Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 23:05
Behavioral task behavioral1: sample XClient.exe, resource win7-20231129-en
Behavioral task behavioral2: sample XClient.exe, resource win10v2004-20240611-en
General
Target: XClient.exe
Size: 71KB
MD5: b82626cc0347f048f8da43fb67033b74
SHA1: 2a5ea2cc17682a0750b4d9f9ab84c53e20ab49c9
SHA256: da823b302bfe968cb38012247306efe78d3de49dfd2e46988222edd92bae4599
SHA512: 434d1d159ef525ca5fce31d88499cce87e1d9620c906f465e245a711a6f44b6c85838d87d4c76f4efd2ae4364be3fdbb51e4e262dd3eab12b7ac0c528b8d123a
SSDEEP: 1536:YSZYQ7TuBPAcJzvtC5mQWtKSEzhdAb0Yd/JFwNNm+2WOEjPQ59GRV:YSr8lEWtysb0YLFwNNm+ZOEjP3V
Malware Config
Extracted
Family: xworm
C2: runderscore00-25851.portmap.host:25851
Install_directory: %ProgramData%
install_file: USB.exe
Signatures

Detect Xworm Payload (5 IoCs)
resource | yara_rule
behavioral1/memory/2168-1-0x0000000000320000-0x0000000000338000-memory.dmp | family_xworm
C:\ProgramData\svchost | family_xworm
behavioral1/memory/2620-9-0x0000000000A70000-0x0000000000A88000-memory.dmp | family_xworm
behavioral1/memory/2000-14-0x0000000001170000-0x0000000001188000-memory.dmp | family_xworm
behavioral1/memory/764-16-0x00000000002A0000-0x00000000002B8000-memory.dmp | family_xworm

Drops startup file (2 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | XClient.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | XClient.exe

Executes dropped EXE (3 IoCs)
pid | process
2620 | svchost
2000 | svchost
764 | svchost

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" | XClient.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | process
2168 | XClient.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2168 | XClient.exe
Token: SeDebugPrivilege | 2168 | XClient.exe
Token: SeDebugPrivilege | 2620 | svchost
Token: SeDebugPrivilege | 2000 | svchost
Token: SeDebugPrivilege | 764 | svchost

Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
2168 | XClient.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | process | target process
PID 2168 wrote to memory of 2676 | 2168 | XClient.exe | schtasks.exe
PID 2168 wrote to memory of 2676 | 2168 | XClient.exe | schtasks.exe
PID 2168 wrote to memory of 2676 | 2168 | XClient.exe | schtasks.exe
PID 2756 wrote to memory of 2620 | 2756 | taskeng.exe | svchost
PID 2756 wrote to memory of 2620 | 2756 | taskeng.exe | svchost
PID 2756 wrote to memory of 2620 | 2756 | taskeng.exe | svchost
PID 2756 wrote to memory of 2000 | 2756 | taskeng.exe | svchost
PID 2756 wrote to memory of 2000 | 2756 | taskeng.exe | svchost
PID 2756 wrote to memory of 2000 | 2756 | taskeng.exe | svchost
PID 2756 wrote to memory of 764 | 2756 | taskeng.exe | svchost
PID 2756 wrote to memory of 764 | 2756 | taskeng.exe | svchost
PID 2756 wrote to memory of 764 | 2756 | taskeng.exe | svchost

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2168
    C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
      - Scheduled Task/Job: Scheduled Task
      PID: 2676

C:\Windows\system32\taskeng.exe
  taskeng.exe {8BBA8C58-6A21-4C06-AA1D-007FCF317FAC} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2756
    C:\ProgramData\svchost
      C:\ProgramData\svchost
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2620
    C:\ProgramData\svchost
      C:\ProgramData\svchost
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2000
    C:\ProgramData\svchost
      C:\ProgramData\svchost
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 764
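The signatures and process tree above describe one persistence chain: XClient.exe writes C:\ProgramData\svchost (an extensionless copy that borrows the svchost name, not the USB.exe the extracted config names), registers it under HKCU\...\CurrentVersion\Run, drops a Startup-folder .lnk, and creates a task that runs it every minute at the highest run level. That minute interval is why taskeng.exe re-launches the payload three times (PIDs 2620, 2000, 764) inside the 146 s run; the ip-api.com lookup is the usual XWorm external-IP check. The following is an added detection example written for this page (it is not the sandbox's own logic and not XWorm code): it scores a schtasks command line, Run-key writes, Startup-folder drops, Task Scheduler launches from user-writable paths, and IP-lookup DNS queries over constructed event records that mirror the report's IoCs. The Sysmon-like event shape and field names, the system-binary name list, and the IP-lookup domains other than ip-api.com are assumptions.

```python
"""Detection logic for the XWorm persistence chain in the report above.

SAMPLE_EVENTS are CONSTRUCTED to mirror the report's IoCs in a Sysmon-like
shape (id 1 = process create, 11 = file create, 13 = registry value set,
22 = DNS query). The field names are an assumption, not a real log schema.
"""
import re
from pathlib import PureWindowsPath

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Directories a standard user can write to; autoruns pointing here are suspect.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# Names malware borrows from real Windows binaries (assumed list, extend as needed).
SYSTEM_NAMES = {"svchost", "csrss", "lsass", "winlogon", "taskhost", "dwm", "conhost"}
# ip-api.com is the one in the report; the other two are assumed additions.
IP_LOOKUP_DOMAINS = {"ip-api.com", "api.ipify.org", "icanhazip.com"}


def parse_schtasks(cmdline):
    """Map schtasks flags to their argument (True when the flag takes none)."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    flags, i = {}, 1  # tokens[0] is schtasks.exe itself
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                flags[key] = tokens[i + 1]
                i += 1
            else:
                flags[key] = True
        i += 1
    return flags


def in_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE)


def mimics_system_binary(name):
    return PureWindowsPath(name).stem.lower() in SYSTEM_NAMES


def score_schtasks(cmdline):
    """Reasons a 'schtasks /create' command line looks like malware persistence."""
    f = parse_schtasks(cmdline)
    if "/create" not in f:
        return []
    reasons = []
    sc, mo, rl = (str(f.get(k, "")).lower() for k in ("/sc", "/mo", "/rl"))
    target = f.get("/tr", "")
    target = target if isinstance(target, str) else ""
    if sc == "minute" and (not mo.isdigit() or int(mo) <= 5):  # /mo defaults to 1
        reasons.append(f"minute-interval trigger (/sc minute /mo {mo or '1'})")
    if rl == "highest":
        reasons.append("runs at highest privilege level (/RL HIGHEST)")
    if target and in_user_writable(target):
        reasons.append(f"task action in user-writable path: {target}")
    if target and "." not in PureWindowsPath(target).name:
        reasons.append("task action has no file extension")
    tn = f.get("/tn", "")
    if isinstance(tn, str) and mimics_system_binary(tn):
        reasons.append(f"task name impersonates a system binary: {tn}")
    return reasons


def score_run_key(target_object, details):
    """Reasons a registry value write looks like Run-key persistence."""
    if not RUN_KEY_RE.search(target_object):
        return []
    value_name = target_object.rsplit("\\", 1)[-1]
    reasons = ["autorun value written under a Run key"]
    if in_user_writable(details):
        reasons.append(f"autorun target in user-writable path: {details}")
    if mimics_system_binary(value_name):
        reasons.append(f"autorun value name impersonates a system binary: {value_name}")
    return reasons


def analyze(events):
    """Run every rule over a list of event dicts; return (rule, detail) pairs."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            if ev["image"].lower().endswith("\\schtasks.exe"):
                findings += [("schtasks_persistence", r) for r in score_schtasks(ev["cmdline"])]
            # Task Scheduler host (taskeng.exe on Windows 7) launching from a user-writable dir
            if ev.get("parent", "").lower().endswith("\\taskeng.exe") and in_user_writable(ev["image"]):
                findings.append(("scheduled_task_launch", f"taskeng.exe started {ev['image']}"))
        elif ev["id"] == 13:
            findings += [("run_key", r) for r in score_run_key(ev["target"], ev["details"])]
        elif ev["id"] == 11 and STARTUP_RE.search(ev["target"]):
            findings.append(("startup_folder", ev["target"]))
        elif ev["id"] == 22 and ev["query"].lower() in IP_LOOKUP_DOMAINS:
            findings.append(("external_ip_lookup", ev["query"]))
    return findings


XCLIENT = r"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
SAMPLE_EVENTS = [  # constructed from the report's process tree and IoCs, plus one benign control
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": XCLIENT,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"'},
    {"id": 13, "image": XCLIENT, "details": r"C:\ProgramData\svchost",
     "target": r"HKU\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost"},
    {"id": 11, "image": XCLIENT,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"},
    {"id": 1, "image": r"C:\ProgramData\svchost", "parent": r"C:\Windows\system32\taskeng.exe",
     "cmdline": r"C:\ProgramData\svchost"},
    {"id": 22, "image": r"C:\ProgramData\svchost", "query": "ip-api.com"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /create /sc daily /st 03:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The benign daily backup task in the last record produces no finding, so the schtasks rule keys on the combination the report shows (minute interval, /RL HIGHEST, extensionless target under %ProgramData%, system-binary name) rather than on schtasks.exe alone. In a real pipeline the Run-key value in the report's own escaped form ("C:\\ProgramData\\svchost") should be unescaped before scoring.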
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads
Filesize: 71KB
MD5: b82626cc0347f048f8da43fb67033b74
SHA1: 2a5ea2cc17682a0750b4d9f9ab84c53e20ab49c9
SHA256: da823b302bfe968cb38012247306efe78d3de49dfd2e46988222edd92bae4599
SHA512: 434d1d159ef525ca5fce31d88499cce87e1d9620c906f465e245a711a6f44b6c85838d87d4c76f4efd2ae4364be3fdbb51e4e262dd3eab12b7ac0c528b8d123a