Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-1703-x64

10

XClient.exe

windows10-2004-x64

10

XClient.exe

windows11-21h2-x64

10

XClient.exe

macos-10.15-amd64

1

XClient.exe

macos-10.15-amd64

4

XClient.exe

ubuntu-18.04-amd64

XClient.exe

debian-9-armhf

XClient.exe

debian-9-mips

XClient.exe

debian-9-mipsel

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-08-2024 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    80KB

  • MD5

    bfa950b37b6a4f8de71af861e677a8b4

  • SHA1

    2ee40bfbf2964d92c82256e5924169295dfdd225

  • SHA256

    07f94f8f6061ba95899914496edc5854aa810de56797d9004875276d60e21ade

  • SHA512

    235b514fac01b24edaef3aeb4209676789b6ba9264a8798cb7ae48c26d2455cdd8f254e92bbba688535acb69fd77b3c0a0a549cf97ece84c235cc74f72234e1a

  • SSDEEP

    1536:EI5NuEGJkEtydWqZQSp1eS+b59gxzhfxdl/5m6qeo//3Oy/4IK4Dax5:Eg1GhtktQGAS+b59cJ4eA/OlINDab

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

full-self.gl.at.ply.gg:45212

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:376

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    ad5cd538ca58cb28ede39c108acb5785

    SHA1

    1ae910026f3dbe90ed025e9e96ead2b5399be877

    SHA256

    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

    SHA512

    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    2e9dd95184cea977731903f90865d9ef

    SHA1

    9ecb89cef9506ed83a9724d49b378333209368fc

    SHA256

    4ca225427114b0363e6db736efd5c1c95212262c2734a1e339aa1c1c7630def3

    SHA512

    ba241d9a5f05bfc5f75513f9723548336b588376eaedb8a552f9dd25628d0d365b76ce0020eaaf9695ecfe376c976d5e4f4f42374431b22f28ed54902af48986

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    92ad4c817e941a23e7a341723de73add

    SHA1

    7d0a1cbec514a212982fa24f4a53f018757d83a9

    SHA256

    d3cc2fb1a6040a5b247e1b8f42e3a6dcdf77f885d7835ad0ea4a0e5a98d98db9

    SHA512

    6e7715b8093434e8b07ad23527142851009b3a30d2e8c8d55e642a280eea3d3a95050436d3e3e3656c8e8a460871f5abc1ffc10837bd593fd6d9af92f3a4be12

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    b68364f7d675a42673c36b9213943cb1

    SHA1

    a62993ff4f19bb3879db0a57ce7d6dd1c6746221

    SHA256

    7a2931e4b168de60385ad79c234d4d7640fd25bd060e6606096f40d67fbeca26

    SHA512

    618f6c8d299d1fec3c6a8cffee9b0776e4fcedb16c2ebc42553fc0aa8eb19806d8a7cd875a4174983eefee48b330d9693126c8b544a0b22573e5248a19f8d9fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ceyac0f2.fsl.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • memory/700-10-0x00000253FE0B0000-0x00000253FE126000-memory.dmp

    Filesize

    472KB

    Download

  • memory/700-12-0x00007FF8C3950000-0x00007FF8C433C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/700-11-0x00007FF8C3950000-0x00007FF8C433C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/700-41-0x00007FF8C3950000-0x00007FF8C433C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/700-51-0x00007FF8C3950000-0x00007FF8C433C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/700-52-0x00007FF8C3950000-0x00007FF8C433C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/700-9-0x00007FF8C3950000-0x00007FF8C433C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/700-6-0x00000253E5A10000-0x00000253E5A32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3288-0-0x0000000000F40000-0x0000000000F5A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3288-1-0x00007FF8C3953000-0x00007FF8C3954000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3288-184-0x00007FF8C3950000-0x00007FF8C433C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3288-185-0x00007FF8C3950000-0x00007FF8C433C000-memory.dmp

    Filesize

    9.9MB

    Download