Analysis

  • max time kernel
    43s
  • max time network
    44s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240730-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240730-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01-08-2024 20:43

Errors

Reason
Machine shutdown

General

  • Target

    XClient.exe

  • Size

    80KB

  • MD5

    bfa950b37b6a4f8de71af861e677a8b4

  • SHA1

    2ee40bfbf2964d92c82256e5924169295dfdd225

  • SHA256

    07f94f8f6061ba95899914496edc5854aa810de56797d9004875276d60e21ade

  • SHA512

    235b514fac01b24edaef3aeb4209676789b6ba9264a8798cb7ae48c26d2455cdd8f254e92bbba688535acb69fd77b3c0a0a549cf97ece84c235cc74f72234e1a

  • SSDEEP

    1536:EI5NuEGJkEtydWqZQSp1eS+b59gxzhfxdl/5m6qeo//3Oy/4IK4Dax5:Eg1GhtktQGAS+b59cJ4eA/OlINDab

Malware Config

Extracted

Family

xworm

C2

full-self.gl.at.ply.gg:45212

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1308
    • C:\Windows\SYSTEM32\shutdown.exe
      shutdown.exe /f /s /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a17855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4068

Network

  • DNS (US): full-self.gl.at.ply.gg, queried by XClient.exe
    Remote address: 8.8.8.8:53
    Request: full-self.gl.at.ply.gg IN A
    Response: full-self.gl.at.ply.gg IN A 147.185.221.21
  • DNS (US): 8.8.8.8.in-addr.arpa, queried by XClient.exe
    Remote address: 8.8.8.8:53
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS (US): self.events.data.microsoft.com, queried by XClient.exe
    Remote address: 8.8.8.8:53
    Request: self.events.data.microsoft.com IN A
    Response: self.events.data.microsoft.com IN CNAME self-events-data.trafficmanager.net
    Response: self-events-data.trafficmanager.net IN CNAME onedscolprdwus08.westus.cloudapp.azure.com
    Response: onedscolprdwus08.westus.cloudapp.azure.com IN A 20.189.173.9
  • DNS (US): 21.221.185.147.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 21.221.185.147.in-addr.arpa IN PTR
    Response: (empty)
  • 147.185.221.21:45212 (full-self.gl.at.ply.gg), XClient.exe: 1.3kB / 13.5kB, 18 / 24 packets
  • 147.185.221.21:45212 (full-self.gl.at.ply.gg), XClient.exe: 148.1kB / 3.2kB, 115 / 63 packets
  • 8.8.8.8:53 (full-self.gl.at.ply.gg), dns, XClient.exe: 210 B / 368 B, 3 / 3 packets
    DNS Request: full-self.gl.at.ply.gg
    DNS Response: 147.185.221.21
    DNS Request: 8.8.8.8.in-addr.arpa
    DNS Request: self.events.data.microsoft.com
    DNS Response: 20.189.173.9
  • 8.8.8.8:53 (21.221.185.147.in-addr.arpa), dns: 73 B / 130 B, 1 / 1 packets
    DNS Request: 21.221.185.147.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    d0a4a3b9a52b8fe3b019f6cd0ef3dad6

    SHA1

    fed70ce7834c3b97edbd078eccda1e5effa527cd

    SHA256

    21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

    SHA512

    1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    e23ced1dc16414575a8061ae4b27f6ea

    SHA1

    649c5b525058931aad3443ec798767fdf4e36020

    SHA256

    3c8216946f767c8bc75cd37073419bc3e3a4130b44974e8c2185d3e09546d01a

    SHA512

    93c4c6d1327a335d0f3d1cf67cd65b2a9ef0011c24df88a16552e02d069c481e7c10aef0cef1078fad60cd79b99763befa00f25ff12b3ab10a7a8fa617a73cb8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    cb9070f7a07a5d3fc17121852bff6953

    SHA1

    1932f99c2039a98cf0d65bca0f882dde0686fc11

    SHA256

    6c908b4ca5b098e166b48a0e821050db43fba7299a6553be2303bee5b89545ac

    SHA512

    97b9fc5ce40b102e2c9334500f6c17625c982ff8e4afaaabd92c2468cd8deface01d7cdfd267c4f10aac123b7a6173fde85d2b531c6f134a3896a8ca5edfe1f8

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvcqiboi.xct.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2912-1-0x00007FF8B16B3000-0x00007FF8B16B5000-memory.dmp

    Filesize

    8KB

  • memory/2912-54-0x00007FF8B16B0000-0x00007FF8B2172000-memory.dmp

    Filesize

    10.8MB

  • memory/2912-0-0x00000000009A0000-0x00000000009BA000-memory.dmp

    Filesize

    104KB

  • memory/2912-53-0x00007FF8B16B0000-0x00007FF8B2172000-memory.dmp

    Filesize

    10.8MB

  • memory/2912-52-0x000000001B5A0000-0x000000001B5AC000-memory.dmp

    Filesize

    48KB

  • memory/2912-51-0x00007FF8B16B0000-0x00007FF8B2172000-memory.dmp

    Filesize

    10.8MB

  • memory/4548-11-0x00007FF8B16B0000-0x00007FF8B2172000-memory.dmp

    Filesize

    10.8MB

  • memory/4548-18-0x00007FF8B16B0000-0x00007FF8B2172000-memory.dmp

    Filesize

    10.8MB

  • memory/4548-15-0x00007FF8B16B0000-0x00007FF8B2172000-memory.dmp

    Filesize

    10.8MB

  • memory/4548-14-0x00007FF8B16B0000-0x00007FF8B2172000-memory.dmp

    Filesize

    10.8MB

  • memory/4548-13-0x00007FF8B16B0000-0x00007FF8B2172000-memory.dmp

    Filesize

    10.8MB

  • memory/4548-12-0x00007FF8B16B0000-0x00007FF8B2172000-memory.dmp

    Filesize

    10.8MB

  • memory/4548-2-0x0000027743940000-0x0000027743962000-memory.dmp

    Filesize

    136KB
