Analysis Overview
SHA256
55c256c6d8ba0ed731f3fcfe5c2f25c0020b92167b1bc84cd286da660a64cce5
Threat Level: Known bad
The file XClient.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Xworm
Detect Xworm Payload
Looks up external IP address via web service
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-09 21:12
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 21:12
Reported
2024-06-09 21:15
Platform
win7-20240508-en
Max time kernel
141s
Max time network
142s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | lower-fisheries.gl.at.ply.gg | udp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
Files
memory/1712-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp
memory/1712-1-0x00000000009B0000-0x00000000009C0000-memory.dmp
memory/1712-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
memory/1712-3-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp
memory/1712-4-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 21:12
Reported
2024-06-09 21:15
Platform
win10v2004-20240226-en
Max time kernel
29s
Max time network
142s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lower-fisheries.gl.at.ply.gg | udp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
| US | 147.185.221.18:45093 | lower-fisheries.gl.at.ply.gg | tcp |
Files
memory/1844-0-0x00007FFE8AC03000-0x00007FFE8AC05000-memory.dmp
memory/1844-1-0x0000000000B20000-0x0000000000B30000-memory.dmp
memory/1844-2-0x00007FFE8AC00000-0x00007FFE8B6C1000-memory.dmp
memory/1844-3-0x00007FFE8AC03000-0x00007FFE8AC05000-memory.dmp
memory/1844-4-0x00007FFE8AC00000-0x00007FFE8B6C1000-memory.dmp