6bb046eae00707e7179ae2820d9b6501860c57f94cab6a892378f1c6ff420587

Analysis

max time kernel
149s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 21:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

XClient_obfuscated.exe
Size

4.5MB
MD5

cec3ccca408360dc5d69fb5fe7532a82
SHA1

53bb55b9b6a4fa1013e015d97ae94e64b6771715
SHA256

6bb046eae00707e7179ae2820d9b6501860c57f94cab6a892378f1c6ff420587
SHA512

46be13bf806bca97691e3fb4479db4dcad874bafa31220c6669becf16bd08197075d5cdd0b7f458cc823960b0207b72cd141ddbc05fad652cb544e0cbf9c12cb
SSDEEP

98304:BrIafpKrJ3I25y1su2UVTbIqlK4TnO+FDprqAgIQ/Jmoj+XKCt4G7sTIrIq83:xpKrJ+1iIbZg4TvdQNm5XKCt77sTIr

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
4576	XClient_obfuscated.exe
4576	XClient_obfuscated.exe
4576	XClient_obfuscated.exe
4576	XClient_obfuscated.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XClient_obfuscated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XClient_obfuscated.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3380	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3380	taskmgr.exe
Token: SeSystemProfilePrivilege	3380	taskmgr.exe
Token: SeCreateGlobalPrivilege	3380	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4576	4856	XClient_obfuscated.exe	84
PID 4856 wrote to memory of 4576	4856	XClient_obfuscated.exe	84
PID 4856 wrote to memory of 4576	4856	XClient_obfuscated.exe	84

C:\Users\Admin\AppData\Local\Temp\XClient_obfuscated.exe
"C:\Users\Admin\AppData\Local\Temp\XClient_obfuscated.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\XClient_obfuscated.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient_obfuscated.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4576

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI48562\VCRUNTIME140.dll

Filesize
74KB

MD5
31ce620cb32ac950d31e019e67efc638

SHA1
eaf02a203bc11d593a1adb74c246f7a613e8ef09

SHA256
1e0f8f7f13502f5cee17232e9bebca7b44dd6ec29f1842bb61033044c65b2bbf

SHA512
603e8dceda4cb5b3317020e71f1951d01ace045468eaf118b422f4f44b8b6b2794f5002ea2e3fe9107c222e4cb55b932ed0d897a1871976d75f8ee10d5d12374

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_bz2.pyd

Filesize
66KB

MD5
216f736db1b110548da2f8f21c381412

SHA1
da3781dfe8f6b3bdacc92f82c330cc26248b6b5d

SHA256
ce4f48bdc1f6144b4bcb288896392867176a2b5f10efbfbc2d5454e14cde61ce

SHA512
3bea7426995833f37996468ca3d122c4c182cfcde6f6469d51c211624baa169daacd20101abb1ce8ba50b46fd9f25d1bf1f5e913ebfbea600a5d7ad557f33544

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_decimal.pyd

Filesize
186KB

MD5
64075bc3bb3d8ecfb34938f24ae4077e

SHA1
9427093b25c208f7fe2d993543bf94cf25620023

SHA256
0c12e6598ce23e43fc00d34a86c6be6b49eedc33b676c5596483491a215bc670

SHA512
2fb3338a40364d390a14f0b32396378448b2c7f5a688423a98eae44d2a99ade505012949abc406a54f7b1094ca92f7dc2f5c930c81c2ed45076712edf74cb059

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_hashlib.pyd

Filesize
43KB

MD5
f9f0589c4d853060b62b1e83b3c6e8f8

SHA1
11d474d1a0006c0f8746187ed575d2923fdf3b01

SHA256
600ff18011b09cf9d49660dd7f58601ef438a921c1732054fdc5f312425c55e1

SHA512
ee3ef23cf79cd3782a84214548db2bb394e256db5f7e60d00ef6d62fad191d4654b889588ebd0da8cfbee0154ff3df362f2b1a76370e437edfcb398ba7982c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_lzma.pyd

Filesize
139KB

MD5
4a42b4f058c2e58eb3ab47e0166259cc

SHA1
4a55098dbffd59c651b862c2e610961b20f3b9da

SHA256
adddfd498ed73729af21bc139c421411aa40fa9000da1054c1ed73be6b2c8f56

SHA512
dd68e0a20a58c127a91406e7dfbb20f473635974fec15de0e678101241272c70ea7335e3e0cf990bef200d29f73adc519701989992ab55b53894c6d3133df52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_socket.pyd

Filesize
63KB

MD5
c7191cfe1da82b09fbedb5ea207397c5

SHA1
894199e61d3aa786ce2f5f2e159e8a9d6ffc1f68

SHA256
006c61209b77985aae77a8883293be2ac1e3f3913d6d436e16088311135f5bc2

SHA512
c6b35f1573fdea5a51b636243f171a2021b93f29092fc46a2c0717cf2f2ce187c77598c203b3c5fa225936e01fc81d957ae684fc9b5b2ecc70bc010ef9a64f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\base_library.zip

Filesize
858KB

MD5
e390f6f8210ec8f625e41d032892a555

SHA1
1942cd3974970e436f51d08284d216af91bd563f

SHA256
072a34a29da732afb01237adcc33198842edd473d014cf6b7f0ee3285f8b42d4

SHA512
b577eee901ce55fcc63403caa782a6f36dc20c18894508f78cac7d0d03c5ce0771bd4671525d7f0b5a86bf0afe0b09afea38d4e07767a8154ccc8cc27b3a295b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\libcrypto-1_1.dll

Filesize
2.2MB

MD5
31c2130f39942ac41f99c77273969cd7

SHA1
540edcfcfa75d0769c94877b451f5d0133b1826c

SHA256
dd55258272eeb8f2b91a85082887463d0596e992614213730000b2dbc164bcad

SHA512
cb4e0b90ea86076bd5c904b46f6389d0fd4afffe0bd3a903c7ff0338c542797063870498e674f86d58764cdbb73b444d1df4b4aa64f69f99b224e86ddaf74bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\python310.dll

Filesize
3.9MB

MD5
87bb8d7f9f22e11d2a3c196ee9bf36a5

SHA1
45dfcb22987f5a20a9b32410336c0d097ca91b35

SHA256
1269f15b1c8daa25af81e6ad22f9bcebfd2c76aec81c18c6d800460b7105bf98

SHA512
75bb2ae36b693e2a1e5ba003503d07ba975f9436fb3da9bf3fc4087a281cb172fa9bd13ad6fc27a62f796af6cbe0c800e2a169c65949a96bd4d0e150f4858288

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\select.pyd

Filesize
22KB

MD5
0b16458372bde0b85e84ce467cfc8c95

SHA1
a3ee99f69f0e5ffae36686af479ead1102c2a0a6

SHA256
bc9531896aee675fd8ae0fd2805524b5e9ce921dd5365145b9f32141604082db

SHA512
727cda4aa085c1af0ce3a9a3a6833057b255678666b2f00dca4f737f322a7cc02cd896ef3353bf9add02faf53b90ce6344e85860cc35da969fcee085c2f210bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\unicodedata.pyd

Filesize
1.1MB

MD5
9f0d733a0c240692270fb45ad30028df

SHA1
da06251cae9c6e4c7179ec9e9a67ac6cc1691077

SHA256
0c4342f33bd82f4840e293f5115ed0e87ec4409c5d8c78e43161fa3d60fa235a

SHA512
c72988875256eb1cea0e95a15f3731e95d847eacb52c5cb03b65e41ddc64b2591d34ea499f6e71ed203cf37f6ee09697708acf64d9e37cc4d1d37cb86de9c52b

Download Submit
memory/3380-32-0x000001DA6B2F0000-0x000001DA6B2F1000-memory.dmp

Filesize
4KB

Download
memory/3380-27-0x000001DA6B2F0000-0x000001DA6B2F1000-memory.dmp

Filesize
4KB

Download
memory/3380-28-0x000001DA6B2F0000-0x000001DA6B2F1000-memory.dmp

Filesize
4KB

Download
memory/3380-26-0x000001DA6B2F0000-0x000001DA6B2F1000-memory.dmp

Filesize
4KB

Download
memory/3380-38-0x000001DA6B2F0000-0x000001DA6B2F1000-memory.dmp

Filesize
4KB

Download
memory/3380-37-0x000001DA6B2F0000-0x000001DA6B2F1000-memory.dmp

Filesize
4KB

Download
memory/3380-36-0x000001DA6B2F0000-0x000001DA6B2F1000-memory.dmp

Filesize
4KB

Download
memory/3380-35-0x000001DA6B2F0000-0x000001DA6B2F1000-memory.dmp

Filesize
4KB

Download
memory/3380-34-0x000001DA6B2F0000-0x000001DA6B2F1000-memory.dmp

Filesize
4KB

Download
memory/3380-33-0x000001DA6B2F0000-0x000001DA6B2F1000-memory.dmp

Filesize
4KB

Download