Resubmissions

31-05-2024 08:26

240531-kb5gxscc8t 10

30-05-2024 13:27

240530-qp8dmaab3y 10

30-05-2024 11:10

240530-m9qgrsfb9x 10

Analysis

  • max time kernel
    715s
  • max time network
    720s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 08:26

General

  • Target

    XClient.exe

  • Size

    62KB

  • MD5

    3f171ed4261c46329a1bcc62ebb19519

  • SHA1

    06768df330b8012ee3d0cb22723408636ba7c17a

  • SHA256

    3c096dc60917ae1e47a754fd578882f1286ee9114ff5c6558b4f84f0be69076f

  • SHA512

    81e90ab476967a8ca6b88f8060fe72b56450dae6300adfbcef346dfb4c523e054da05d192209ff53771a8b49ad6a6922151d905a5a6bbc8decfe551ab757a06d

  • SSDEEP

    1536:1RE9Nr0ZWB8lQkagw9DC1oTnNbSkoRek+OUpS:1RE9NQZWB8XaguCWNbSHwk+OUE

Malware Config

Extracted

Family

xworm

Version

3.0

C2

scamov-48667.portmap.host:48667

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    Cheat.exe

  • telegram

    https://api.telegram.org/bot6992734078:AAE3Znug3pzwyvwxKrzRk75x1dHIdnYHy4Q/sendMessage?chat_id=6790913039

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Local\XClient.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4208
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
      2⤵
        PID:3428
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB06F.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4308
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:4544
    • C:\Users\Admin\AppData\Local\XClient.exe
      C:\Users\Admin\AppData\Local\XClient.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4820
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2960
      • C:\Users\Admin\AppData\Local\XClient.exe
        C:\Users\Admin\AppData\Local\XClient.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:416
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x4c4 0x30c
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2868
      • C:\Users\Admin\AppData\Local\XClient.exe
        C:\Users\Admin\AppData\Local\XClient.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5004
      • C:\Users\Admin\AppData\Local\XClient.exe
        C:\Users\Admin\AppData\Local\XClient.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1372
      • C:\Users\Admin\AppData\Local\XClient.exe
        C:\Users\Admin\AppData\Local\XClient.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:940
      • C:\Users\Admin\AppData\Local\XClient.exe
        C:\Users\Admin\AppData\Local\XClient.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1188
      • C:\Users\Admin\AppData\Local\XClient.exe
        C:\Users\Admin\AppData\Local\XClient.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4460
      • C:\Users\Admin\AppData\Local\XClient.exe
        C:\Users\Admin\AppData\Local\XClient.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4512 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:2252
        • C:\Users\Admin\AppData\Local\XClient.exe
          C:\Users\Admin\AppData\Local\XClient.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:5024
        • C:\Users\Admin\AppData\Local\XClient.exe
          C:\Users\Admin\AppData\Local\XClient.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4992
        • C:\Users\Admin\AppData\Local\XClient.exe
          C:\Users\Admin\AppData\Local\XClient.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4420
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3360
        • C:\Users\Admin\AppData\Local\XClient.exe
          C:\Users\Admin\AppData\Local\XClient.exe
          1⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Local\XClient.exe"
            2⤵
            • Creates scheduled task(s)
            PID:4300

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

          Filesize

          654B

          MD5

          2ff39f6c7249774be85fd60a8f9a245e

          SHA1

          684ff36b31aedc1e587c8496c02722c6698c1c4e

          SHA256

          e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

          SHA512

          1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

        • C:\Users\Admin\AppData\Local\Temp\tmp5D42.tmp

          Filesize

          100KB

          MD5

          1b942faa8e8b1008a8c3c1004ba57349

          SHA1

          cd99977f6c1819b12b33240b784ca816dfe2cb91

          SHA256

          555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

          SHA512

          5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

        • C:\Users\Admin\AppData\Local\Temp\tmpB06F.tmp.bat

          Filesize

          159B

          MD5

          95aaef2e4a3d9429e656aefa68e76db8

          SHA1

          deb1baf3d7a09c2a519527f52b0933440640a408

          SHA256

          f205d84bc5b3e77d04c467589b720347f6dd195d8636ff20b3bb7ad41a300f71

          SHA512

          d65b1f4c886fb6a67828cab6604596fab0691e0da876f9c7bea98a0c2ae1057db4b31f2f57ba65319211b22e25631b3956c6ae748a4862d0cd7b3b8ef583dcc8

        • C:\Users\Admin\AppData\Local\XClient.exe

          Filesize

          62KB

          MD5

          3f171ed4261c46329a1bcc62ebb19519

          SHA1

          06768df330b8012ee3d0cb22723408636ba7c17a

          SHA256

          3c096dc60917ae1e47a754fd578882f1286ee9114ff5c6558b4f84f0be69076f

          SHA512

          81e90ab476967a8ca6b88f8060fe72b56450dae6300adfbcef346dfb4c523e054da05d192209ff53771a8b49ad6a6922151d905a5a6bbc8decfe551ab757a06d

        • memory/3360-52-0x000001F9A86A0000-0x000001F9A86A1000-memory.dmp

          Filesize

          4KB

        • memory/3360-51-0x000001F9A86A0000-0x000001F9A86A1000-memory.dmp

          Filesize

          4KB

        • memory/3360-50-0x000001F9A86A0000-0x000001F9A86A1000-memory.dmp

          Filesize

          4KB

        • memory/3360-53-0x000001F9A86A0000-0x000001F9A86A1000-memory.dmp

          Filesize

          4KB

        • memory/3360-49-0x000001F9A86A0000-0x000001F9A86A1000-memory.dmp

          Filesize

          4KB

        • memory/3360-54-0x000001F9A86A0000-0x000001F9A86A1000-memory.dmp

          Filesize

          4KB

        • memory/3360-48-0x000001F9A86A0000-0x000001F9A86A1000-memory.dmp

          Filesize

          4KB

        • memory/3360-44-0x000001F9A86A0000-0x000001F9A86A1000-memory.dmp

          Filesize

          4KB

        • memory/3360-43-0x000001F9A86A0000-0x000001F9A86A1000-memory.dmp

          Filesize

          4KB

        • memory/3360-42-0x000001F9A86A0000-0x000001F9A86A1000-memory.dmp

          Filesize

          4KB

        • memory/3964-31-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

          Filesize

          40KB

        • memory/3964-23-0x00000000008A0000-0x00000000008AA000-memory.dmp

          Filesize

          40KB

        • memory/3964-36-0x000000001AEC0000-0x000000001AEFA000-memory.dmp

          Filesize

          232KB

        • memory/3964-0-0x00007FF9D5CB3000-0x00007FF9D5CB5000-memory.dmp

          Filesize

          8KB

        • memory/3964-29-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

          Filesize

          40KB

        • memory/3964-28-0x0000000000A90000-0x0000000000A9A000-memory.dmp

          Filesize

          40KB

        • memory/3964-25-0x0000000000B20000-0x0000000000B2E000-memory.dmp

          Filesize

          56KB

        • memory/3964-34-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

          Filesize

          40KB

        • memory/3964-21-0x00000000008C0000-0x000000000094E000-memory.dmp

          Filesize

          568KB

        • memory/3964-61-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

          Filesize

          10.8MB

        • memory/3964-1-0x0000000000200000-0x0000000000216000-memory.dmp

          Filesize

          88KB

        • memory/3964-12-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

          Filesize

          10.8MB

        • memory/3964-11-0x00007FF9D5CB3000-0x00007FF9D5CB5000-memory.dmp

          Filesize

          8KB

        • memory/3964-2-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

          Filesize

          10.8MB

        • memory/4820-15-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

          Filesize

          10.8MB

        • memory/4820-17-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

          Filesize

          10.8MB