Analysis Overview
SHA256
070ca53cb9d8d21753aa9dcc25e76c941e3894665731c9ba16b114ace647bb4b
Threat Level: Known bad
The file XClient.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 22:43
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 22:43
Reported
2024-05-31 22:44
Platform
win10-20240404-en
Max time kernel
35s
Max time network
48s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.192.31.165:19130 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 165.31.192.18.in-addr.arpa | udp |
Files
memory/4924-0-0x00007FF8E5213000-0x00007FF8E5214000-memory.dmp
memory/4924-1-0x0000000000AB0000-0x0000000000AC2000-memory.dmp
memory/4924-2-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp
memory/4800-7-0x00000179BBEB0000-0x00000179BBED2000-memory.dmp
memory/4800-8-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp
memory/4800-9-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp
memory/4800-10-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp
memory/4800-13-0x00000179BC060000-0x00000179BC0D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2dgkycu5.k0q.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4800-51-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c6d932b98ac7c249ed88d2b15666f4e3 |
| SHA1 | 8ef1684ac2962cf2dfd45d1e40b1804da7d6839e |
| SHA256 | e02f97e96277344c3178ddee80249b8b3ecea82094bdab62997182482cc7e5d2 |
| SHA512 | 87030bc3e602eb92a9bbd485bb7a28bd3ae79e233e2c1f4606ff38f4fc11c6ba62c998ff43d9bf1997bf35b130a66f08a32e6f004cded246428495edf61c249b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 10c0a0a59c1c07e67bc75e7dd4a966df |
| SHA1 | 8960ae3f46793149f20bd21af4232337562a2586 |
| SHA256 | cd9159c6fa245c6e06707d4115307bad3fb2b5f435c545952f645255ee955975 |
| SHA512 | 9f0c20ec2c75cc8a3a0fcd456667be0adbdd7c06bbfb0bbbe3dac2812711665f3ca1edcde9e7977594e117c512c74ba388c69d9d35f57fce33b87ac61c16f2b9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b66f6a9fb3f7ba08227b1cb46a03979f |
| SHA1 | 4f9e65c359d052140295a8684f2e7f83ff745a8d |
| SHA256 | c9a8db6adde88896155d4598269ec0e10b9b826390fe04bba99911eef39b35db |
| SHA512 | 213bc72b51638fee0f725ec0c2c7ef65d46dcbf4ad0de48c05c7a43b9dfcf40a7a49840c81481d5891c1c48c7af57d9e4ba76066cc62b2b67dba142994c5b577 |
memory/4924-186-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp