Resubmissions
31-05-2024 08:26
240531-kb5gxscc8t (score 10) 30-05-2024 13:27
240530-qp8dmaab3y (score 10) 30-05-2024 11:10
240530-m9qgrsfb9x (score 10)

Analysis
max time kernel: 715s
max time network: 720s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 08:26
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win10v2004-20240226-en
General
Target: XClient.exe
Size: 62KB
MD5: 3f171ed4261c46329a1bcc62ebb19519
SHA1: 06768df330b8012ee3d0cb22723408636ba7c17a
SHA256: 3c096dc60917ae1e47a754fd578882f1286ee9114ff5c6558b4f84f0be69076f
SHA512: 81e90ab476967a8ca6b88f8060fe72b56450dae6300adfbcef346dfb4c523e054da05d192209ff53771a8b49ad6a6922151d905a5a6bbc8decfe551ab757a06d
SSDEEP: 1536:1RE9Nr0ZWB8lQkagw9DC1oTnNbSkoRek+OUpS:1RE9NQZWB8XaguCWNbSHwk+OUE
Malware Config
Extracted
Family: xworm
Version: 3.0
C2: scamov-48667.portmap.host:48667
Install_directory: %LocalAppData%
install_file: Cheat.exe
telegram: https://api.telegram.org/bot6992734078:AAE3Znug3pzwyvwxKrzRk75x1dHIdnYHy4Q/sendMessage?chat_id=6790913039
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
  resource | yara_rule
  behavioral1/memory/3964-25-0x0000000000B20000-0x0000000000B2E000-memory.dmp | disable_win_def

Detect Xworm Payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/3964-1-0x0000000000200000-0x0000000000216000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Local\XClient.exe | family_xworm

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | XClient.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | XClient.exe

Drops startup file (4 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe

Executes dropped EXE (12 IoCs)
Processes:
  pid | process
  4820 | XClient.exe
  416 | XClient.exe
  5004 | XClient.exe
  1372 | XClient.exe
  940 | XClient.exe
  1188 | XClient.exe
  4460 | XClient.exe
  2668 | XClient.exe
  5024 | XClient.exe
  4992 | XClient.exe
  4420 | XClient.exe
  2920 | XClient.exe

Loads dropped DLL (1 IoC)
Processes:
  pid | process
  3964 | XClient.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Local\\XClient.exe" | XClient.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Local\\XClient.exe" | XClient.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  88 | ip-api.com
  12 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  4208 | schtasks.exe
  4300 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
Processes:
  pid | process
  4544 | timeout.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid | process
  3964 | XClient.exe
  2920 | XClient.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  3360 | taskmgr.exe (repeated entries)
  3964 | XClient.exe (repeated entries)

Suspicious use of AdjustPrivilegeToken (20 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3964 | XClient.exe
  Token: SeDebugPrivilege | 3964 | XClient.exe
  Token: SeDebugPrivilege | 4820 | XClient.exe
  Token: SeDebugPrivilege | 416 | XClient.exe
  Token: 33 | 2868 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 2868 | AUDIODG.EXE
  Token: SeDebugPrivilege | 5004 | XClient.exe
  Token: SeDebugPrivilege | 1372 | XClient.exe
  Token: SeDebugPrivilege | 940 | XClient.exe
  Token: SeDebugPrivilege | 1188 | XClient.exe
  Token: SeDebugPrivilege | 4460 | XClient.exe
  Token: SeDebugPrivilege | 2668 | XClient.exe
  Token: SeDebugPrivilege | 5024 | XClient.exe
  Token: SeDebugPrivilege | 4992 | XClient.exe
  Token: SeDebugPrivilege | 4420 | XClient.exe
  Token: SeDebugPrivilege | 3360 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 3360 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 3360 | taskmgr.exe
  Token: SeDebugPrivilege | 2920 | XClient.exe
  Token: SeDebugPrivilege | 2920 | XClient.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  pid | process
  3964 | XClient.exe (repeated entries)
  3360 | taskmgr.exe (repeated entries)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
  pid | process
  3360 | taskmgr.exe (repeated entries)

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description | pid | process | target process
  PID 3964 wrote to memory of 4208 | 3964 | XClient.exe | schtasks.exe
  PID 3964 wrote to memory of 4208 | 3964 | XClient.exe | schtasks.exe
  PID 3964 wrote to memory of 3428 | 3964 | XClient.exe | schtasks.exe
  PID 3964 wrote to memory of 3428 | 3964 | XClient.exe | schtasks.exe
  PID 3964 wrote to memory of 4308 | 3964 | XClient.exe | cmd.exe
  PID 3964 wrote to memory of 4308 | 3964 | XClient.exe | cmd.exe
  PID 4308 wrote to memory of 4544 | 4308 | cmd.exe | timeout.exe
  PID 4308 wrote to memory of 4544 | 4308 | cmd.exe | timeout.exe
  PID 2920 wrote to memory of 4300 | 2920 | XClient.exe | schtasks.exe
  PID 2920 wrote to memory of 4300 | 2920 | XClient.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

"C:\Users\Admin\AppData\Local\Temp\XClient.exe" (PID 3964)
  - Checks computer location settings
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Local\XClient.exe" (PID 4208)
      - Creates scheduled task(s)
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient" (PID 3428)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB06F.tmp.bat"" (PID 4308)
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\timeout.exe: timeout 3 (PID 4544)
          - Delays execution with timeout.exe

C:\Users\Admin\AppData\Local\XClient.exe (PID 4820)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8 (PID 2960)

C:\Users\Admin\AppData\Local\XClient.exe (PID 416)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE 0x4c4 0x30c (PID 2868)
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\XClient.exe (PID 5004)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\XClient.exe (PID 1372)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\XClient.exe (PID 940)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\XClient.exe (PID 1188)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\XClient.exe (PID 4460)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\XClient.exe (PID 2668)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4512 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8 (PID 2252)

C:\Users\Admin\AppData\Local\XClient.exe (PID 5024)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\XClient.exe (PID 4992)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\XClient.exe (PID 4420)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

"C:\Windows\system32\taskmgr.exe" /4 (PID 3360)
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Users\Admin\AppData\Local\XClient.exe (PID 2920)
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Local\XClient.exe" (PID 4300)
      - Creates scheduled task(s)
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Filesize: 100KB
MD5: 1b942faa8e8b1008a8c3c1004ba57349
SHA1: cd99977f6c1819b12b33240b784ca816dfe2cb91
SHA256: 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
SHA512: 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Filesize: 159B
MD5: 95aaef2e4a3d9429e656aefa68e76db8
SHA1: deb1baf3d7a09c2a519527f52b0933440640a408
SHA256: f205d84bc5b3e77d04c467589b720347f6dd195d8636ff20b3bb7ad41a300f71
SHA512: d65b1f4c886fb6a67828cab6604596fab0691e0da876f9c7bea98a0c2ae1057db4b31f2f57ba65319211b22e25631b3956c6ae748a4862d0cd7b3b8ef583dcc8

Filesize: 62KB
MD5: 3f171ed4261c46329a1bcc62ebb19519
SHA1: 06768df330b8012ee3d0cb22723408636ba7c17a
SHA256: 3c096dc60917ae1e47a754fd578882f1286ee9114ff5c6558b4f84f0be69076f
SHA512: 81e90ab476967a8ca6b88f8060fe72b56450dae6300adfbcef346dfb4c523e054da05d192209ff53771a8b49ad6a6922151d905a5a6bbc8decfe551ab757a06d