Analysis Overview
SHA256
0c336bb9258f45ded239bfd2a721a779c3a467cfd177d9ab75841d6eb61d2a8a
Threat Level: Known bad
The file XClient.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Xworm family
Drops startup file
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 11:07
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 11:07
Reported
2024-05-31 12:12
Platform
win10v2004-20240426-en
Max time kernel
49s
Max time network
51s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AMD Graphics Manager = "C:\\Users\\Admin\\AppData\\Roaming\\AMD Graphics Manager" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4664 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\System32\schtasks.exe |
| PID 4664 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AMD Graphics Manager" /tr "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 160.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| NL | 91.92.241.69:5555 | | tcp |
| US | 8.8.8.8:53 | 69.241.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
memory/4664-0-0x00007FFF0F373000-0x00007FFF0F375000-memory.dmp
memory/4664-1-0x00000000004C0000-0x00000000004D6000-memory.dmp
memory/4664-5-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp
memory/4664-6-0x000000001C990000-0x000000001CCE0000-memory.dmp
memory/4664-7-0x00007FFF0F373000-0x00007FFF0F375000-memory.dmp
memory/4664-8-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp
C:\Users\Admin\Desktop\ConvertRedo.ps1xml
| MD5 | 13daae583e2fe64ececed044df32def7 |
| SHA1 | 156cc09516932c67a74a7b50543ed0e379d9d49f |
| SHA256 | f9191596b5ad32609bd9a9f384fe9352b772708c6ec9e097359bdf2070541dca |
| SHA512 | ad07f3494fd743c6216ca359a7b3a67290b6f911fc8834dea606d99e0c2ac69914136f5b62e441490b564b152b6fcc46dcbcf6f1b4aacc15d13ecd2fbfbc665a |
C:\Users\Admin\Desktop\ConvertToInstall.midi
| MD5 | 011e27a735e2dce6cafa12cb122ef336 |
| SHA1 | f43d4cafc415524344949bc6c80ff486f7a5b038 |
| SHA256 | cab9399cf8727bb3c1d96d68def6e606b37dff0d42d36c68ca329cd96b9a8dd5 |
| SHA512 | 6616782564ec78cacc17b401ecad03e57176f14ea560474eb26e41a2572b590a1da8dcbc246f0147d42482554aa99fb1351c79e284d95a6327495dbf952acf8d |
C:\Users\Admin\Desktop\DebugRemove.mp4v
| MD5 | 7fe219c0a48434151981a6cb5445763e |
| SHA1 | 68068dd0777e2a9073950de9055878d0eb050334 |
| SHA256 | be62bc14f014915ce2486b7f40d2399717d49741ca81c57caf2d3987830bf5b5 |
| SHA512 | 983f76bf034da19a0b282f2380138abf84154a0c00e6e3bb75c46b3b617cb62d81e42f6da54d2dc83dac9669db33afb335f7f1599e6ee076caea7114a598f7e7 |
C:\Users\Admin\Desktop\EnableOptimize.svg
| MD5 | ef786e6b01fe700a0383ceb0cbba8ab0 |
| SHA1 | e41bddbeaa6ba3d009f88b1af99e641153ed6636 |
| SHA256 | 08f94ae3fc496775983310b2c15386845bdb7e66bc02c4ba51f95eff1e9520cc |
| SHA512 | c5193b0ec3cd26cc49fc34f77d1e2d689ae5926cd65cdf81b830332e580d04efc9ff3bb7403cc68c72d42beea97bed66b1be651f71fa7bec0e9904ed9ff2484f |
C:\Users\Admin\Desktop\EnableInvoke.search-ms
| MD5 | db8360e76d053ab9656c3ccf4a053cbd |
| SHA1 | 2f5af1bb69a4bb96ec42290c6a9ce517afee3953 |
| SHA256 | d65b707a15b28f15c25769e99dfb763037cf81cb45273a23b116a1f7bbe96aeb |
| SHA512 | 295da8381b39a76fce7275c8e7d7a55f347dacc9da0af1015111e03867fd141ab1b5137413516763d13ce282fc748a807517b4aeb88f2e964a831eadd7f1e7b5 |
C:\Users\Admin\Desktop\DisableExit.vstm
| MD5 | 43e39f8bcede388cb8166e9179fbb71a |
| SHA1 | d27f7397a75ff85b23374ec01f71d53ca622f2c0 |
| SHA256 | 3fef85837c11df00389945e23a8e5d21ed8164760a4f24d88468f2a012d871d6 |
| SHA512 | 2545e4bea2c4c202f8dc87bcf152c37d4657b4ac4ce7ca74daa3598a82463788ca315d24e13dcfa3a5a4b16c757bd3c6ec1972e3f2d9b708791a1265fa0fd0b8 |
C:\Users\Admin\Desktop\DisableConnect.ram
| MD5 | 56a07b258dab2208b9814fa70d5e2586 |
| SHA1 | c46c21af0e74167e996e53aa0c3d2686ea87de96 |
| SHA256 | bc46e7b72936400a397bb5bf26dbb5d8c872aa46ec08c9ba85a190c4a474653d |
| SHA512 | 8e760305dffa60d4d96b34b3c95346b0554ba254633d701e240fd715743885654879cf79558556a73d3f7ff29afa97d4983bd5d4470d262ee03242f79c9d3232 |
C:\Users\Admin\Desktop\GroupEnable.edrwx
| MD5 | 9c6018eb022f8db4a01dff92f2904493 |
| SHA1 | 8012e593408b6449e6a273ae794ce0636dd140d4 |
| SHA256 | 559f3200314c11efe517b13746913ad0f51347f4bd0cf4028149e69c4d6370ef |
| SHA512 | f976b8d053d13d47552575ef9c6b93ff6b1fa48f984e785f4c72b24dec83aa3e1b0c99ef8d611f2dc6dec5d180b2a982a4ce2d224c77a9ea013394b91449fc0c |
C:\Users\Admin\Desktop\HideRedo.exe
| MD5 | b526c7ab83e008c61e5ff61ad0d083ee |
| SHA1 | 4fb80a81f47187d96f73ef860cdc4bf309d30fa9 |
| SHA256 | ca2b100f84ce72b506abce33f69d95b1b1c06c81f2272d965e23d8929db68a94 |
| SHA512 | 0e68e3d26ebfaa772e6cd2d381ef88b3a3a97ee89c2d0c1f780d633664e2f1d8c5118b3ff53a2635a9d2dbab862af88aff0bd9ac317532018d5fd71c3c5eea55 |
C:\Users\Admin\Desktop\RegisterRevoke.avi
| MD5 | dd37ba32ba123c1275d7b1ca522603af |
| SHA1 | 7d18fb57788eedc86107e6f0ade432f41f82843f |
| SHA256 | a4effcb67215e5ca3c032be18125c42373ec22d1ee886a2e2ecb71d0d1506c1c |
| SHA512 | 2f31788691fa5f8f630fb115f0f782c98f0b45ac84d07483b6001791c7812095f29b29eba96851c9ba941f96491b4924d5a12245c79c954adb8b35d32a4388f7 |
C:\Users\Admin\Desktop\RedoMeasure.m1v
| MD5 | 4905e7d4a1c12366e4535695a936cdc0 |
| SHA1 | cd6a3ac5757134a5e197f8203dbf5f14cc0d2c4e |
| SHA256 | c112f59cc9066d8bf2dd9246186ce390bb3d1653556e6e3b3ea4760ce2f076aa |
| SHA512 | 4b77c6363ee9448e18273e81365143818bffbd17e71e6351761cb284c8c9c059d6db05ed7dfd36dc9a5b3ae41ca241bda8f5eaf886932d11ac41f31a5458ab22 |
C:\Users\Admin\Desktop\RepairCompress.mp4
| MD5 | ce27f762b22f82646224ca917c0609c9 |
| SHA1 | 432426491711977c1291a036afd13097e2261991 |
| SHA256 | dd71788e2169573797f0c1f137e77857dd23a4f0d81f48eec898ce6118a17fc6 |
| SHA512 | 13b842faeb25c94e1a58a902de47cf1d935fc9ee652a2fe7c087be49a7327b0f6dc0ccbe6ff60ebab54043c6c35c97fc0ed42318ba491ab1d29b140e04c8ecb5 |
C:\Users\Admin\Desktop\OpenBlock.M2V
| MD5 | 63b1ae3cc5b45806ca2614c48beaf2ff |
| SHA1 | c08e6679c379bf8f42dfb252e44f4c4499494635 |
| SHA256 | 7fe4d55c02deb1130669c01720de4fc1208a88c8f210278408fe9de08829df1e |
| SHA512 | 8d49d2c7379e1fab7de8453b2ff3508c699c61026b82801682003a143438311e9e81a90c3d496c4b4630eb2a4ab5436221d3d655b39e0de80134be7bda657445 |
C:\Users\Admin\Desktop\JoinTest.bmp
| MD5 | 8d4e7c7fccaec523b2c2a028db1ae72c |
| SHA1 | f6838997f44a05731493695012af1adc6df42675 |
| SHA256 | d4239200acea76100af25441ca60d9097927819e392e61aca58e79797fbcf955 |
| SHA512 | af2908cec589b15a46e45721ff3c5499d4408ab710edcd7bc046109444bfb6c337eb3e8d589717c048b7351c15df3841960b2f8713172a1b71f2e046305c3340 |
C:\Users\Admin\Desktop\UnpublishRegister.rtf
| MD5 | f42f79db66b8bcc199d80c7b80248e9b |
| SHA1 | c07bbdbf503e6f533c7a8f245710b491c30e7d5d |
| SHA256 | c0483e1d02a870dd5cb797d4db7098947e67af536b2527bec678f7679b734fbc |
| SHA512 | a090f60f336ed3e7a2e1d9d35f46e4b5fbe85db6467432d3401dddf9b522508a3f529683954e02a3e94c55a6f7ed52de8b84179f924c8cb89cee2b159828a440 |
C:\Users\Admin\Desktop\UnregisterOut.xhtml
| MD5 | 2960bd37980b8e3f6be10b907b1bad28 |
| SHA1 | 510ea032688cfdd2ef15b85872796cce3b3e6e4b |
| SHA256 | 0bc531b6624382f793a215ba2556a5c2d1592b3a996c671ac5a277045ab94385 |
| SHA512 | 3b77bc85df531ea98389c4ba566b5c5a3b585579c27963b0d11b40a080e7ec73a19cc4988830dbf38141047b8a5d6bf344ffc5d02aec8bf01490582c1e634f3d |
C:\Users\Admin\Desktop\StartEnable.xla
| MD5 | 03d3229fdd728c38c98564f180e59b7d |
| SHA1 | 8080eaac01f61d991c0d3ceb075bd8e1939197f4 |
| SHA256 | b783b6d6048d2afe1166e4131e0833f3eda9dd2b9589a470124e2f49395c1830 |
| SHA512 | 99a4f0034c615f78e66a29cd520d9ea0450b0e61f36ee4e567b2bcd871bb47be46ffbf631b18aad23bd9af63379717ae5b33ca72249a96ed5764611289e8625a |
C:\Users\Admin\Desktop\SplitResume.xlsb
| MD5 | 3d5c692b17169e3e7452b1498d9dc9d1 |
| SHA1 | c5cf29c5fc38af06951d368434356485e5d4d885 |
| SHA256 | b8dae58ff3fd3dd27ee036d8856c3796e60688ff4555fb031c6f16d1d4671bb0 |
| SHA512 | 631b73b60f9c2c9ca2cebe0bb758ac12007c461673d9ff9f2eb13bbfb2685d5c3eb44b9dda890fad3dd1eaeb9799bdd0b99efa090ea4220700e248acc074619d |
C:\Users\Admin\Desktop\SaveUnpublish.pptm
| MD5 | 04b4c6f58e79429a389b5fa2dff7327e |
| SHA1 | 2142454a3812e2f6eb94db3ab17a76919ac805ea |
| SHA256 | 7e605915c8e740624d72b43758337558fcb122e3469af9a76d0ee56b409c0526 |
| SHA512 | ab3bb4593f4834a34324981021bb7680c128ac84084af57ffad327181b80b0fb9bbf1a68f36029f818362c403e9623263e17c423b598761b39bd01bd21ed1134 |
C:\Users\Admin\Desktop\WriteBackup.sys
| MD5 | 071a784c0218e5797f33e089cb73df12 |
| SHA1 | 408c61221db6c2288e68afcf3e1821a10324b08e |
| SHA256 | d4b473dab850188de65ebd3f6474cdc261d22fe1c548261c2df6f99cf21fe02f |
| SHA512 | ed6b481d6a7f343e25363b7af07911933d67d3d19f98bb0ed7d846ce3328fe62602be936c6aacac0c5d563d664c5d90cdd2741fe182b7ae526f2b03cfa381cd0 |
C:\Users\Admin\Desktop\CloseSubmit.xml
| MD5 | 0355f1bce4ff09872c95fdbd917308ef |
| SHA1 | 3e59965a635a6a90470c72531ca0c58d3eee0150 |
| SHA256 | 7db497d4a400e6ae03f52ae04c790897b4cb7f39b969994c30f88e015befac2f |
| SHA512 | 8dd3bfb5d12d63621607febec356fd6b1a57012a2bd9e707583c0cb9a03e5bdc77ee4d7ce6711a3c9148fde1783f7d6ac506c25ab8f9dc90bfe4e5f6bc36fd08 |
C:\Users\Admin\Desktop\ApproveSearch.vsw
| MD5 | ccfc02fb9d15327232037daf7e71c83c |
| SHA1 | 19dcd73715035b6f7a68356cf3c28a5411b8dd91 |
| SHA256 | e70675a05005f2167480e201f7db4ec3923afc383275a4a2fe48af8530f0af83 |
| SHA512 | 4ee99a6d0d4c2771c14c1bc9c4bc514fbd96e58d58f277f447e5149f407876f6d66caa82b079ffb5f7752356f7ad2020a991d632370d4b6f35efa9f025e06dbf |
C:\Users\Admin\Desktop\ConfirmStart.cr2
| MD5 | dbf07c66680e1aec829703ae1b1371dd |
| SHA1 | 17217def413ed8685b5163e4e8cf414ba86a8576 |
| SHA256 | 44bbd6b54c023d896923437066cff3f51f497db369de3cc926c2a2c3e80308c9 |
| SHA512 | 846aa32f2c0c6b0984d6bf1befcc8d78fff47f7479e7d83118f385c7fab58d6797cd7a366c844c6eb98818d4f1b8028a9040f91ee822fe21c8d7437459fa6d28 |
C:\Users\Admin\Desktop\ExitCopy.gif
| MD5 | c16e59999345a206a4ecf71449a7495e |
| SHA1 | 49d8a76c0d80cdce5e41381a12fde978a707f82d |
| SHA256 | 1816d0c8f0142386fe99dbd4cce608ac6b457971bef2a816569b8bd2c4c7ffc6 |
| SHA512 | 1c172bd95452a2bf237e4c37b0e41a48ce6d349196aa9d243f524ff1158a7481869f4c7b2e70582fbb1a53a5932bbc28917b848157b7deca4d47117d9d8f572a |
C:\Users\Admin\Desktop\MoveInvoke.cfg
| MD5 | ed0f27e010cb15bb2d671e69f92e90ae |
| SHA1 | 89b66b31423842018b577d0bbed0131853654205 |
| SHA256 | 66af501897f25b3338cc1b9df2fba2fa4102d7fa51d1249e4527ec50d0994396 |
| SHA512 | 39b8e550f46ca2725e9f25d3e3ef09d5ac03ab9989a68775accb177bd3fd2cec4c27acd016491d74ae144c09d93812632bbc1f0d6e6615d0d6774b20b68c04b3 |
C:\Users\Admin\Desktop\SetUninstall.midi
| MD5 | 19e6ac0c825cd5729d59b0b49bc4eacb |
| SHA1 | cbaf4f6cadb5557988645a2d542bce715e016b0a |
| SHA256 | 7384a0fc1c8b67d88d3ecbb698cb36b8bc2a18bb632411b126192f64a7271fe4 |
| SHA512 | 98f7368f9a66ad044850cf515c3bf44811edec2ef3f697353c8792d7f67af36c5231f2a21234314067cc9358c8ebb4c4e234beceedf02937da8c6aefc33969f5 |
C:\Users\Admin\Desktop\SwitchWatch.xsl
| MD5 | 98400ef5a5ae00de992ca91ae39e508f |
| SHA1 | 65aa18d289983532f55cb5e150735f6e826a2f7c |
| SHA256 | 3f4992b833b2593a5d246f1324ef202c8ceef3263d192aa813e59001ff883b16 |
| SHA512 | 92f6edc21e0ea904895f3beddfe0b23cb8340723edb846798a6323009b9712fb6eea13d253aa4c886bd6ecdc66e45b39cbb35254ac1e10aff4a11b5bf7eb4e73 |
C:\Users\Admin\Desktop\PopLock.mht
| MD5 | de2db85b12821f63cdd8137f6e9c6384 |
| SHA1 | 4d30396365663681d102d25e4394cd9eb1b7c755 |
| SHA256 | 43b952b5580e1fdbbd33bce83d028e08a92cdd7cd461737e396c020683b14424 |
| SHA512 | edaccdf54776aebd1785633671c800ef0ec61ec830aa1c955b45b74afee837a9651eaa7abeb41d3243ca18ebddd123e3adefeaace49ff4d7c1e724bcbe1c5f68 |
C:\Users\Public\Desktop\Microsoft Edge.lnk
| MD5 | 5e3a30e37211dc112d71db9ce256aa91 |
| SHA1 | 9e445a33e5b380161803895c03fbc14c255b1cf2 |
| SHA256 | 07594c10497d5ac5d30c14d5145852e9968fd1db9697d2bbbfd3168a650443d8 |
| SHA512 | fa3480cd370b922ca2424bcc27de7cb412a0279e414341e4f43a7e0f0a6c9fca38fd7cf9efb38073e71003fc1a9e2ecf48605ea80adcbdd0a47457fe6b5564ad |
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
| MD5 | 248891795954a5044110d8a8ffcc47c0 |
| SHA1 | 6a689619d173927e7cd9d68fe82c4488a8e48fd7 |
| SHA256 | f8c95cfbfb7212fa48f0ab9954ba8866524a2ababd73b05781a8e5d8110afe40 |
| SHA512 | 9b6ceffc55b4d9fbcf3ce9deb0a2f7b711c5d11fe2426077da8265560c8ec4af10d8f0acb10ab5b8628c1564d847dfd7e3d73d0f268761e7c620f710777c9c6f |
C:\Users\Public\Desktop\VLC media player.lnk
| MD5 | dfa804ee98966419e5e7b317c173e318 |
| SHA1 | 06a25fd8eea568f548faac07b447f0e9088fa2de |
| SHA256 | 2a04d769c5da8ac9966237207d9e1ea04601484bc29e27cb075f93720f49b2d8 |
| SHA512 | 53264478963ef31705813e76a45771c3321036defeff8e6f6d9e4ab951b0027727787d21a1b6dadc92c69bdaf36200ca04835fb2210c99b7251e8a904730a9cb |
C:\Users\Public\Desktop\Firefox.lnk
| MD5 | 7313a00b87207b6bcbbff5f194100ab1 |
| SHA1 | 1f73f56a1f4aa0b42c918ab3aeecb94ccd455972 |
| SHA256 | c78509048450c9889ef9c8de63243d92c7592654698a9a1d1a12d3060abd168b |
| SHA512 | 8a53cd306d7eaeca1026bea54e5f4848b5af7f3b302027776d274c1611ffbd66cbb03beb26522a0c6ad34b21c94e9f7939de68e323b49690c7c6d8b4d62010b7 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 20ab116fcbdf4080137353e62641da2a |
| SHA1 | a84091901e19ad4aa2abd98e2c4b9cad30075730 |
| SHA256 | 0a1c5ea0a34c8d12d3d03990179bb491134c4f8be12da52517f26e032f54ffcd |
| SHA512 | c50c964bf5fd6b757c81dbd204d68f88007380c1a224b3e80b0074e6586b1ba19b664e73b2eadcdd30a3ada9d94aa515751420b7b818f160d67234724c3dd241 |