Analysis
max time kernel: 1799s
max time network: 1800s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 20:07
Behavioral tasks
behavioral1: sample XClient.exe, resource win10-20240404-en
behavioral2: sample XClient.exe, resource win7-20240221-en
behavioral3: sample XClient.exe, resource win10v2004-20240508-en
behavioral4: sample XClient.exe, resource win11-20240508-en
General
Target: XClient.exe
Size: 59KB
MD5: d172c0a4ae3e8cef6a0a910bde62e195
SHA1: 51139fc633fe81a66c8ed55081f92ec5256bd0bd
SHA256: 94b65da2b5cc3728547f892a46e9c48c5d54477d10ea8e210304593acd3568e7
SHA512: d82c930a42fd623aeee51007453d201e96110b546f1fb34080fc6d4c1488d71b3828f5f1833d347993444e4d332aa00fbb7b8922fce676d220375470ad0fa467
SSDEEP: 1536:9vv68xQQodoW8YTK6uDkbrfSVxwXSOqQ+k:1vjWQoGJYTK6CkbrfHSOqQ+k
Malware Config
Extracted
family: xworm
length-desert.gl.at.ply.gg:58023
%AppData%:9
Install_directory: %AppData%
install_file: USB.exe
Signatures
Detect Xworm Payload (2 IoCs)
Processes:
- resource behavioral3/memory/3668-1-0x0000000000240000-0x0000000000256000-memory.dmp, yara_rule family_xworm
- resource C:\Users\Admin\AppData\Roaming\9, yara_rule family_xworm
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- XClient.exe: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
Drops startup file (2 IoCs)
Processes:
- XClient.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9.lnk
- XClient.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9.lnk
Executes dropped EXE (30 IoCs)
Processes:
- process 9, PIDs: 3656, 1516, 4208, 3288, 4612, 4020, 4616, 532, 116, 3664, 2624, 3288, 3048, 3812, 2268, 4356, 4508, 3064, 4936, 1444, 1972, 5024, 4408, 1876, 4824, 416, 4296, 732, 2112, 2536
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- XClient.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9 = "C:\\Users\\Admin\\AppData\\Roaming\\9"
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (32 IoCs)
Processes:
- Token SeDebugPrivilege: PID 3668 XClient.exe (listed twice)
- Token SeDebugPrivilege: process 9, PIDs 3656, 1516, 4208, 3288, 4612, 4020, 4616, 532, 116, 3664, 2624, 3288, 3048, 3812, 2268, 4356, 4508, 3064, 4936, 1444, 1972, 5024, 4408, 1876, 4824, 416, 4296, 732, 2112, 2536
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
- PID 3668 XClient.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
- PID 3668 XClient.exe wrote to memory of 3052 schtasks.exe (listed twice)
- PID 3668 XClient.exe wrote to memory of 4676 vbc.exe (listed twice)
- PID 4676 vbc.exe wrote to memory of 116 cvtres.exe (listed twice)
- PID 3668 XClient.exe wrote to memory of 2432 vbc.exe (listed twice)
- PID 2432 vbc.exe wrote to memory of 1868 cvtres.exe (listed twice)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 3668)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  Checks computer location settings; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (PID 3052)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "9" /tr "C:\Users\Admin\AppData\Roaming\9"
    Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe (PID 4676)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\arbdhjhr\arbdhjhr.cmdline"
    Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 116)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC76D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B41AB182F4927863664736AA5672.TMP"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe (PID 2432)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2yps2p3l\2yps2p3l.cmdline"
    Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 1868)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc369B539194FA46D9861547C9D3559A88.TMP"
- C:\Users\Admin\AppData\Roaming\9 (PID 3656): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 1516): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 4208): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 3288): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 4612): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 4020): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 4616): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 532): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 116): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 3664): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 2624): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 3288): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 3048): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 3812): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 2268): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 4356): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 4508): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 3064): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 4936): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 1444): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 1972): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 5024): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 4408): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 1876): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 4824): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 416): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 4296): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 732): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 2112): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\9 (PID 2536): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads