Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 02:32
Behavioral task behavioral1
- Sample: c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe
- Resource: win7-20240419-en
Behavioral task behavioral2
- Sample: c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe
- Resource: win10v2004-20240426-en
The signatures, process tree and dropped files below come from behavioral1 (the Windows 7 run): every memory-dump IoC is tagged behavioral1 and no behavioral2 results appear on this page.
General
- Target: c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe
- Size: 276KB
- MD5: 9f14aa0555e80190fe99817d0b3ae058
- SHA1: d5b77274a0d5cb8a3b17d12b26e8fb48914c6d98
- SHA256: c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783
- SHA512: 88ea107c23eb017d8dae25d57402a11ccc2660d4860259f40820676aebeef1df920e25d1280eeca5cc24a249d8f654211c752c7ed64399f5d07ef160c6c238e7
- SSDEEP: 6144:zrMRFSb7IdaHvbp/yYtgE6dWltqvMJAF0tWcTPEt8:HMrSbcdgd6YtgP0iU78
Malware Config
Extracted: xworm
- Install_directory: %AppData%
- install_file: XClient.exe
- pastebin_url: https://pastebin.com/raw/819HpC9S
The install settings match what the run shows (a copy of the sample at C:\Users\Admin\AppData\Roaming\XClient.exe). With pastebin_url set, the client reads its C2 address from the paste at startup instead of carrying it in the config, which is why no C2 host is listed here. In this run the two pastebin.com flows (6, 7) are followed by connections to 0.tcp.eu.ngrok.io (flows 8, 17, 26), so at capture time the paste pointed at an ngrok TCP tunnel. Treat the paste contents as volatile when re-analysing: the operator can repoint the tunnel without touching the binary.
Signatures
Detect Xworm Payload (5 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1704-1-0x0000000000160000-0x00000000001AA000-memory.dmp: family_xworm
  - C:\Users\Admin\AppData\Roaming\XClient.exe: family_xworm
  - behavioral1/memory/1640-36-0x0000000000F80000-0x0000000000FCA000-memory.dmp: family_xworm
  - behavioral1/memory/1968-41-0x00000000012B0000-0x00000000012FA000-memory.dmp: family_xworm
  - behavioral1/memory/796-43-0x00000000012F0000-0x000000000133A000-memory.dmp: family_xworm
  The four memory hits are the original process (PID 1704) and the three XClient.exe instances (PIDs 1640, 1968, 796). The same family rule also matches the dropped file on disk, so the payload is detectable statically and not only after unpacking.
Detects Windows executables referencing non-Windows User-Agents (5 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1704-1-0x0000000000160000-0x00000000001AA000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  - C:\Users\Admin\AppData\Roaming\XClient.exe: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  - behavioral1/memory/1640-36-0x0000000000F80000-0x0000000000FCA000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  - behavioral1/memory/1968-41-0x00000000012B0000-0x00000000012FA000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  - behavioral1/memory/796-43-0x00000000012F0000-0x000000000133A000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
  pid / process:
  - 2704 powershell.exe
  - 2544 powershell.exe
  - 1196 powershell.exe
  - 2656 powershell.exe
  The four commands (see the process tree) exclude the original file and its %AppData% copy, each both by path and by process name. The report records the launches, not their exit status: Add-MpPreference is provided by the Defender PowerShell module, which Windows 7 does not ship, so on this behavioral1 run the commands start but cannot change any exclusions. On a Windows 10 host they would, provided the account is an administrator.
Drops startup file (2 IoCs)
  description / ioc / process:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe)
Executes dropped EXE (3 IoCs)
  pid / process:
  - 1640 XClient.exe
  - 1968 XClient.exe
  - 796 XClient.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" (c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe)
  This is the per-user Run key (HKCU of the Admin account), so it needs no elevation and survives alongside the Startup shortcut and the scheduled task below: three independent persistence paths pointing at the same file.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
  flow / ioc:
  - 8: 0.tcp.eu.ngrok.io
  - 17: 0.tcp.eu.ngrok.io
  - 26: 0.tcp.eu.ngrok.io
  - 6: pastebin.com
  - 7: pastebin.com
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 4: ip-api.com
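The network indicators above form a sequence rather than a list: an external-IP lookup, a fetch of the pastebin "raw" endpoint named in the extracted config, then TCP sessions to an ngrok tunnel. The following is an added example (not sandbox or XWorm code) that buckets flow records into those three stages and only calls the chain complete when a dead-drop read precedes a tunnel connection. The Flow schema and the control records are constructed; the flow ids 4, 6, 7, 8, 17 and 26 and their hosts are the report's, the /raw path is taken from the extracted pastebin_url, and the extra IP-lookup and ngrok domains are assumptions beyond the page.

```python
"""Network-side triage for the dead-drop-then-tunnel chain in this report. Added
example, not sandbox or XWorm code. The Flow schema and the sample records are
constructed; flow ids 4, 6, 7, 8, 17 and 26 and their hosts are the report's."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    flow_id: int                      # assumed to increase in capture order
    host: str                         # DNS name, HTTP Host header or TLS SNI
    http_path: Optional[str] = None   # None when the path is not visible (TLS, raw TCP)


PASTE_HOSTS = {"pastebin.com"}
PASTE_RAW_RE = re.compile(r"^/raw/[A-Za-z0-9]{6,}$")   # body-only endpoint the client reads its C2 from
# n.tcp.<region>.ngrok.io is a raw TCP tunnel, as in the report; ngrok-free.app is
# added here as ngrok's other public domain (assumption beyond the page).
TUNNEL_RE = re.compile(r"(\.tcp\.[a-z]{2}\.ngrok\.io|\.ngrok\.io|\.ngrok-free\.app)$", re.I)
# ip-api.com is the report's; the other three are common external-IP services added here.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ifconfig.me", "icanhazip.com"}


def assess(flows: List[Flow]) -> Dict[str, object]:
    """Bucket flows into the three stages and decide whether the chain is complete:
    a raw paste fetch (or, with TLS hiding the path, any paste-host contact) that is
    followed by a tunnel-service connection. A tunnel seen before any dead-drop read,
    or a dead-drop read with no tunnel after it, does not complete the chain."""
    dead_drop: List[int] = []
    tunnel: List[int] = []
    ip_lookup: List[int] = []
    for f in sorted(flows, key=lambda x: x.flow_id):
        host = f.host.lower()
        if host in PASTE_HOSTS and (f.http_path is None or PASTE_RAW_RE.match(f.http_path)):
            dead_drop.append(f.flow_id)
        elif TUNNEL_RE.search(host):
            tunnel.append(f.flow_id)
        elif host in IP_LOOKUP_HOSTS:
            ip_lookup.append(f.flow_id)
    chain = bool(dead_drop) and any(t > dead_drop[0] for t in tunnel)
    return {"dead_drop": dead_drop, "tunnel_c2": tunnel, "ip_lookup": ip_lookup, "chain": chain}


# Constructed records. The report lists only hosts per flow; the /raw path is taken
# from the extracted pastebin_url and ip-api.com is left without a path.
REPORT_FLOWS = [
    Flow(4, "ip-api.com"),
    Flow(6, "pastebin.com", "/raw/819HpC9S"),
    Flow(7, "pastebin.com", "/raw/819HpC9S"),
    Flow(8, "0.tcp.eu.ngrok.io"),
    Flow(17, "0.tcp.eu.ngrok.io"),
    Flow(26, "0.tcp.eu.ngrok.io"),
]
# Control set (constructed): a user-page visit is not a raw fetch, and a tunnel that
# precedes the only raw fetch cannot have been resolved from it.
CONTROL_FLOWS = [
    Flow(1, "pastebin.com", "/u/someone"),
    Flow(2, "0.tcp.eu.ngrok.io"),
    Flow(3, "pastebin.com", "/raw/abc123def"),
]
```

The ngrok hostname is the weakest indicator here: tunnel endpoints change per session, so blocking 0.tcp.eu.ngrok.io buys little. The stable artefacts are the paste id in the config and the shape of the sequence, which is why the verdict is on ordering rather than on any single host. With pastebin over TLS only the SNI is visible, and the rule then degrades to host matching; pairing it with the tunnel connection keeps that from flagging every pastebin visit.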
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. The IoC is schtasks.exe PID 2896 in the process tree: a task named "XClient" that runs the %AppData% copy every minute (/sc minute /mo 1) with the highest run level (/RL HIGHEST), created with /f so an existing task of that name is silently replaced.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid / process:
  - 2656 powershell.exe
  - 2704 powershell.exe
  - 2544 powershell.exe
  - 1196 powershell.exe
  - 1704 c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description / pid / process:
  - Token: SeDebugPrivilege 1704 c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe
  - Token: SeDebugPrivilege 2656 powershell.exe
  - Token: SeDebugPrivilege 2704 powershell.exe
  - Token: SeDebugPrivilege 2544 powershell.exe
  - Token: SeDebugPrivilege 1196 powershell.exe
  - Token: SeDebugPrivilege 1704 c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe
  - Token: SeDebugPrivilege 1640 XClient.exe
  - Token: SeDebugPrivilege 1968 XClient.exe
  - Token: SeDebugPrivilege 796 XClient.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid / process:
  - 1704 c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe
  SetWindowsHookEx is the usual way to install a keyboard hook; the report does not show which hook type was requested.
Suspicious use of WriteProcessMemory (24 IoCs)
  Each parent-to-child pair is logged three times, which is the sandbox's bookkeeping for one process creation, so the 24 entries describe eight spawns:
  - PID 1704 (c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe) wrote to memory of 2656 powershell.exe (3 entries)
  - PID 1704 wrote to memory of 2704 powershell.exe (3 entries)
  - PID 1704 wrote to memory of 2544 powershell.exe (3 entries)
  - PID 1704 wrote to memory of 1196 powershell.exe (3 entries)
  - PID 1704 wrote to memory of 2896 schtasks.exe (3 entries)
  - PID 1760 (taskeng.exe) wrote to memory of 1640 XClient.exe (3 entries)
  - PID 1760 wrote to memory of 1968 XClient.exe (3 entries)
  - PID 1760 wrote to memory of 796 XClient.exe (3 entries)
  The sample itself never launches XClient.exe; every instance is started by the Task Scheduler host, which is the scheduled task from PID 2896 firing.
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
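The host-side signatures above reduce to a handful of command-line, registry and file patterns that are cheap to check in process telemetry. The following is an added example (not sandbox or XWorm code) that runs those checks over a small event list: Defender exclusions added through PowerShell, an `-ExecutionPolicy Bypass` shell spawned by a binary in a user-writable directory, a `schtasks /create` with a minute-level repeat or a user-writable action, a Run value pointing into a user-writable path, a drop into the Startup folder, and a Task Scheduler host launching something from such a path. The `Event` schema is an assumption rather than a specific product's log format; the PIDs and command lines are copied from this report's process tree, and the explorer.exe parent, taskeng.exe's parent and the two benign control events at the end are constructed. The `svchost.exe` entry in `SCHEDULER_HOSTS` is likewise an assumption covering newer Windows builds, since this run only shows taskeng.exe.

```python
"""Host-event triage for the chain in this report (Defender exclusions via PowerShell,
one-minute scheduled task, Run key, Startup-folder drop). Added example, not sandbox
or XWorm code; the Event schema and constructed events are assumptions, the PIDs and
command lines are the report's."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    kind: str     # "process" (created), "registry" (value set) or "file" (created)
    pid: int      # for "process": the new process; otherwise the acting process
    ppid: int     # parent PID (used for "process" events only)
    image: str    # image path of the process identified by pid
    detail: str   # process: command line; registry: "key=value"; file: path


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
EXCLUSION_RE = re.compile(
    r"""\bAdd-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+['"]?([^'"\s]+)""", re.I)
EXEC_BYPASS_RE = re.compile(r"-(ExecutionPolicy|ep|ex|exec)\s+bypass\b", re.I)
SCHTASKS_MO_RE = re.compile(r"/sc\s+minute\b.*?/mo\s+(\d+)", re.I)
SCHTASKS_TR_RE = re.compile(r'/tr\s+"?([^"]+?)"?(?=\s+/|$)', re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^=]+=(.+)$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# taskeng.exe hosts task actions on Windows 7 (as in the report); svchost.exe is an
# assumption covering the Schedule service host on later Windows builds.
SCHEDULER_HOSTS = {"taskeng.exe", "svchost.exe"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Event]) -> List[Finding]:
    """Run every rule over the events and return the hits in input order."""
    procs: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process"}
    out: List[Finding] = []
    for e in events:
        parent: Optional[Event] = procs.get(e.ppid)
        if e.kind == "registry":
            m = RUN_KEY_RE.search(e.detail)
            if m and USER_WRITABLE.search(m.group(1)):
                out.append(Finding("run_key_to_user_writable_path", e.pid, m.group(1)))
        elif e.kind == "file":
            if STARTUP_DIR_RE.search(e.detail):
                out.append(Finding("startup_folder_drop", e.pid, e.detail))
        elif _base(e.image) == "powershell.exe":
            m = EXCLUSION_RE.search(e.detail)
            if m:
                out.append(Finding("defender_exclusion", e.pid, f"{m.group(1)}={m.group(2)}"))
            if EXEC_BYPASS_RE.search(e.detail) and parent and USER_WRITABLE.search(parent.image):
                out.append(Finding("bypass_from_user_writable_parent", e.pid, parent.image))
        elif _base(e.image) == "schtasks.exe" and "/create" in e.detail.lower():
            mo = SCHTASKS_MO_RE.search(e.detail)
            tr = SCHTASKS_TR_RE.search(e.detail)
            minutes = int(mo.group(1)) if mo else None
            target = tr.group(1) if tr else ""
            if (minutes is not None and minutes <= 5) or USER_WRITABLE.search(target):
                rl = "HIGHEST" if re.search(r"/rl\s+highest\b", e.detail, re.I) else "default"
                out.append(Finding("schtasks_persistence", e.pid, f"every {minutes} min, rl={rl}, tr={target}"))
        elif parent and _base(parent.image) in SCHEDULER_HOSTS and USER_WRITABLE.search(e.image):
            out.append(Finding("scheduler_launches_user_writable_exe", e.pid, e.image))
    return out


# Constructed events mirroring the report's process tree. The explorer.exe parent (PID 1000),
# taskeng.exe's parent (0, not on the page) and the two benign control events are assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe"
CLIENT = r"C:\Users\Admin\AppData\Roaming\XClient.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"
RUN_KEY = r"\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient"


def _ps(pid: int, args: str) -> Event:
    return Event("process", pid, 1704, PS, f'"{PS}" -ExecutionPolicy Bypass {args}')


EVENTS = [
    Event("process", 1704, 1000, SAMPLE, f'"{SAMPLE}"'),
    _ps(2656, f"Add-MpPreference -ExclusionPath '{SAMPLE}'"),
    _ps(2704, f"Add-MpPreference -ExclusionProcess '{_base(SAMPLE)}'"),
    _ps(2544, f"Add-MpPreference -ExclusionPath '{CLIENT}'"),
    _ps(1196, "Add-MpPreference -ExclusionProcess 'XClient.exe'"),
    Event("process", 2896, 1704, SCHTASKS,
          f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "{CLIENT}"'),
    Event("registry", 1704, 1000, SAMPLE, f"{RUN_KEY}={CLIENT}"),
    Event("file", 1704, 1000, SAMPLE,
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk"),
    Event("process", 1760, 0, TASKENG, "taskeng.exe {9A973574-8FF8-4F97-AF05-CDBC76B81472}"),
    Event("process", 1640, 1760, CLIENT, CLIENT),
    Event("process", 1968, 1760, CLIENT, CLIENT),
    Event("process", 796, 1760, CLIENT, CLIENT),
    Event("process", 3001, 2999, SCHTASKS,
          f'"{SCHTASKS}" /create /sc daily /st 02:00 /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe"'),
    Event("process", 3002, 2999, PS, f'"{PS}" Get-MpPreference'),
]
```

Running `triage(EVENTS)` yields fourteen findings for the report's events and none for the two controls (a daily task with a Program Files action and a read-only `Get-MpPreference`). The exclusion rule keys on `Add-MpPreference -Exclusion*` regardless of whether the call later succeeds, which is the right bias for detection: on this Windows 7 run the cmdlet is absent, but the intent is identical to what the same binary does on Windows 10. The scheduler rule fires on the interval or the action path alone, so the `/RL HIGHEST` flag is reported as context rather than required.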
Processes
C:\Users\Admin\AppData\Local\Temp\c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe (PID 1704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2656)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2704)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2544)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1196)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\schtasks.exe (PID 2896)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    - Creates scheduled task(s)
C:\Windows\system32\taskeng.exe (PID 1760)
  Command line: taskeng.exe {9A973574-8FF8-4F97-AF05-CDBC76B81472} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\XClient.exe (PID 1640)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\XClient.exe (PID 1968)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\XClient.exe (PID 796)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Reading the tree: the sample (PID 1704) does all the installation work itself and never starts the copy directly. Its five children are four Defender-exclusion commands (the original file and the %AppData% copy, each by path and by process name) and one schtasks call that registers "XClient" to run every minute at the highest run level. The second root, taskeng.exe (PID 1760), is the Task Scheduler's action host for the Admin session; its three XClient.exe children (PIDs 1640, 1968, 796) in a 148-second run are that one-minute trigger firing, which also means the Startup shortcut and the Run key were never needed during the capture. Removing only the file without the task, the Run value and the .lnk leaves a task that re-launches the path as soon as the file is restored.
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: cc6d4596989f38fed8e7e4fed43f70c0
  SHA1: 2d32d6f5fe2431fc91328628ce86fcfcefcd4f28
  SHA256: d4c7f07f9fb15c7055bec075933c4c450f5be729ea1ea49ba6f8ed29a929ffe0
  SHA512: 282bec1f6ff0dd60381a56fb1b39d02c645731c152d85070143e1f2031975ed75a36aab46940c60b83650ca50223f54ee475df2c73334574f14c7ae2ea53db88
  This is a jump-list (CustomDestinations) file, a side effect of the powershell.exe launches rather than a malware drop; the AppID 590aee7bdd69b59b is the one commonly catalogued for 64-bit Windows PowerShell. It is useful forensic evidence that PowerShell ran under this user, not an IoC to block on.
- (path not given on the page)
  Filesize: 276KB
  MD5: 9f14aa0555e80190fe99817d0b3ae058
  SHA1: d5b77274a0d5cb8a3b17d12b26e8fb48914c6d98
  SHA256: c1130543ef2f5093477fc0f719d889445cbddf096494122a64f268aeb9a2d783
  SHA512: 88ea107c23eb017d8dae25d57402a11ccc2660d4860259f40820676aebeef1df920e25d1280eeca5cc24a249d8f654211c752c7ed64399f5d07ef160c6c238e7
  All four digests equal the submitted sample's, so this dropped file is a byte-for-byte copy of the original. That is consistent with the extracted config (install_file XClient.exe under %AppData%) and with the family rule matching C:\Users\Admin\AppData\Roaming\XClient.exe on disk: one hash set covers both the dropper and the installed client.
- (path and size not given on the page)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of zero-length input, i.e. an empty file; they carry no identifying value and should not be added to a blocklist.