Overview
overview
10Static
static
10XClient.exe
windows10-1703-x64
XClient.exe
windows7-x64
XClient.exe
windows10-1703-x64
XClient.exe
windows10-2004-x64
XClient.exe
windows11-21h2-x64
XClient.exe
android-10-x64
XClient.exe
android-10-x64
XClient.exe
android-11-x64
XClient.exe
android-13-x64
XClient.exe
android-9-x86
XClient.exe
macos-10.15-amd64
4XClient.exe
macos-10.15-amd64
1XClient.exe
ubuntu-22.04-amd64
XClient.exe
debian-12-armhf
XClient.exe
debian-12-mipsel
XClient.exe
debian-9-armhf
XClient.exe
debian-9-mips
XClient.exe
debian-9-mipsel
XClient.exe
ubuntu-18.04-amd64
XClient.exe
ubuntu-20.04-amd64
XClient.exe
ubuntu-22.04-amd64
XClient.exe
ubuntu-24.04-amd64
Analysis
-
max time kernel
43s -
max time network
44s -
platform
windows11-21h2_x64 -
resource
win11-20240730-en -
resource tags
arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system -
submitted
01-08-2024 20:43
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
XClient.exe
Resource
win7-20240729-en
Behavioral task
behavioral3
Sample
XClient.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
XClient.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral5
Sample
XClient.exe
Resource
win11-20240730-en
Behavioral task
behavioral6
Sample
XClient.exe
Resource
android-x64-20240624-en
Behavioral task
behavioral7
Sample
XClient.exe
Resource
android-x64-20240624-en
Behavioral task
behavioral8
Sample
XClient.exe
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral9
Sample
XClient.exe
Resource
android-33-x64-arm64-20240624-en
Behavioral task
behavioral10
Sample
XClient.exe
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral11
Sample
XClient.exe
Resource
macos-20240711.1-en
Behavioral task
behavioral12
Sample
XClient.exe
Resource
macos-20240711.1-en
Behavioral task
behavioral13
Sample
XClient.exe
Resource
ubuntu2204-amd64-20240522.1-en
Behavioral task
behavioral14
Sample
XClient.exe
Resource
debian12-armhf-20240221-en
Behavioral task
behavioral15
Sample
XClient.exe
Resource
debian12-mipsel-20240729-en
Behavioral task
behavioral16
Sample
XClient.exe
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral17
Sample
XClient.exe
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral18
Sample
XClient.exe
Resource
debian9-mipsel-20240418-en
Behavioral task
behavioral19
Sample
XClient.exe
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral20
Sample
XClient.exe
Resource
ubuntu2004-amd64-20240611-en
Behavioral task
behavioral21
Sample
XClient.exe
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral22
Sample
XClient.exe
Resource
ubuntu2404-amd64-20240729-en
Errors
General
-
Target
XClient.exe
-
Size
80KB
-
MD5
bfa950b37b6a4f8de71af861e677a8b4
-
SHA1
2ee40bfbf2964d92c82256e5924169295dfdd225
-
SHA256
07f94f8f6061ba95899914496edc5854aa810de56797d9004875276d60e21ade
-
SHA512
235b514fac01b24edaef3aeb4209676789b6ba9264a8798cb7ae48c26d2455cdd8f254e92bbba688535acb69fd77b3c0a0a549cf97ece84c235cc74f72234e1a
-
SSDEEP
1536:EI5NuEGJkEtydWqZQSp1eS+b59gxzhfxdl/5m6qeo//3Oy/4IK4Dax5:Eg1GhtktQGAS+b59cJ4eA/OlINDab
Malware Config
Extracted
xworm
full-self.gl.at.ply.gg:45212
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral5/memory/2912-0-0x00000000009A0000-0x00000000009BA000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4548 powershell.exe 3020 powershell.exe 4996 powershell.exe 1308 powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2326217578-3761199233-1872589011-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" XClient.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 4548 powershell.exe 4548 powershell.exe 3020 powershell.exe 3020 powershell.exe 4996 powershell.exe 4996 powershell.exe 1308 powershell.exe 1308 powershell.exe 2912 XClient.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 2912 XClient.exe Token: SeDebugPrivilege 4548 powershell.exe Token: SeDebugPrivilege 3020 powershell.exe Token: SeDebugPrivilege 4996 powershell.exe Token: SeDebugPrivilege 1308 powershell.exe Token: SeDebugPrivilege 2912 XClient.exe Token: SeShutdownPrivilege 2592 shutdown.exe Token: SeRemoteShutdownPrivilege 2592 shutdown.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2912 XClient.exe 4068 LogonUI.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2912 wrote to memory of 4548 2912 XClient.exe 83 PID 2912 wrote to memory of 4548 2912 XClient.exe 83 PID 2912 wrote to memory of 3020 2912 XClient.exe 85 PID 2912 wrote to memory of 3020 2912 XClient.exe 85 PID 2912 wrote to memory of 4996 2912 XClient.exe 87 PID 2912 wrote to memory of 4996 2912 XClient.exe 87 PID 2912 wrote to memory of 1308 2912 XClient.exe 89 PID 2912 wrote to memory of 1308 2912 XClient.exe 89 PID 2912 wrote to memory of 2592 2912 XClient.exe 92 PID 2912 wrote to memory of 2592 2912 XClient.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308
-
-
C:\Windows\SYSTEM32\shutdown.exeshutdown.exe /f /s /t 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a17855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4068
Network
-
Remote address:8.8.8.8:53Requestfull-self.gl.at.ply.ggIN AResponsefull-self.gl.at.ply.ggIN A147.185.221.21
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Requestself.events.data.microsoft.comIN AResponseself.events.data.microsoft.comIN CNAMEself-events-data.trafficmanager.netself-events-data.trafficmanager.netIN CNAMEonedscolprdwus08.westus.cloudapp.azure.comonedscolprdwus08.westus.cloudapp.azure.comIN A20.189.173.9
-
Remote address:8.8.8.8:53Request21.221.185.147.in-addr.arpaIN PTRResponse
-
1.3kB 13.5kB 18 24
-
148.1kB 3.2kB 115 63
-
210 B 368 B 3 3
DNS Request
full-self.gl.at.ply.gg
DNS Response
147.185.221.21
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
self.events.data.microsoft.com
DNS Response
20.189.173.9
-
73 B 130 B 1 1
DNS Request
21.221.185.147.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD5d0a4a3b9a52b8fe3b019f6cd0ef3dad6
SHA1fed70ce7834c3b97edbd078eccda1e5effa527cd
SHA25621942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
SHA5121a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b
-
Filesize
944B
MD5e23ced1dc16414575a8061ae4b27f6ea
SHA1649c5b525058931aad3443ec798767fdf4e36020
SHA2563c8216946f767c8bc75cd37073419bc3e3a4130b44974e8c2185d3e09546d01a
SHA51293c4c6d1327a335d0f3d1cf67cd65b2a9ef0011c24df88a16552e02d069c481e7c10aef0cef1078fad60cd79b99763befa00f25ff12b3ab10a7a8fa617a73cb8
-
Filesize
944B
MD5cb9070f7a07a5d3fc17121852bff6953
SHA11932f99c2039a98cf0d65bca0f882dde0686fc11
SHA2566c908b4ca5b098e166b48a0e821050db43fba7299a6553be2303bee5b89545ac
SHA51297b9fc5ce40b102e2c9334500f6c17625c982ff8e4afaaabd92c2468cd8deface01d7cdfd267c4f10aac123b7a6173fde85d2b531c6f134a3896a8ca5edfe1f8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82