Analysis
- max time kernel: 21s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 11-06-2024 14:20
Behavioral tasks
- behavioral1: sample XClient.exe, resource win7-20240221-en
- behavioral2: sample XClient.exe, resource win10v2004-20240508-en
General
- Target: XClient.exe
- Size: 70KB
- MD5: 45a868fd095bf97ba50c936b00ecc995
- SHA1: 1ffaa4e2781766ce742ac06edc7ec98524d036dc
- SHA256: 5feb1e0d222f4739b4ad6734f4c817c683cebf5a9b3d9641827790a3f0fc3558
- SHA512: 3375aacb66c8c161cf75b6bcd03cd6c336f9af022c3cf4cf371f40b88ccf28ce0200c42a72a72b3a7d0aebdbcc1dc78cded10b8e6669ab8d602152341fad7ffa
- SSDEEP: 1536:/67XKajAKywh1pW2+knubbST0e56ai6XOKfhe9Y32:/IwK/hLW2bubbSxUa7OKZe9G2
Malware Config
Extracted
- Family: xworm
- Version: 3.1
- C2: 0.tcp.eu.ngrok.io:11713
- Install_directory: %AppData%
- install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource / yara_rule:
- behavioral1/memory/1964-1-0x0000000000D90000-0x0000000000DA8000-memory.dmp: family_xworm
- behavioral1/files/0x00110000000054ab-28.dat: family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / process:
- 2648 powershell.exe
- 2544 powershell.exe
- 1740 powershell.exe

Drops startup file (2 IoCs)
description / ioc / process:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (XClient.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (XClient.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / process:
- Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" (XClient.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
flow / ioc:
- 6: 0.tcp.eu.ngrok.io

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- 4: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / process:
- 1196 schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid / process:
- 2648 powershell.exe
- 2544 powershell.exe
- 1740 powershell.exe
- 1964 XClient.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description / pid / process:
- Token: SeDebugPrivilege, 1964 XClient.exe
- Token: SeDebugPrivilege, 2648 powershell.exe
- Token: SeDebugPrivilege, 2544 powershell.exe
- Token: SeDebugPrivilege, 1740 powershell.exe
- Token: SeDebugPrivilege, 1964 XClient.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid / process:
- 1964 XClient.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / process / procid_target:
- PID 1964 wrote to memory of 2648 (1964 XClient.exe, procid_target 29)
- PID 1964 wrote to memory of 2648 (1964 XClient.exe, procid_target 29)
- PID 1964 wrote to memory of 2648 (1964 XClient.exe, procid_target 29)
- PID 1964 wrote to memory of 2544 (1964 XClient.exe, procid_target 31)
- PID 1964 wrote to memory of 2544 (1964 XClient.exe, procid_target 31)
- PID 1964 wrote to memory of 2544 (1964 XClient.exe, procid_target 31)
- PID 1964 wrote to memory of 1740 (1964 XClient.exe, procid_target 33)
- PID 1964 wrote to memory of 1740 (1964 XClient.exe, procid_target 33)
- PID 1964 wrote to memory of 1740 (1964 XClient.exe, procid_target 33)
- PID 1964 wrote to memory of 1196 (1964 XClient.exe, procid_target 35)
- PID 1964 wrote to memory of 1196 (1964 XClient.exe, procid_target 35)
- PID 1964 wrote to memory of 1196 (1964 XClient.exe, procid_target 35)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 1964, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2648, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2544, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1740, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 1196, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: f14eb29987f153d8285bca31017134dc
  SHA1: b767c8583a9e48316b21cf26cb80a72c160e7f1a
  SHA256: b1c25dea25e5221e524235646599cc2c2cae616069b3cf1d3eeaafb7a4f5d509
  SHA512: 468c6017e10006f0a4f3d37f2b520a5cc1f98ab9f1a3d782194687c4a8cd06c0aaa58feb4c3250cc1dac26c861902a518e150154a65bec2570079aadd4fc9db2
- (no path recorded; hashes match the submitted sample XClient.exe)
  Filesize: 70KB
  MD5: 45a868fd095bf97ba50c936b00ecc995
  SHA1: 1ffaa4e2781766ce742ac06edc7ec98524d036dc
  SHA256: 5feb1e0d222f4739b4ad6734f4c817c683cebf5a9b3d9641827790a3f0fc3558
  SHA512: 3375aacb66c8c161cf75b6bcd03cd6c336f9af022c3cf4cf371f40b88ccf28ce0200c42a72a72b3a7d0aebdbcc1dc78cded10b8e6669ab8d602152341fad7ffa