Analysis
max time kernel: 49s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 11:07
General
Target: XClient.exe
Size: 60KB
MD5: 0f803689398c092ad9ae274d5c7507d6
SHA1: 693161863fa62cb65e7f3102d55087a9bf816889
SHA256: 0c336bb9258f45ded239bfd2a721a779c3a467cfd177d9ab75841d6eb61d2a8a
SHA512: 1fed05b278b8243c1e45c34a1eca78492fb24d18296feac978bd54528359d2c07a783bff434921a26a96ba122a8dc9da6d00b9cdda09c6c8569910d0472080f8
SSDEEP: 1536:b5GHtqKStfgDGVHc08kbsXHZBgGOq+k6Z:lGNqrIDK8kbsXLOq+bZ
Malware Config
Extracted family: xworm
91.92.241.69:5555
Install_directory: %AppData%
install_file: AMD Graphics Manager.exe
Signatures
Detect Xworm Payload (1 IoC)
  Processes: resource behavioral1/memory/4664-1-0x00000000004C0000-0x00000000004D6000-memory.dmp matched yara_rule family_xworm
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: XClient.exe: Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation
Drops startup file (2 IoCs)
  Processes: XClient.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk; File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: XClient.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AMD Graphics Manager = "C:\\Users\\Admin\\AppData\\Roaming\\AMD Graphics Manager"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: XClient.exe (PID 4664): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: XClient.exe (PID 4664) wrote to memory of schtasks.exe (PID 2704); XClient.exe (PID 4664) wrote to memory of schtasks.exe (PID 2704)
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\XClient.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
   PID: 4664
   - Checks computer location settings
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\schtasks.exe (child of PID 4664)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AMD Graphics Manager" /tr "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"
      PID: 2704
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads