Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 12:47
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
XClient.exe
Resource
win10v2004-20240508-en
General
-
Target
XClient.exe
-
Size
60KB
-
MD5
0f803689398c092ad9ae274d5c7507d6
-
SHA1
693161863fa62cb65e7f3102d55087a9bf816889
-
SHA256
0c336bb9258f45ded239bfd2a721a779c3a467cfd177d9ab75841d6eb61d2a8a
-
SHA512
1fed05b278b8243c1e45c34a1eca78492fb24d18296feac978bd54528359d2c07a783bff434921a26a96ba122a8dc9da6d00b9cdda09c6c8569910d0472080f8
-
SSDEEP
1536:b5GHtqKStfgDGVHc08kbsXHZBgGOq+k6Z:lGNqrIDK8kbsXLOq+bZ
Malware Config
Extracted
xworm
91.92.241.69:5555
-
Install_directory
%AppData%
-
install_file
AMD Graphics Manager.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1276-1-0x0000000000DA0000-0x0000000000DB6000-memory.dmp family_xworm -
Drops startup file 2 IoCs
Processes:
XClient.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk XClient.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
XClient.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\AMD Graphics Manager = "C:\\Users\\Admin\\AppData\\Roaming\\AMD Graphics Manager" XClient.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
XClient.exedescription pid process Token: SeDebugPrivilege 1276 XClient.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
XClient.exedescription pid process target process PID 1276 wrote to memory of 2204 1276 XClient.exe schtasks.exe PID 1276 wrote to memory of 2204 1276 XClient.exe schtasks.exe PID 1276 wrote to memory of 2204 1276 XClient.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AMD Graphics Manager" /tr "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"2⤵
- Creates scheduled task(s)
PID:2204
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {F9C61D30-1092-42C9-A435-20EFC0B8E938} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]1⤵PID:1588