Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-1703-x64

10

XClient.exe

windows10-2004-x64

10

XClient.exe

windows11-21h2-x64

10

XClient.exe

macos-10.15-amd64

4

XClient.exe

macos-10.15-amd64

1

XClient.exe

ubuntu-18.04-amd64

XClient.exe

debian-9-armhf

XClient.exe

debian-9-mips

XClient.exe

debian-9-mipsel

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-08-2024 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    80KB

  • MD5

    bfa950b37b6a4f8de71af861e677a8b4

  • SHA1

    2ee40bfbf2964d92c82256e5924169295dfdd225

  • SHA256

    07f94f8f6061ba95899914496edc5854aa810de56797d9004875276d60e21ade

  • SHA512

    235b514fac01b24edaef3aeb4209676789b6ba9264a8798cb7ae48c26d2455cdd8f254e92bbba688535acb69fd77b3c0a0a549cf97ece84c235cc74f72234e1a

  • SSDEEP

    1536:EI5NuEGJkEtydWqZQSp1eS+b59gxzhfxdl/5m6qeo//3Oy/4IK4Dax5:Eg1GhtktQGAS+b59cJ4eA/OlINDab

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

full-self.gl.at.ply.gg:45212

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    ad5cd538ca58cb28ede39c108acb5785

    SHA1

    1ae910026f3dbe90ed025e9e96ead2b5399be877

    SHA256

    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

    SHA512

    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    c9d2d982f58762f36d556e55bc7a8966

    SHA1

    d4ebcdeb595dbe5e1c80b5caf5210802a11151e4

    SHA256

    806a7753fda5402ac4cada9a09ad48f36593fc347b28fb705c44bb54260f8e7e

    SHA512

    0d4d60ba865d0c2fe487ca16e450031b56cafee3a9788454543e31ad8feded9949ece60a0efb5d6e3dc9fdd60b55b6696a2dff3554b6c3f893e7e233e1643db9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    5aede25c2e87714e8f02bb2d0d549e82

    SHA1

    a2ae9793a44cb424f74522f402b58ead7e9d08fe

    SHA256

    cc20e8fb0b0c99c42a590a18f634f4cafb8f0c5a5e15a90d73f8fb9c0444e1a4

    SHA512

    184b564ecab43f983369f548c29404189561c658378babb50b95d4aac8cff488f6a886b7e8440c65534875aa359ad8631d0e37b384cb63600067ed7a2ff2fb97

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    e62b5afeec365bc5f0596b5cbb6a9939

    SHA1

    91ac3bfaa3c01b602786ee891e2cc06476a7a58a

    SHA256

    ee388c0bb9a0bc9a8c773f7b5bbd86f9b561d04d76f1777a5b75aa278fa81676

    SHA512

    497db3eade26cb2904e674af7ef4710a4b4d553290223ecc9cc1a1a4f2eb09a0056efaa3943211ed697c55c5ccd4858400f890bd19230a96c69aa3e9e7182d80

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1db4z015.vu1.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • memory/2356-1-0x0000000000170000-0x000000000018A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2356-185-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2356-184-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2356-0-0x00007FF862F13000-0x00007FF862F14000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4372-10-0x000001A25B1B0000-0x000001A25B226000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4372-52-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4372-51-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4372-41-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4372-20-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4372-11-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4372-9-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4372-6-0x000001A25AFD0000-0x000001A25AFF2000-memory.dmp

    Filesize

    136KB

    Download