Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/06/2024, 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    184KB

  • MD5

    1e8e3d1ea4d6a65d0207186979832cb9

  • SHA1

    9c4626b99ede4ea3ea2a746d2e687caf9955698c

  • SHA256

    b41f48f860bd9d992029986c081ca5ddbb3adf91910bf11aee9af8606829e2a3

  • SHA512

    8e9a7c62c17274ba0956bf066eea75ce79466d8e04a53fda0176834dced8e97f9da4075bcc6b5f7bde78323ce9bb183878b28b95f1ba255a2a1d1676642a4edd

  • SSDEEP

    3072:nKPGNe+bZnCRZOTkdl4NpVq8BxFRzaqF+o2GQJ7/JzqVfGvp:nKPCHbt0m+lgVqwlL

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/Xei4S8Yz

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6d42b6da621e8df5674e26b799c8e2aa

    SHA1

    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

    SHA256

    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

    SHA512

    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    4970161af3af5fd3d0f5bdad3da90370

    SHA1

    6ed3452eeb4b2462580536bdc16eacac79ec633d

    SHA256

    fc139f174b19e9d14f22b77b3af02a7ac4f5a9bbcb2ca57a6a3831e4f160f2bd

    SHA512

    174e5af173ac84ecf69306c6e18b6c1c86968be5025d575499c0745e3d7ad77fbbf21268bfb65e7af7dcf1e7b05d64687112561ff772c7379bf7a345fe81eecd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    4165c906a376e655973cef247b5128f1

    SHA1

    c6299b6ab8b2db841900de376e9c4d676d61131e

    SHA256

    fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4

    SHA512

    15783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f0sfw2rk.uga.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/428-0-0x00007FF8D81B3000-0x00007FF8D81B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/428-1-0x0000000000910000-0x0000000000944000-memory.dmp

    Filesize

    208KB

    Download

  • memory/428-57-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/428-58-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/468-13-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/468-14-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/468-17-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/468-12-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/468-2-0x000002905AC30000-0x000002905AC52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2352-52-0x000001EDAF870000-0x000001EDAFA8C000-memory.dmp

    Filesize

    2.1MB

    Download