Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 10:52
Behavioral task
- behavioral1
  Sample: XClient.exe
  Resource: win7-20240611-en
General
- Target: XClient.exe
- Size: 63KB
- MD5: 1af87c02c7d2beea03afdebfb55d3b3b
- SHA1: 5e59b080f6a3bd74dff1522721ef2d2bbff5eb07
- SHA256: fb060dbdb5d300443a7137bf675cee66ab9b99d5f19701937bef7390097c1c5d
- SHA512: 90b86b74f4e640591f5c22bb14e8817b44189e6c66a2d791583f7366d93920e0cd69193050b77cf3941a1a276e5567118b9e1acf23c7321799a5a41674db9f93
- SSDEEP: 1536:H/0TA/AoeFLZf+3Enr/eoPAabDUd3Rm4sKpL8Ioi68LgOnfCK5e:pWF9gM/eaAabDqRrsKKsLgOnfCK5e
Malware Config
Extracted: xworm
- C2 addresses:
  - 127.0.0.1:23386
  - cameras-happen.gl.at.ply.gg:23386
- Install_directory: %AppData%
- install_file: XClient.exe
Signatures
- Detect Xworm Payload (1 IoC)
  Processes (resource | yara_rule):
    behavioral1/memory/2560-1-0x00000000010E0000-0x00000000010F6000-memory.dmp | family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid | process):
    2972 | powershell.exe
    2712 | powershell.exe
    2640 | powershell.exe
    2592 | powershell.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    2 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    2712 | powershell.exe
    2640 | powershell.exe
    2592 | powershell.exe
    2972 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2560 | XClient.exe
    Token: SeDebugPrivilege | 2712 | powershell.exe
    Token: SeDebugPrivilege | 2640 | powershell.exe
    Token: SeDebugPrivilege | 2592 | powershell.exe
    Token: SeDebugPrivilege | 2972 | powershell.exe
    Token: SeDebugPrivilege | 2560 | XClient.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process), each entry recorded 3 times in the report:
    PID 2560 wrote to memory of 2712 | 2560 | XClient.exe | powershell.exe (x3)
    PID 2560 wrote to memory of 2640 | 2560 | XClient.exe | powershell.exe (x3)
    PID 2560 wrote to memory of 2592 | 2560 | XClient.exe | powershell.exe (x3)
    PID 2560 wrote to memory of 2972 | 2560 | XClient.exe | powershell.exe (x3)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  ([1] and [2] are the process-tree depth markers from the report: [2] entries are children of the [1] entry.)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 5993730c159fd95348319d1991a64f3f
  SHA1: 12c8fb7e5837e7bc76e90877e846bb68fdf184fa
  SHA256: 2f730fc059a636b68375a0638b59fd170153ce4a2c0003767d125d3f4b6e8896
  SHA512: e0ba21e70b73eb417c014e7136aeb6e7912e7ccad57a5338b7446a6dc124a6f93e05ed4199ba8648eab43428f5229b81b460502b7128de3922ff3fff7b85ecfb
- memory/2560-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp
  Filesize: 4KB
- memory/2560-1-0x00000000010E0000-0x00000000010F6000-memory.dmp
  Filesize: 88KB
- memory/2560-2-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
  Filesize: 9.9MB
- memory/2560-30-0x000007FEF5253000-0x000007FEF5254000-memory.dmp
  Filesize: 4KB
- memory/2560-31-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
  Filesize: 9.9MB
- memory/2640-14-0x000000001B600000-0x000000001B8E2000-memory.dmp
  Filesize: 2.9MB
- memory/2640-15-0x00000000020D0000-0x00000000020D8000-memory.dmp
  Filesize: 32KB
- memory/2712-7-0x000000001B6A0000-0x000000001B982000-memory.dmp
  Filesize: 2.9MB
- memory/2712-8-0x0000000002000000-0x0000000002008000-memory.dmp
  Filesize: 32KB