Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 18:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    63KB

  • MD5

    c2058bfb9380ae354b33da22fe97e02b

  • SHA1

    4b5fa6ec3a8516bd53e3c9f621fa87e29f3cc093

  • SHA256

    e1480985f20d0d0e34970f2e3cb53de25916914fe4a3c64e623c20d5761412dd

  • SHA512

    b04669a8a227b269401dfa71c7cce9b4f68906c69a758a951b383c6de6ff363cde0299850ead2401004ef6c4f2ef918096efb909472397dac7895c8fd4df5d82

  • SSDEEP

    1536:Q4ckojUwW22txOzlp0yDb+YqdJBGcf6yJJbiOhk4lW:QfvUwWJIb+LHBTBJQOhtlW

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

https://pastebin.com/J9pCmv2b:123456789

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/J9pCmv2b

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    4f55f49c24533eebdcad31ba165c69c7

    SHA1

    222559c0cd0d8d1d0f88e1b346efe4119b3ddefe

    SHA256

    50e1c27d9b80e8ccfbf7c5fd2ca6df8e835c1912e7b29f05bc6a2f41b75c29aa

    SHA512

    51e4cf4554c9e3ef918a348ccc5d6c3165e075ee29af28e8742685b0c55f4a5ded51c41916757ad758dd6269bb9f1e00ec18e60b37f4ecbb0eea8aba91aed6f2

    Download Submit

  • memory/1784-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-1-0x0000000001250000-0x0000000001266000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1784-2-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1784-31-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-32-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1880-14-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1880-15-0x0000000002490000-0x0000000002498000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2752-7-0x000000001B370000-0x000000001B652000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2752-8-0x0000000002490000-0x0000000002498000-memory.dmp

    Filesize

    32KB

    Download