Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-08-2024 20:59

General

  • Target

    XClient.exe

  • Size

    80KB

  • MD5

    bfa950b37b6a4f8de71af861e677a8b4

  • SHA1

    2ee40bfbf2964d92c82256e5924169295dfdd225

  • SHA256

    07f94f8f6061ba95899914496edc5854aa810de56797d9004875276d60e21ade

  • SHA512

    235b514fac01b24edaef3aeb4209676789b6ba9264a8798cb7ae48c26d2455cdd8f254e92bbba688535acb69fd77b3c0a0a549cf97ece84c235cc74f72234e1a

  • SSDEEP

    1536:EI5NuEGJkEtydWqZQSp1eS+b59gxzhfxdl/5m6qeo//3Oy/4IK4Dax5:Eg1GhtktQGAS+b59cJ4eA/OlINDab

Malware Config

Extracted

Family

xworm

C2

full-self.gl.at.ply.gg:45212

The hostname is on the playit.gg tunnelling service (*.ply.gg), so the address it resolves to belongs to the tunnel provider rather than to the operator and can change without any action on their side. Treat the hostname and port as the durable indicator and the IP as incidental.

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload (1 IoC)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. In this run every exclusion targets the sample itself: its current path under %Temp%, its install path under %AppData%, and its image name XClient.exe (see Processes).

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
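The four PowerShell children above are the concrete form of the "Command and Scripting Interpreter: PowerShell" signature: the sample asks Defender to stop looking at its own current path, at its image name, and at the %AppData% install path from the extracted config, which is also where the Run key persistence points. The detection below is an added example, not part of this report and not code from XWorm or the sandbox, that correlates those two behaviours from endpoint telemetry and separates a process excluding itself from an administrator excluding a directory. It runs against constructed events that mirror the process tree and config shown on this page; the field names follow Sysmon Event ID 1 (process create) and Event ID 13 (registry value set), while the explorer.exe parent, the SID, the Run value name and the benign control event at the end are assumptions.

```python
"""Correlate Defender exclusions with the process that requested them and with Run-key writes.

Added example for this report; not the sandbox's code and not XWorm's. EVENTS is
constructed to mirror the process tree on this page (XClient.exe, PID 576, spawning four
PowerShell children) and the extracted config (install_file XClient.exe in %AppData%,
Run-key persistence). Field names follow Sysmon Event ID 1 (process create) and Event ID
13 (registry value set); the explorer.exe parent, the SID, the Run value name and the
benign control event are assumptions, not data from the report.
"""
import ntpath
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XCLIENT_TMP = r"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
XCLIENT_APPDATA = r"C:\Users\Admin\AppData\Roaming\XClient.exe"


def proc(pid, ppid, image, parent_image, cmdline):
    """Build a minimal Sysmon-style process-create record."""
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent_image, "CommandLine": cmdline}


def ps_cmd(args):
    """PowerShell invocation in the exact shape seen in the report's process tree."""
    return f'"{PS}" -ExecutionPolicy Bypass {args}'


EVENTS = [
    proc(576, 1200, XCLIENT_TMP, r"C:\Windows\explorer.exe", f'"{XCLIENT_TMP}"'),
    proc(2408, 576, PS, XCLIENT_TMP, ps_cmd(f"Add-MpPreference -ExclusionPath '{XCLIENT_TMP}'")),
    proc(608, 576, PS, XCLIENT_TMP, ps_cmd("Add-MpPreference -ExclusionProcess 'XClient.exe'")),
    proc(2752, 576, PS, XCLIENT_TMP, ps_cmd(f"Add-MpPreference -ExclusionPath '{XCLIENT_APPDATA}'")),
    proc(2748, 576, PS, XCLIENT_TMP, ps_cmd("Add-MpPreference -ExclusionProcess 'XClient.exe'")),
    # Constructed: the report records a Run key but not its value; this pair is an
    # assumption consistent with the extracted install_directory/install_file.
    {"EventID": 13, "ProcessId": 576, "Image": XCLIENT_TMP,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\XClient",
     "Details": XCLIENT_APPDATA},
    # Constructed control: an interactive admin excluding a build folder should not score high.
    proc(3000, 1200, PS, r"C:\Windows\explorer.exe", f'"{PS}" Add-MpPreference -ExclusionPath "D:\\Builds"'),
]

ADD_MP_RE = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
# -ExclusionPath 'x', -ExclusionProcess "x" or an unquoted token; quotes may be ' or ".
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Process|Extension)\s+(?:(['\"])(.*?)\2|(\S+))", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
HIGH = {"self_exclusion", "exclusion_covers_persistence"}


def parse_exclusions(cmdline):
    """Return [(kind, value), ...] for every -Exclusion* argument of an Add-MpPreference call."""
    if not ADD_MP_RE.search(cmdline):
        return []
    found = []
    for m in EXCLUSION_RE.finditer(cmdline):
        value = m.group(3) if m.group(3) is not None else m.group(4)
        found.append((m.group(1).lower(), value))
    return found


def analyze(events):
    """Return (pid, rule, detail) findings; rules in HIGH mean the parent is shielding itself."""
    persisted = {}  # pid -> lowercase paths that pid wrote into a Run key
    findings = []
    for e in events:
        if e["EventID"] == 13 and RUN_KEY_RE.search(e["TargetObject"]):
            persisted.setdefault(e["ProcessId"], set()).add(e["Details"].strip('"').lower())
            findings.append((e["ProcessId"], "run_key_persistence", e["Details"]))
    for e in events:
        if e["EventID"] != 1:
            continue
        parent = e["ParentImage"]
        bypass = "-executionpolicy bypass" in e["CommandLine"].lower()
        for kind, value in parse_exclusions(e["CommandLine"]):
            v = value.lower()
            if (kind == "path" and v == parent.lower()) or \
               (kind == "process" and v == ntpath.basename(parent).lower()):
                rule = "self_exclusion"  # the parent asks Defender to ignore its own binary
            elif kind == "path" and v in persisted.get(e["ParentProcessId"], set()):
                rule = "exclusion_covers_persistence"  # parent excludes the path it just persisted
            else:
                rule = "defender_exclusion"  # still worth logging; judge on parent/user context
            detail = f"{kind}={value}" + (" (ExecutionPolicy Bypass)" if bypass else "")
            findings.append((e["ProcessId"], rule, detail))
    return findings


def high_severity(findings):
    """Subset of findings where the requesting parent excluded itself or its persistence path."""
    return [f for f in findings if f[1] in HIGH]


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"pid={pid:<5} {rule:<28} {detail}")
```

Run as a script it prints one line per finding; the four PowerShell children from the report all land in the high-severity set because the path or process they exclude is the parent that spawned them, or the path that parent has just written into a Run key, while the constructed administrator exclusion is logged but not escalated. Real PowerShell also accepts abbreviated parameter names, positional arguments and encoded commands, so the regex here is a starting point for a rule, not a complete one.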

Network

  • DNS (XClient.exe, resolver 8.8.8.8:53)
    Request:  full-self.gl.at.ply.gg IN A
    Response: full-self.gl.at.ply.gg IN A 147.185.221.21

  • Flows (all initiated by XClient.exe; byte and packet counts as recorded by the sandbox)

    Remote address       | Domain                 | Protocol | Sent   | Received | Packets sent | Packets received
    147.185.221.21:45212 | full-self.gl.at.ply.gg |          | 522 B  | 212 B    | 5            | 5
    147.185.221.21:45212 | full-self.gl.at.ply.gg |          | 430 B  | 172 B    | 3            | 4
    147.185.221.21:45212 | full-self.gl.at.ply.gg |          | 426 B  | 172 B    | 3            | 4
    147.185.221.21:45212 | full-self.gl.at.ply.gg |          | 430 B  | 172 B    | 3            | 4
    147.185.221.21:45212 | full-self.gl.at.ply.gg |          | 426 B  | 172 B    | 3            | 4
    147.185.221.21:45212 | full-self.gl.at.ply.gg |          | 2.5kB  | 52 B     | 11           | 1
    147.185.221.21:45212 | full-self.gl.at.ply.gg |          | 1.9kB  | 52 B     | 9            | 1
    147.185.221.21:45212 | full-self.gl.at.ply.gg |          | 1.9kB  | 52 B     | 9            | 1
    147.185.221.21:45212 | full-self.gl.at.ply.gg |          | 1.9kB  | 52 B     | 9            | 1
    8.8.8.8:53           | full-self.gl.at.ply.gg | dns      | 68 B   | 84 B     | 1            | 1

    Nine separate connections to the same endpoint inside a 150 s run, none returning more than a few hundred bytes, is the reconnect loop of a client whose C2 is not answering in the sandbox; the later flows each receive a single 52 B packet, consistent with the handshake completing and nothing following it. No command traffic was captured, so the behaviour recorded here is limited to what the sample does before check-in.

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize 7KB
    MD5 650f240a6628ff1f30616baa90dc7f30
    SHA1 c3977d7efd30a8752ee74c1cc1c6250c26dcffd0
    SHA256 def4b8fa1782da53f8bd39b3fb9fc0402057f3f2f2f922a86326a883f9b35e2f
    SHA512 4b06301d5e11f4b428ec1702afdc67a402b31ba270f91359e185a1a7a17a0dd7e63209da50f8b8cc387103b13a3dfa0377c8cd00da1c572f42c8a4d186a12369

    This is a Windows Jump List (CustomDestinations) artifact created by the shell during the run, not a file dropped by the sample; its hashes are specific to this execution and are not usable as indicators.

  • Memory dumps (PID-index-address range)
    memory/576-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp (4KB)
    memory/576-1-0x0000000000350000-0x000000000036A000-memory.dmp (104KB)
    memory/576-28-0x000000001AC20000-0x000000001ACA0000-memory.dmp (512KB)
    memory/576-29-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp (4KB)
    memory/576-30-0x000000001AC20000-0x000000001ACA0000-memory.dmp (512KB)
    memory/608-15-0x0000000002870000-0x0000000002878000-memory.dmp (32KB)
    memory/608-14-0x000000001B4B0000-0x000000001B792000-memory.dmp (2.9MB)
    memory/2408-6-0x0000000002CA0000-0x0000000002D20000-memory.dmp (512KB)
    memory/2408-7-0x000000001B660000-0x000000001B942000-memory.dmp (2.9MB)
    memory/2408-8-0x00000000029F0000-0x00000000029F8000-memory.dmp (32KB)
