Analysis Overview
SHA256
34b9641ff8a9253a24746b274a5f74507c6dc6df509b084bba2533eb90402e39
Threat Level: Known bad
The file XClient.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Xworm family
Loads dropped DLL
Unsigned PE
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-21 13:23
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 13:23
Reported
2024-06-21 13:24
Platform
win11-20240611-en
Max time kernel
77s
Max time network
79s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 852 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\SYSTEM32\CMD.EXE |
| PID 852 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\SYSTEM32\CMD.EXE |
| PID 852 wrote to memory of 248 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\system32\cmd.exe |
| PID 852 wrote to memory of 248 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\system32\cmd.exe |
| PID 248 wrote to memory of 3828 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 248 wrote to memory of 3828 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SYSTEM32\CMD.EXE
"CMD.EXE"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp997D.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.20:33360 | N/A | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.20:33360 | N/A | tcp |
| US | 147.185.221.20:33360 | N/A | tcp |
| US | 147.185.221.20:33360 | N/A | tcp |
Files
memory/852-0-0x00007FF9A5473000-0x00007FF9A5475000-memory.dmp
memory/852-1-0x0000000000960000-0x000000000096E000-memory.dmp
memory/852-2-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp
memory/852-3-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp
memory/852-4-0x0000000002BB0000-0x0000000002BBA000-memory.dmp
memory/852-5-0x000000001C580000-0x000000001C5BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp2296.tmp
| MD5 | 1b942faa8e8b1008a8c3c1004ba57349 |
| SHA1 | cd99977f6c1819b12b33240b784ca816dfe2cb91 |
| SHA256 | 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc |
| SHA512 | 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43 |
memory/852-10-0x000000001BD90000-0x000000001BD9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp997D.tmp.bat
| MD5 | 81fd49c94c17192925857e1602d3b251 |
| SHA1 | 9db958438cf876ab091a718e4df6127b15b13686 |
| SHA256 | d19495b077eea49a1f226099d93412c1c76e5bf7d98d0ec6926c8def99df2cc2 |
| SHA512 | 31dc1c9919918b58028c59b7d41cbe7d296327294865f095b0373cfb2f284e71904d97a106ff2bf056a602145dbec1e7b53a668dc95d57e19a393b119ceeedf0 |
memory/852-15-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp