Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    595s
  • max time network
    592s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2024, 21:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    74KB

  • MD5

    c993fe2aacb27cf417f04ec1a2a7a0b9

  • SHA1

    05b88b752cb79c86475691b4627faf8f1610d842

  • SHA256

    fcd2edc86826bb43a8c5b0e98ea719fa311a85234c620cbb69a35112a5699e55

  • SHA512

    8542a911dcb3839ff28a22d9285ca1494c1dedc5b2dcba07954939149d39e4f47a6a2b76b1a8db756309cc3b261fde03f903f55987868882c46cfe60b1513fb0

  • SSDEEP

    1536:64S6Usxc2MdQHrL/L91JtmUbZGzaOa+Z4E6ORmp3jRO5+48cVo:6VMxc2nLL/R1J8UbZfOaXgRG3jROEl

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

tr3.localto.net:44953

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchhost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3260
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2320
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchhost" /tr "C:\ProgramData\svchhost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1904
  • C:\ProgramData\svchhost.exe
    C:\ProgramData\svchhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1348
  • C:\ProgramData\svchhost.exe
    C:\ProgramData\svchhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4632
  • C:\ProgramData\svchhost.exe
    C:\ProgramData\svchhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4828
  • C:\ProgramData\svchhost.exe
    C:\ProgramData\svchhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1508
  • C:\ProgramData\svchhost.exe
    C:\ProgramData\svchhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4860
  • C:\ProgramData\svchhost.exe
    C:\ProgramData\svchhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:960
  • C:\ProgramData\svchhost.exe
    C:\ProgramData\svchhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3672
  • C:\ProgramData\svchhost.exe
    C:\ProgramData\svchhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2696
  • C:\ProgramData\svchhost.exe
    C:\ProgramData\svchhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2212
  • C:\ProgramData\svchhost.exe
    C:\ProgramData\svchhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\svchhost.exe
    Filesize

    74KB

    MD5

    c993fe2aacb27cf417f04ec1a2a7a0b9

    SHA1

    05b88b752cb79c86475691b4627faf8f1610d842

    SHA256

    fcd2edc86826bb43a8c5b0e98ea719fa311a85234c620cbb69a35112a5699e55

    SHA512

    8542a911dcb3839ff28a22d9285ca1494c1dedc5b2dcba07954939149d39e4f47a6a2b76b1a8db756309cc3b261fde03f903f55987868882c46cfe60b1513fb0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchhost.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    3a6bad9528f8e23fb5c77fbd81fa28e8

    SHA1

    f127317c3bc6407f536c0f0600dcbcf1aabfba36

    SHA256

    986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

    SHA512

    846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    e3b6cc0fbea08a0831f0026a696db8b8

    SHA1

    4e32202d4700061cfd80d55e42798131c9f530d4

    SHA256

    3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5

    SHA512

    6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    e5663972c1caaba7088048911c758bf3

    SHA1

    3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

    SHA256

    9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

    SHA512

    ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iivszaar.byx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/4600-1-0x0000000000630000-0x0000000000648000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4600-2-0x00007FF9E1360000-0x00007FF9E1E21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4600-0-0x00007FF9E1363000-0x00007FF9E1365000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4600-56-0x00007FF9E1360000-0x00007FF9E1E21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4600-55-0x00007FF9E1363000-0x00007FF9E1365000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4672-13-0x0000020BC2520000-0x0000020BC2542000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4672-17-0x00007FF9E1360000-0x00007FF9E1E21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4672-15-0x00007FF9E1360000-0x00007FF9E1E21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4672-14-0x00007FF9E1360000-0x00007FF9E1E21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4672-3-0x00007FF9E1360000-0x00007FF9E1E21000-memory.dmp

    Filesize

    10.8MB

    Download