Analysis
- max time kernel: 72s
- max time network: 70s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 31-05-2024 12:42
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win10v2004-20240508-en
General
- Target: XClient.exe
- Size: 60KB
- MD5: 0f803689398c092ad9ae274d5c7507d6
- SHA1: 693161863fa62cb65e7f3102d55087a9bf816889
- SHA256: 0c336bb9258f45ded239bfd2a721a779c3a467cfd177d9ab75841d6eb61d2a8a
- SHA512: 1fed05b278b8243c1e45c34a1eca78492fb24d18296feac978bd54528359d2c07a783bff434921a26a96ba122a8dc9da6d00b9cdda09c6c8569910d0472080f8
- SSDEEP: 1536:b5GHtqKStfgDGVHc08kbsXHZBgGOq+k6Z:lGNqrIDK8kbsXLOq+bZ
Malware Config
Extracted: xworm
- 91.92.241.69:5555 (C2 host:port)
- Install_directory: %AppData%
- install_file: AMD Graphics Manager.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3904-0-0x0000000000300000-0x0000000000316000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Roaming\AMD Graphics Manager | family_xworm
- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk | XClient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk | XClient.exe
- Executes dropped EXE (1 IoC)
  pid | process
  3052 | AMD Graphics Manager
  Note: the dropped file is written as "AMD Graphics Manager" with no extension, although the extracted config names the install file "AMD Graphics Manager.exe"; the YARA hit and the Run key value above both show the extensionless path.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\AMD Graphics Manager = "C:\\Users\\Admin\\AppData\\Roaming\\AMD Graphics Manager" | XClient.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. The command line is in the process list below: a task named "AMD Graphics Manager" that re-runs the dropped file every minute with the highest run level available to the user's token.
- Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
  Note: MiniSearchHost.exe is a Windows system app (see its SystemApps path in the process list) running as a top-level process, not a child of the sample; this hit and the SetWindowsHookEx hit below are environment noise, not sample behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3904 | XClient.exe
  Token: SeDebugPrivilege | 3052 | AMD Graphics Manager
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1600 | MiniSearchHost.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | process | target process
  PID 3904 wrote to memory of 1392 | 3904 | XClient.exe | schtasks.exe
  PID 3904 wrote to memory of 1392 | 3904 | XClient.exe | schtasks.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe (depth 1, PID 3904)
  command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe (depth 2, PID 1392, child of 3904)
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AMD Graphics Manager" /tr "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"
    - Creates scheduled task(s)
    Switches: /create /f registers the task and overwrites any existing task of the same name; /sc minute /mo 1 triggers it every minute; /RL HIGHEST runs it at the highest privilege level the user's token allows; /tn is the task name; /tr is the action, here the extensionless dropped copy in %AppData%.
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe (depth 1, PID 1600)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\AMD Graphics Manager (depth 1, PID 3052)
  command line: "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  Started as a top-level process rather than as a child of XClient.exe, which is consistent with the scheduled task launching it.
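Added example, not part of the sandbox report or of the XWorm sample: Python detection logic that scores Sysmon-style events for the three persistence actions recorded above, the schtasks command line from the process list (every-minute trigger, /RL HIGHEST, action in %AppData% with no file extension), the Run key value, and the Startup .lnk. The event dicts and their field names are a constructed stand-in for Sysmon event IDs 1, 11 and 13, not a real Sysmon schema; the two benign events are constructed controls, and the parse/score heuristics are mine.

```python
"""Flag the persistence actions this report records (Run key, Startup .lnk,
high-frequency schtasks) in Sysmon-style events.

Added example, not sandbox output. Event dicts (fields: event, pid, ppid,
image, cmdline, target, data, path) are a constructed stand-in for Sysmon
event IDs 1, 11 and 13. The schtasks command line, Run key and .lnk path are
copied from the report; the two benign events are constructed controls."""
import re

_TOKEN = re.compile(r'"[^"]*"|\S+')
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_schtasks(cmdline: str) -> dict[str, str]:
    """Map schtasks.exe switches to values, e.g. {'/create': 'True', '/rl': 'HIGHEST'}.
    A token starting with '/' is a switch; the next token is its value unless it is
    itself a switch. Quotes are stripped and the image path (token 0) is skipped."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    args: dict[str, str] = {}
    i = 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1]
                i += 1
            else:
                args[key] = "True"
        i += 1
    return args


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def schtasks_reasons(cmdline: str) -> list[str]:
    """Reasons a schtasks.exe invocation looks like malware persistence (empty = benign)."""
    a = parse_schtasks(cmdline)
    reasons: list[str] = []
    if "/create" not in a:
        return reasons
    if a.get("/sc", "").lower() == "minute":
        mo = a.get("/mo", "1")               # schtasks defaults /mo to 1 for /sc minute
        every = int(mo) if mo.isdigit() else 1
        if every <= 5:
            reasons.append(f"runs every {every} minute(s)")
    if a.get("/rl", "").upper() == "HIGHEST":
        reasons.append("requests highest run level")
    action = a.get("/tr", "")
    if in_user_writable(action):
        reasons.append("action lives in a user-writable profile directory")
    if action and not re.search(r"\.[A-Za-z0-9]{1,4}$", action.split("\\")[-1]):
        reasons.append("action has no file extension")
    return reasons


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, reason) pairs; schtasks findings are charged to the parent that spawned it."""
    findings: list[tuple[int, str]] = []
    for ev in events:
        if ev["event"] == "process_create" and ev["image"].lower().endswith("\\schtasks.exe"):
            findings += [(ev["ppid"], f"schtasks: {r}") for r in schtasks_reasons(ev["cmdline"])]
        elif ev["event"] == "registry_set" and RUN_KEY in ev["target"].lower():
            if in_user_writable(ev["data"]):
                findings.append((ev["pid"], "Run key points into the user profile"))
        elif ev["event"] == "file_create" and STARTUP_DIR in ev["path"].lower():
            findings.append((ev["pid"], "file dropped in Startup folder"))
    return findings


EVENTS = [
    # report: schtasks.exe (PID 1392) spawned by XClient.exe (PID 3904)
    {"event": "process_create", "pid": 1392, "ppid": 3904,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "AMD Graphics Manager" /tr "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"'},
    # report: "Adds Run key to start application"
    {"event": "registry_set", "pid": 3904,
     "target": r"\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\AMD Graphics Manager",
     "data": r"C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"},
    # report: "Drops startup file"
    {"event": "file_create", "pid": 3904,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk"},
    # constructed benign controls (not from the report)
    {"event": "process_create", "pid": 4100, "ppid": 700,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc daily /st 03:00 /tn "VendorUpdate" /tr "C:\Program Files\Vendor\updater.exe"'},
    {"event": "registry_set", "pid": 5200,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "data": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for pid, reason in scan(EVENTS):
        print(pid, reason)
```

All six findings land on PID 3904 because the schtasks hits are charged to the parent that spawned schtasks.exe, which matches the WriteProcessMemory rows above; the two control events produce nothing. The switch parser takes only the first token after /tr, so a task action passed together with its own arguments would need a quoted-string-aware split, and the no-extension heuristic is a tie-breaker rather than a standalone signal.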
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5: 18951ad4190ed728ba23e932e0c6e0db
  SHA1: fa2d16fcbc3defd07cb8f21d8ea4793a21f261f0
  SHA256: 66607b009c345a8e70fc1e58ab8a13bbea0e370c8d75f16d2cce5b876a748915
  SHA512: a67237089efa8615747bdc6cfe0afc977dc54cfd624a8d2e5124a441c204f1ec58ee7cfbbc105ddc2c18d4f254b9e124d71630bcdba0253d41a96890104f2fff
  (cache file belonging to the MiniSearchHost.exe package listed above, not sample activity)
- (path not recorded)
  Filesize: 60KB
  MD5: 0f803689398c092ad9ae274d5c7507d6
  SHA1: 693161863fa62cb65e7f3102d55087a9bf816889
  SHA256: 0c336bb9258f45ded239bfd2a721a779c3a467cfd177d9ab75841d6eb61d2a8a
  SHA512: 1fed05b278b8243c1e45c34a1eca78492fb24d18296feac978bd54528359d2c07a783bff434921a26a96ba122a8dc9da6d00b9cdda09c6c8569910d0472080f8
  (all four hashes match the submitted XClient.exe)