Analysis

  • max time kernel
    49s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-05-2024 11:07

General

  • Target

    XClient.exe

  • Size

    60KB

  • MD5

    0f803689398c092ad9ae274d5c7507d6

  • SHA1

    693161863fa62cb65e7f3102d55087a9bf816889

  • SHA256

    0c336bb9258f45ded239bfd2a721a779c3a467cfd177d9ab75841d6eb61d2a8a

  • SHA512

    1fed05b278b8243c1e45c34a1eca78492fb24d18296feac978bd54528359d2c07a783bff434921a26a96ba122a8dc9da6d00b9cdda09c6c8569910d0472080f8

  • SSDEEP

    1536:b5GHtqKStfgDGVHc08kbsXHZBgGOq+k6Z:lGNqrIDK8kbsXLOq+bZ

Malware Config

Extracted

Family

xworm

C2

91.92.241.69:5555

Attributes
  • Install_directory

    %AppData%

  • install_file

    AMD Graphics Manager.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely to geofence execution.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AMD Graphics Manager" /tr "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"
      2⤵
      • Creates scheduled task(s)
      PID:2704
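
The process tree above shows the whole persistence chain in one command line: XClient.exe spawns schtasks.exe with /create /f, /RL HIGHEST, a trigger of /sc minute /mo 1, and an action under the user's AppData\Roaming folder (note that the recorded /tr path omits the .exe extension that the extracted install_file carries). The Signatures section adds a Run key on top of the task. The following is an added example, not output of the sandbox and not Xworm code: it scores Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) events for exactly that pattern. Only the first command line is copied from the report; the other events, the event dictionary layout, the thresholds and the function names are constructed for illustration.

```python
import os
import re
import shlex

# Constructed Sysmon-style events for offline testing. Only the first
# command line is copied from the report's process tree; the others are
# made-up benign and malicious look-alikes.
EVENTS = [
    {"id": 1,
     "cmd": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
            r'/tn "AMD Graphics Manager" /tr "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"'},
    {"id": 1,
     "cmd": r'"C:\Windows\System32\schtasks.exe" /create /tn "NightlyBackup" /sc daily /st 02:00 '
            r'/tr "C:\Program Files\Backup\backup.exe"'},
    {"id": 13,
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\AMD Graphics Manager",
     "details": r"C:\Users\Admin\AppData\Roaming\AMD Graphics Manager.exe"},
    {"id": 13,
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_schtasks(cmd):
    """Split a schtasks command line into {'/opt': value}; flags map to None.
    posix=False keeps Windows backslashes literal and lets quotes group words."""
    tokens = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    opts = {}
    i = 1  # token 0 is the schtasks image path
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok.lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = None
        i += 1
    return opts


def assess_schtasks(cmd):
    """Return the reasons a schtasks /create line resembles RAT persistence."""
    opts = parse_schtasks(cmd)
    if "/create" not in opts:
        return []
    reasons = []
    if (opts.get("/sc") or "").lower() == "minute":
        try:
            every = int(opts.get("/mo") or 1)
        except ValueError:
            every = 1
        if every <= 5:  # constructed threshold: anything this frequent is a watchdog, not a job
            reasons.append(f"re-runs every {every} minute(s)")
    if (opts.get("/rl") or "").lower() == "highest":
        reasons.append("requests highest run level")
    action = opts.get("/tr") or ""
    if APPDATA_RE.search(action):
        reasons.append("action lives under the user's AppData")
    # Normalise separators so os.path works on non-Windows hosts too.
    if action and not os.path.splitext(os.path.basename(action.replace("\\", "/")))[1]:
        reasons.append("action path has no file extension")
    return reasons


def assess_run_value(target, details):
    """Score a registry-value-set event: a Run/RunOnce value whose command
    points into AppData is the second persistence mechanism seen here."""
    if not RUN_KEY_RE.search(target):
        return []
    reasons = ["autostart via Run key"]
    if APPDATA_RE.search(details):
        reasons.append("autostart target lives under the user's AppData")
    return reasons


def hunt(events, min_reasons=2):
    """Return (event, reasons) pairs that reach the constructed threshold."""
    hits = []
    for ev in events:
        if ev["id"] == 1 and "schtasks" in ev["cmd"].lower():
            reasons = assess_schtasks(ev["cmd"])
        elif ev["id"] == 13:
            reasons = assess_run_value(ev["target"], ev["details"])
        else:
            reasons = []
        if len(reasons) >= min_reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in hunt(EVENTS):
        print(ev.get("cmd") or ev["target"])
        for r in reasons:
            print("  -", r)
```

The threshold of two reasons keeps a lone Run value for a legitimate application (the constructed OneDrive event) below the line while the report's task, which trips all four checks, and the AppData-backed Run value are both returned. When applying this to real telemetry, feed it the CommandLine, TargetObject and Details fields of the corresponding Sysmon events.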

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\ApproveSearch.vsw

    Filesize

    764KB

    MD5

    ccfc02fb9d15327232037daf7e71c83c

    SHA1

    19dcd73715035b6f7a68356cf3c28a5411b8dd91

    SHA256

    e70675a05005f2167480e201f7db4ec3923afc383275a4a2fe48af8530f0af83

    SHA512

    4ee99a6d0d4c2771c14c1bc9c4bc514fbd96e58d58f277f447e5149f407876f6d66caa82b079ffb5f7752356f7ad2020a991d632370d4b6f35efa9f025e06dbf

  • C:\Users\Admin\Desktop\CloseSubmit.xml

    Filesize

    666KB

    MD5

    0355f1bce4ff09872c95fdbd917308ef

    SHA1

    3e59965a635a6a90470c72531ca0c58d3eee0150

    SHA256

    7db497d4a400e6ae03f52ae04c790897b4cb7f39b969994c30f88e015befac2f

    SHA512

    8dd3bfb5d12d63621607febec356fd6b1a57012a2bd9e707583c0cb9a03e5bdc77ee4d7ce6711a3c9148fde1783f7d6ac506c25ab8f9dc90bfe4e5f6bc36fd08

  • C:\Users\Admin\Desktop\ConfirmStart.cr2

    Filesize

    724KB

    MD5

    dbf07c66680e1aec829703ae1b1371dd

    SHA1

    17217def413ed8685b5163e4e8cf414ba86a8576

    SHA256

    44bbd6b54c023d896923437066cff3f51f497db369de3cc926c2a2c3e80308c9

    SHA512

    846aa32f2c0c6b0984d6bf1befcc8d78fff47f7479e7d83118f385c7fab58d6797cd7a366c844c6eb98818d4f1b8028a9040f91ee822fe21c8d7437459fa6d28

  • C:\Users\Admin\Desktop\ConvertRedo.ps1xml

    Filesize

    313KB

    MD5

    13daae583e2fe64ececed044df32def7

    SHA1

    156cc09516932c67a74a7b50543ed0e379d9d49f

    SHA256

    f9191596b5ad32609bd9a9f384fe9352b772708c6ec9e097359bdf2070541dca

    SHA512

    ad07f3494fd743c6216ca359a7b3a67290b6f911fc8834dea606d99e0c2ac69914136f5b62e441490b564b152b6fcc46dcbcf6f1b4aacc15d13ecd2fbfbc665a

  • C:\Users\Admin\Desktop\ConvertToInstall.midi

    Filesize

    372KB

    MD5

    011e27a735e2dce6cafa12cb122ef336

    SHA1

    f43d4cafc415524344949bc6c80ff486f7a5b038

    SHA256

    cab9399cf8727bb3c1d96d68def6e606b37dff0d42d36c68ca329cd96b9a8dd5

    SHA512

    6616782564ec78cacc17b401ecad03e57176f14ea560474eb26e41a2572b590a1da8dcbc246f0147d42482554aa99fb1351c79e284d95a6327495dbf952acf8d

  • C:\Users\Admin\Desktop\DebugRemove.mp4v

    Filesize

    646KB

    MD5

    7fe219c0a48434151981a6cb5445763e

    SHA1

    68068dd0777e2a9073950de9055878d0eb050334

    SHA256

    be62bc14f014915ce2486b7f40d2399717d49741ca81c57caf2d3987830bf5b5

    SHA512

    983f76bf034da19a0b282f2380138abf84154a0c00e6e3bb75c46b3b617cb62d81e42f6da54d2dc83dac9669db33afb335f7f1599e6ee076caea7114a598f7e7

  • C:\Users\Admin\Desktop\DisableConnect.ram

    Filesize

    391KB

    MD5

    56a07b258dab2208b9814fa70d5e2586

    SHA1

    c46c21af0e74167e996e53aa0c3d2686ea87de96

    SHA256

    bc46e7b72936400a397bb5bf26dbb5d8c872aa46ec08c9ba85a190c4a474653d

    SHA512

    8e760305dffa60d4d96b34b3c95346b0554ba254633d701e240fd715743885654879cf79558556a73d3f7ff29afa97d4983bd5d4470d262ee03242f79c9d3232

  • C:\Users\Admin\Desktop\DisableExit.vstm

    Filesize

    626KB

    MD5

    43e39f8bcede388cb8166e9179fbb71a

    SHA1

    d27f7397a75ff85b23374ec01f71d53ca622f2c0

    SHA256

    3fef85837c11df00389945e23a8e5d21ed8164760a4f24d88468f2a012d871d6

    SHA512

    2545e4bea2c4c202f8dc87bcf152c37d4657b4ac4ce7ca74daa3598a82463788ca315d24e13dcfa3a5a4b16c757bd3c6ec1972e3f2d9b708791a1265fa0fd0b8

  • C:\Users\Admin\Desktop\EnableInvoke.search-ms

    Filesize

    431KB

    MD5

    db8360e76d053ab9656c3ccf4a053cbd

    SHA1

    2f5af1bb69a4bb96ec42290c6a9ce517afee3953

    SHA256

    d65b707a15b28f15c25769e99dfb763037cf81cb45273a23b116a1f7bbe96aeb

    SHA512

    295da8381b39a76fce7275c8e7d7a55f347dacc9da0af1015111e03867fd141ab1b5137413516763d13ce282fc748a807517b4aeb88f2e964a831eadd7f1e7b5

  • C:\Users\Admin\Desktop\EnableOptimize.svg

    Filesize

    568KB

    MD5

    ef786e6b01fe700a0383ceb0cbba8ab0

    SHA1

    e41bddbeaa6ba3d009f88b1af99e641153ed6636

    SHA256

    08f94ae3fc496775983310b2c15386845bdb7e66bc02c4ba51f95eff1e9520cc

    SHA512

    c5193b0ec3cd26cc49fc34f77d1e2d689ae5926cd65cdf81b830332e580d04efc9ff3bb7403cc68c72d42beea97bed66b1be651f71fa7bec0e9904ed9ff2484f

  • C:\Users\Admin\Desktop\ExitCopy.gif

    Filesize

    1.1MB

    MD5

    c16e59999345a206a4ecf71449a7495e

    SHA1

    49d8a76c0d80cdce5e41381a12fde978a707f82d

    SHA256

    1816d0c8f0142386fe99dbd4cce608ac6b457971bef2a816569b8bd2c4c7ffc6

    SHA512

    1c172bd95452a2bf237e4c37b0e41a48ce6d349196aa9d243f524ff1158a7481869f4c7b2e70582fbb1a53a5932bbc28917b848157b7deca4d47117d9d8f572a

  • C:\Users\Admin\Desktop\GroupEnable.edrwx

    Filesize

    587KB

    MD5

    9c6018eb022f8db4a01dff92f2904493

    SHA1

    8012e593408b6449e6a273ae794ce0636dd140d4

    SHA256

    559f3200314c11efe517b13746913ad0f51347f4bd0cf4028149e69c4d6370ef

    SHA512

    f976b8d053d13d47552575ef9c6b93ff6b1fa48f984e785f4c72b24dec83aa3e1b0c99ef8d611f2dc6dec5d180b2a982a4ce2d224c77a9ea013394b91449fc0c

  • C:\Users\Admin\Desktop\HideRedo.exe

    Filesize

    450KB

    MD5

    b526c7ab83e008c61e5ff61ad0d083ee

    SHA1

    4fb80a81f47187d96f73ef860cdc4bf309d30fa9

    SHA256

    ca2b100f84ce72b506abce33f69d95b1b1c06c81f2272d965e23d8929db68a94

    SHA512

    0e68e3d26ebfaa772e6cd2d381ef88b3a3a97ee89c2d0c1f780d633664e2f1d8c5118b3ff53a2635a9d2dbab862af88aff0bd9ac317532018d5fd71c3c5eea55

  • C:\Users\Admin\Desktop\JoinTest.bmp

    Filesize

    607KB

    MD5

    8d4e7c7fccaec523b2c2a028db1ae72c

    SHA1

    f6838997f44a05731493695012af1adc6df42675

    SHA256

    d4239200acea76100af25441ca60d9097927819e392e61aca58e79797fbcf955

    SHA512

    af2908cec589b15a46e45721ff3c5499d4408ab710edcd7bc046109444bfb6c337eb3e8d589717c048b7351c15df3841960b2f8713172a1b71f2e046305c3340

  • C:\Users\Admin\Desktop\MoveInvoke.cfg

    Filesize

    705KB

    MD5

    ed0f27e010cb15bb2d671e69f92e90ae

    SHA1

    89b66b31423842018b577d0bbed0131853654205

    SHA256

    66af501897f25b3338cc1b9df2fba2fa4102d7fa51d1249e4527ec50d0994396

    SHA512

    39b8e550f46ca2725e9f25d3e3ef09d5ac03ab9989a68775accb177bd3fd2cec4c27acd016491d74ae144c09d93812632bbc1f0d6e6615d0d6774b20b68c04b3

  • C:\Users\Admin\Desktop\OpenBlock.M2V

    Filesize

    528KB

    MD5

    63b1ae3cc5b45806ca2614c48beaf2ff

    SHA1

    c08e6679c379bf8f42dfb252e44f4c4499494635

    SHA256

    7fe4d55c02deb1130669c01720de4fc1208a88c8f210278408fe9de08829df1e

    SHA512

    8d49d2c7379e1fab7de8453b2ff3508c699c61026b82801682003a143438311e9e81a90c3d496c4b4630eb2a4ab5436221d3d655b39e0de80134be7bda657445

  • C:\Users\Admin\Desktop\PopLock.mht

    Filesize

    783KB

    MD5

    de2db85b12821f63cdd8137f6e9c6384

    SHA1

    4d30396365663681d102d25e4394cd9eb1b7c755

    SHA256

    43b952b5580e1fdbbd33bce83d028e08a92cdd7cd461737e396c020683b14424

    SHA512

    edaccdf54776aebd1785633671c800ef0ec61ec830aa1c955b45b74afee837a9651eaa7abeb41d3243ca18ebddd123e3adefeaace49ff4d7c1e724bcbe1c5f68

  • C:\Users\Admin\Desktop\RedoMeasure.m1v

    Filesize

    293KB

    MD5

    4905e7d4a1c12366e4535695a936cdc0

    SHA1

    cd6a3ac5757134a5e197f8203dbf5f14cc0d2c4e

    SHA256

    c112f59cc9066d8bf2dd9246186ce390bb3d1653556e6e3b3ea4760ce2f076aa

    SHA512

    4b77c6363ee9448e18273e81365143818bffbd17e71e6351761cb284c8c9c059d6db05ed7dfd36dc9a5b3ae41ca241bda8f5eaf886932d11ac41f31a5458ab22

  • C:\Users\Admin\Desktop\RegisterRevoke.avi

    Filesize

    333KB

    MD5

    dd37ba32ba123c1275d7b1ca522603af

    SHA1

    7d18fb57788eedc86107e6f0ade432f41f82843f

    SHA256

    a4effcb67215e5ca3c032be18125c42373ec22d1ee886a2e2ecb71d0d1506c1c

    SHA512

    2f31788691fa5f8f630fb115f0f782c98f0b45ac84d07483b6001791c7812095f29b29eba96851c9ba941f96491b4924d5a12245c79c954adb8b35d32a4388f7

  • C:\Users\Admin\Desktop\RepairCompress.mp4

    Filesize

    509KB

    MD5

    ce27f762b22f82646224ca917c0609c9

    SHA1

    432426491711977c1291a036afd13097e2261991

    SHA256

    dd71788e2169573797f0c1f137e77857dd23a4f0d81f48eec898ce6118a17fc6

    SHA512

    13b842faeb25c94e1a58a902de47cf1d935fc9ee652a2fe7c087be49a7327b0f6dc0ccbe6ff60ebab54043c6c35c97fc0ed42318ba491ab1d29b140e04c8ecb5

  • C:\Users\Admin\Desktop\SaveUnpublish.pptm

    Filesize

    352KB

    MD5

    04b4c6f58e79429a389b5fa2dff7327e

    SHA1

    2142454a3812e2f6eb94db3ab17a76919ac805ea

    SHA256

    7e605915c8e740624d72b43758337558fcb122e3469af9a76d0ee56b409c0526

    SHA512

    ab3bb4593f4834a34324981021bb7680c128ac84084af57ffad327181b80b0fb9bbf1a68f36029f818362c403e9623263e17c423b598761b39bd01bd21ed1134

  • C:\Users\Admin\Desktop\SetUninstall.midi

    Filesize

    744KB

    MD5

    19e6ac0c825cd5729d59b0b49bc4eacb

    SHA1

    cbaf4f6cadb5557988645a2d542bce715e016b0a

    SHA256

    7384a0fc1c8b67d88d3ecbb698cb36b8bc2a18bb632411b126192f64a7271fe4

    SHA512

    98f7368f9a66ad044850cf515c3bf44811edec2ef3f697353c8792d7f67af36c5231f2a21234314067cc9358c8ebb4c4e234beceedf02937da8c6aefc33969f5

  • C:\Users\Admin\Desktop\SplitResume.xlsb

    Filesize

    274KB

    MD5

    3d5c692b17169e3e7452b1498d9dc9d1

    SHA1

    c5cf29c5fc38af06951d368434356485e5d4d885

    SHA256

    b8dae58ff3fd3dd27ee036d8856c3796e60688ff4555fb031c6f16d1d4671bb0

    SHA512

    631b73b60f9c2c9ca2cebe0bb758ac12007c461673d9ff9f2eb13bbfb2685d5c3eb44b9dda890fad3dd1eaeb9799bdd0b99efa090ea4220700e248acc074619d

  • C:\Users\Admin\Desktop\StartEnable.xla

    Filesize

    548KB

    MD5

    03d3229fdd728c38c98564f180e59b7d

    SHA1

    8080eaac01f61d991c0d3ceb075bd8e1939197f4

    SHA256

    b783b6d6048d2afe1166e4131e0833f3eda9dd2b9589a470124e2f49395c1830

    SHA512

    99a4f0034c615f78e66a29cd520d9ea0450b0e61f36ee4e567b2bcd871bb47be46ffbf631b18aad23bd9af63379717ae5b33ca72249a96ed5764611289e8625a

  • C:\Users\Admin\Desktop\SwitchWatch.xsl

    Filesize

    685KB

    MD5

    98400ef5a5ae00de992ca91ae39e508f

    SHA1

    65aa18d289983532f55cb5e150735f6e826a2f7c

    SHA256

    3f4992b833b2593a5d246f1324ef202c8ceef3263d192aa813e59001ff883b16

    SHA512

    92f6edc21e0ea904895f3beddfe0b23cb8340723edb846798a6323009b9712fb6eea13d253aa4c886bd6ecdc66e45b39cbb35254ac1e10aff4a11b5bf7eb4e73

  • C:\Users\Admin\Desktop\UnpublishRegister.rtf

    Filesize

    470KB

    MD5

    f42f79db66b8bcc199d80c7b80248e9b

    SHA1

    c07bbdbf503e6f533c7a8f245710b491c30e7d5d

    SHA256

    c0483e1d02a870dd5cb797d4db7098947e67af536b2527bec678f7679b734fbc

    SHA512

    a090f60f336ed3e7a2e1d9d35f46e4b5fbe85db6467432d3401dddf9b522508a3f529683954e02a3e94c55a6f7ed52de8b84179f924c8cb89cee2b159828a440

  • C:\Users\Admin\Desktop\UnregisterOut.xhtml

    Filesize

    411KB

    MD5

    2960bd37980b8e3f6be10b907b1bad28

    SHA1

    510ea032688cfdd2ef15b85872796cce3b3e6e4b

    SHA256

    0bc531b6624382f793a215ba2556a5c2d1592b3a996c671ac5a277045ab94385

    SHA512

    3b77bc85df531ea98389c4ba566b5c5a3b585579c27963b0d11b40a080e7ec73a19cc4988830dbf38141047b8a5d6bf344ffc5d02aec8bf01490582c1e634f3d

  • C:\Users\Admin\Desktop\WriteBackup.sys

    Filesize

    489KB

    MD5

    071a784c0218e5797f33e089cb73df12

    SHA1

    408c61221db6c2288e68afcf3e1821a10324b08e

    SHA256

    d4b473dab850188de65ebd3f6474cdc261d22fe1c548261c2df6f99cf21fe02f

    SHA512

    ed6b481d6a7f343e25363b7af07911933d67d3d19f98bb0ed7d846ce3328fe62602be936c6aacac0c5d563d664c5d90cdd2741fe182b7ae526f2b03cfa381cd0

  • C:\Users\Public\Desktop\Acrobat Reader DC.lnk

    Filesize

    2KB

    MD5

    248891795954a5044110d8a8ffcc47c0

    SHA1

    6a689619d173927e7cd9d68fe82c4488a8e48fd7

    SHA256

    f8c95cfbfb7212fa48f0ab9954ba8866524a2ababd73b05781a8e5d8110afe40

    SHA512

    9b6ceffc55b4d9fbcf3ce9deb0a2f7b711c5d11fe2426077da8265560c8ec4af10d8f0acb10ab5b8628c1564d847dfd7e3d73d0f268761e7c620f710777c9c6f

  • C:\Users\Public\Desktop\Firefox.lnk

    Filesize

    1000B

    MD5

    7313a00b87207b6bcbbff5f194100ab1

    SHA1

    1f73f56a1f4aa0b42c918ab3aeecb94ccd455972

    SHA256

    c78509048450c9889ef9c8de63243d92c7592654698a9a1d1a12d3060abd168b

    SHA512

    8a53cd306d7eaeca1026bea54e5f4848b5af7f3b302027776d274c1611ffbd66cbb03beb26522a0c6ad34b21c94e9f7939de68e323b49690c7c6d8b4d62010b7

  • C:\Users\Public\Desktop\Google Chrome.lnk

    Filesize

    2KB

    MD5

    20ab116fcbdf4080137353e62641da2a

    SHA1

    a84091901e19ad4aa2abd98e2c4b9cad30075730

    SHA256

    0a1c5ea0a34c8d12d3d03990179bb491134c4f8be12da52517f26e032f54ffcd

    SHA512

    c50c964bf5fd6b757c81dbd204d68f88007380c1a224b3e80b0074e6586b1ba19b664e73b2eadcdd30a3ada9d94aa515751420b7b818f160d67234724c3dd241

  • C:\Users\Public\Desktop\Microsoft Edge.lnk

    Filesize

    2KB

    MD5

    5e3a30e37211dc112d71db9ce256aa91

    SHA1

    9e445a33e5b380161803895c03fbc14c255b1cf2

    SHA256

    07594c10497d5ac5d30c14d5145852e9968fd1db9697d2bbbfd3168a650443d8

    SHA512

    fa3480cd370b922ca2424bcc27de7cb412a0279e414341e4f43a7e0f0a6c9fca38fd7cf9efb38073e71003fc1a9e2ecf48605ea80adcbdd0a47457fe6b5564ad

  • C:\Users\Public\Desktop\VLC media player.lnk

    Filesize

    923B

    MD5

    dfa804ee98966419e5e7b317c173e318

    SHA1

    06a25fd8eea568f548faac07b447f0e9088fa2de

    SHA256

    2a04d769c5da8ac9966237207d9e1ea04601484bc29e27cb075f93720f49b2d8

    SHA512

    53264478963ef31705813e76a45771c3321036defeff8e6f6d9e4ab951b0027727787d21a1b6dadc92c69bdaf36200ca04835fb2210c99b7251e8a904730a9cb

  • memory/4664-1-0x00000000004C0000-0x00000000004D6000-memory.dmp

    Filesize

    88KB

  • memory/4664-5-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

    Filesize

    10.8MB

  • memory/4664-7-0x00007FFF0F373000-0x00007FFF0F375000-memory.dmp

    Filesize

    8KB

  • memory/4664-6-0x000000001C990000-0x000000001CCE0000-memory.dmp

    Filesize

    3.3MB

  • memory/4664-0-0x00007FFF0F373000-0x00007FFF0F375000-memory.dmp

    Filesize

    8KB

  • memory/4664-8-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

    Filesize

    10.8MB