Analysis Overview
SHA256
73a25e9ea9ab8041e1cf327ec49c93fccb61b740c671342d0988b4aea4234a0f
Threat Level: Known bad
The file XClient (1).exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Xworm family
Loads dropped DLL
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-09 21:31
Signatures
Detect Xworm Payload (no indicator rows)
Xworm family
Unsigned PE (no indicator rows; the file carries no Authenticode signature)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 21:31
Reported
2024-06-09 21:42
Platform
win7-20240419-en
Max time kernel
161s
Max time network
161s
Command Line: (none recorded)
Signatures
Detect Xworm Payload (no indicator rows)
Xworm
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Only the first row is attributable to the sample: SeDebugPrivilege enabled by a binary running from the user's Temp folder. The AUDIODG.EXE rows are the Windows audio device graph isolation process adjusting its own working-set and base-priority privileges, routine background activity of the analysis VM.
Processes
C:\Users\Admin\AppData\Local\Temp\XClient (1).exe
"C:\Users\Admin\AppData\Local\Temp\XClient (1).exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x53c
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network (20.ip.gl.ply.gg is a playit.gg tunnel hostname, so 147.185.221.20:17450 is the tunnel's public endpoint rather than the operator's own host; the durable indicator is the hostname and port pair, and the same endpoint recurs in every detonation below. The repeated TCP rows are reconnect attempts to that endpoint.)
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.ip.gl.ply.gg | udp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
Files
memory/2220-0-0x000007FEF4EB3000-0x000007FEF4EB4000-memory.dmp
memory/2220-1-0x0000000000F60000-0x0000000000F6E000-memory.dmp
memory/2220-2-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp
memory/2220-3-0x000007FEF4EB3000-0x000007FEF4EB4000-memory.dmp
memory/2220-4-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp
memory/2220-5-0x0000000000B40000-0x0000000000B4C000-memory.dmp
memory/2220-6-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp
memory/1900-7-0x0000000002D90000-0x0000000002D91000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 21:31
Reported
2024-06-09 21:42
Platform
win10-20240404-en
Max time kernel
121s
Max time network
122s
Command Line: (none recorded)
Signatures
Detect Xworm Payload (no indicator rows)
Xworm
Modifies data under HKEY_USERS (every row is LogonUI.exe writing DWM accent-colour values under HKU\.DEFAULT when the lock screen is shown; background activity of the analysis VM, not sample behaviour)
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
Suspicious use of SetWindowsHookEx (LogonUI.exe only; the table records no hook installed by the sample)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\XClient (1).exe
"C:\Users\Admin\AppData\Local\Temp\XClient (1).exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae4055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.ip.gl.ply.gg | udp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
memory/5036-0-0x00007FFDC0CF3000-0x00007FFDC0CF4000-memory.dmp
memory/5036-1-0x00000000004A0000-0x00000000004AE000-memory.dmp
memory/5036-2-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp
memory/5036-3-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp
memory/5036-4-0x0000000002580000-0x000000000258C000-memory.dmp
memory/5036-5-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-09 21:31
Reported
2024-06-09 21:43
Platform
win10v2004-20240508-en
Max time kernel
192s
Max time network
194s
Command Line: (none recorded)
Signatures
Detect Xworm Payload (no indicator rows)
Xworm
Checks processor information in registry (read together with the BIOS values below, the CPU Identifier string is commonly used to fingerprint virtual machines and sandboxes before the payload commits to its main behaviour)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
Enumerates system info in registry (BIOS vendor, release date and product name are the values whose hypervisor-specific strings give a VM away; this is the sample itself reading them, unlike the LogonUI rows that follow)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
Modifies data under HKEY_USERS (every row is LogonUI.exe writing DWM accent-colour values under HKU\.DEFAULT when the lock screen is shown; background activity of the analysis VM, not sample behaviour)
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "137" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
Suspicious use of SetWindowsHookEx (LogonUI.exe only; the table records no hook installed by the sample)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\XClient (1).exe
"C:\Users\Admin\AppData\Local\Temp\XClient (1).exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4432,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3952855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.ip.gl.ply.gg | udp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
Files
memory/2080-0-0x00007FFDA3233000-0x00007FFDA3235000-memory.dmp
memory/2080-1-0x0000000000640000-0x000000000064E000-memory.dmp
memory/2080-2-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp
memory/2080-3-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp
memory/2080-4-0x0000000000F30000-0x0000000000F3C000-memory.dmp
memory/2080-5-0x0000000002830000-0x000000000283C000-memory.dmp
memory/2080-6-0x000000001D060000-0x000000001D588000-memory.dmp
memory/2080-7-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-09 21:31
Reported
2024-06-09 21:50
Platform
win11-20240508-en
Max time kernel
581s
Max time network
601s
Command Line: (none recorded)
Signatures
Detect Xworm Payload (no indicator rows)
Xworm
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
The AUDIODG.EXE rows are background activity of the analysis VM; the XClient (1).exe and whoami.exe rows belong to the sample's process chain shown under Processes below.
Suspicious use of WriteProcessMemory (each pair of rows records a parent writing into a child it had just created: XClient (1).exe spawned CMD.EXE, which spawned whoami.exe; read together with the Processes list below, the sample ran a command shell that executed whoami)
| Description | Indicator | Process | Target |
| PID 240 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | C:\Windows\SYSTEM32\CMD.EXE |
| PID 240 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | C:\Windows\SYSTEM32\CMD.EXE |
| PID 3012 wrote to memory of 2468 | N/A | C:\Windows\SYSTEM32\CMD.EXE | C:\Windows\system32\whoami.exe |
| PID 3012 wrote to memory of 2468 | N/A | C:\Windows\SYSTEM32\CMD.EXE | C:\Windows\system32\whoami.exe |
Uses Task Scheduler COM API (no indicator rows)
Processes
C:\Users\Admin\AppData\Local\Temp\XClient (1).exe
"C:\Users\Admin\AppData\Local\Temp\XClient (1).exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D0
C:\Windows\SYSTEM32\CMD.EXE
"CMD.EXE"
C:\Windows\system32\whoami.exe
whoami
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.ip.gl.ply.gg | udp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| IE | 52.111.236.21:443 | | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
| US | 147.185.221.20:17450 | 20.ip.gl.ply.gg | tcp |
Files
memory/240-0-0x00007FF949803000-0x00007FF949805000-memory.dmp
memory/240-1-0x0000000000FE0000-0x0000000000FEE000-memory.dmp
memory/240-2-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp
memory/240-3-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp
memory/240-4-0x0000000003110000-0x000000000311C000-memory.dmp
memory/240-5-0x000000001C0B0000-0x000000001C0EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp576.tmp
| MD5 | 1b942faa8e8b1008a8c3c1004ba57349 |
| SHA1 | cd99977f6c1819b12b33240b784ca816dfe2cb91 |
| SHA256 | 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc |
| SHA512 | 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43 |
memory/240-10-0x000000001D9A0000-0x000000001DA2E000-memory.dmp
memory/240-11-0x000000001CC50000-0x000000001CC86000-memory.dmp
memory/240-12-0x000000001C150000-0x000000001C15A000-memory.dmp
memory/240-13-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp
memory/240-14-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp
memory/240-15-0x000000001CCF0000-0x000000001CCFA000-memory.dmp
memory/240-16-0x000000001CD00000-0x000000001CD0A000-memory.dmp
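Taken together, the four detonations show one consistent chain: a binary in the user's Temp folder enables SeDebugPrivilege, reads the CPU and BIOS identification keys, resolves a .ply.gg tunnel hostname, connects to 147.185.221.20:17450 and, in behavioral4, spawns CMD.EXE which runs whoami. The Python below turns those observations into triage rules and runs them over constructed telemetry events that mirror this report. It is an added example, not sandbox output and not code from the XWorm project; the flat event schema is invented for the illustration (comments name the real source each field would normally come from), and the LogonUI.exe and AUDIODG.EXE rows are included as negative cases so the rules are shown ignoring the background noise discussed above.

```python
"""Triage rules distilled from the XWorm detonations in this report, run over
constructed telemetry events. Added example; the event schema is hypothetical
and the indicators are copied from the report."""
from __future__ import annotations
import re
from collections import defaultdict

# Indicators taken from the report above.
C2_HOST = "20.ip.gl.ply.gg"
C2_ENDPOINT = ("147.185.221.20", 17450)
TUNNEL_SUFFIX = ".ply.gg"            # playit.gg tunnel hostnames
FINGERPRINT_KEYS = (                 # keys the sample read in behavioral3
    r"hardware\description\system\centralprocessor\0",
    r"hardware\description\system\bios",
)
# A binary executing from the user's Temp folder, as XClient (1).exe did.
TEMP_BINARY = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def from_temp(image: str) -> bool:
    """True when the image path lies under %LOCALAPPDATA%\\Temp."""
    return bool(TEMP_BINARY.match(image))


def triage(events: list[dict]) -> dict[str, list[int]]:
    """Return {rule_name: [pids]} for every rule that fires on the events."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    hits: dict[str, list[int]] = defaultdict(list)

    def parent(e: dict | None) -> dict | None:
        return by_pid.get(e.get("ppid")) if e else None

    for e in events:
        t = e["type"]
        if t == "dns" and e["query"].lower().endswith(TUNNEL_SUFFIX):
            hits["dns-playit-tunnel"].append(e["pid"])            # Sysmon event 22
        elif t == "connect" and (e["dst_ip"], e["dst_port"]) == C2_ENDPOINT:
            hits["net-xworm-c2"].append(e["pid"])                 # Sysmon event 3
        elif t == "privilege" and "SeDebugPrivilege" in e["enabled"] and from_temp(e["image"]):
            hits["sedebug-from-temp"].append(e["pid"])            # Security log 4703
        elif t == "regread" and from_temp(e["image"]) and any(
                k in e["key"].lower() for k in FINGERPRINT_KEYS):
            hits["reg-hw-fingerprint"].append(e["pid"])           # EDR registry telemetry
        elif t == "process":                                      # Sysmon event 1
            img = e["image"].lower()
            p, gp = parent(e), parent(parent(e))
            if img.endswith(r"\cmd.exe") and p and from_temp(p["image"]):
                hits["shell-from-temp"].append(e["pid"])
            if (img.endswith(r"\whoami.exe") and p and p["image"].lower().endswith(r"\cmd.exe")
                    and gp and from_temp(gp["image"])):
                hits["recon-via-temp-shell"].append(e["pid"])
    return dict(hits)


# Constructed events modelled on behavioral3 and behavioral4 (not real logs).
XCLIENT = r"C:\Users\Admin\AppData\Local\Temp\XClient (1).exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 240, "ppid": 1000, "image": XCLIENT},
    {"type": "privilege", "pid": 240, "image": XCLIENT, "enabled": ["SeDebugPrivilege"]},
    {"type": "regread", "pid": 240, "image": XCLIENT,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion"},
    {"type": "dns", "pid": 240, "query": C2_HOST},
    {"type": "connect", "pid": 240, "dst_ip": "147.185.221.20", "dst_port": 17450},
    {"type": "process", "pid": 3012, "ppid": 240, "image": r"C:\Windows\SYSTEM32\CMD.EXE"},
    {"type": "process", "pid": 2468, "ppid": 3012, "image": r"C:\Windows\system32\whoami.exe"},
    # Background noise seen in the detonations; none of it should fire a rule.
    {"type": "privilege", "pid": 1900, "image": r"C:\Windows\system32\AUDIODG.EXE",
     "enabled": ["SeIncreaseWorkingSetPrivilege", "SeIncBasePriorityPrivilege"]},
    {"type": "dns", "pid": 4, "query": "20.221.185.147.in-addr.arpa"},
    {"type": "process", "pid": 700, "ppid": 600, "image": r"C:\Windows\system32\LogonUI.exe"},
]

if __name__ == "__main__":
    for rule, pids in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{rule:24s} pids={pids}")
```

The process rules deliberately key on ancestry rather than on the file name XClient (1).exe, because the name changes from build to build while the shape of the chain (Temp-folder binary, shell, recon command) does not. The network rules are the cheapest to deploy but also the most perishable: a playit.gg tunnel can be re-provisioned, so the hostname and port pair should be treated as a point-in-time indicator.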