users\Admin\AppData\Roaming\9
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken