Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-08-2024 22:50

General

  • Target

    XClient.exe

  • Size

    41KB

  • MD5

    f065a5f352973e89b2e8d3efd79b98f8

  • SHA1

    6a9a84e0a11010262ea35790fcdf824193805c76

  • SHA256

    7b75950ae4eeabfdedafe9e3b14acee160a6ad932cbad66f71fe5bca32cc6405

  • SHA512

    b920e46653ec87748767e71e88593db3c6d25fcde1b63504a1718d438e383c15578fd9e5bae5665b040e0f3512566ec99322eb8f3b5a0fa2112934ad486a2006

  • SSDEEP

    768:2+ibOPCt0LxOg3XvgggzLJF5PG9pmE6vOwhF3EizW:2tbuCiL0WXvvgpFI9AE6vOwjF6

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

JYj1EIwWwj45bGVr

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Signatures

  • Detect Xworm Payload (2 IoCs)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery (1 TTPs)

    Enumerates browser information.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (10 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4140
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:5100
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault77c7f045hbd22h4011ha027h414e1668ad75
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa1a3146f8,0x7ffa1a314708,0x7ffa1a314718
      2⤵
      PID:4864
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14104725550261551747,11877102410183814940,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
      2⤵
      PID:3948
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,14104725550261551747,11877102410183814940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4304
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,14104725550261551747,11877102410183814940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
      2⤵
      PID:1320
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4872
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4292
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:752
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4428
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    "C:\Users\Admin\AppData\Roaming\XClient.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2152
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    "C:\Users\Admin\AppData\Roaming\XClient.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4128
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:776

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

                Filesize

                654B

                MD5

                2ff39f6c7249774be85fd60a8f9a245e

                SHA1

                684ff36b31aedc1e587c8496c02722c6698c1c4e

                SHA256

                e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                SHA512

                1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                Filesize

                152B

                MD5

                0446fcdd21b016db1f468971fb82a488

                SHA1

                726b91562bb75f80981f381e3c69d7d832c87c9d

                SHA256

                62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

                SHA512

                1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                Filesize

                61B

                MD5

                4df4574bfbb7e0b0bc56c2c9b12b6c47

                SHA1

                81efcbd3e3da8221444a21f45305af6fa4b71907

                SHA256

                e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

                SHA512

                78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                Filesize

                5KB

                MD5

                609a9cbf9f88b7f4f1f2a2abacc8cde3

                SHA1

                1acbc04be46856cb5aff1ca88ac8169044aaa394

                SHA256

                06346627aa6c88f7b89734f88ccda87e289c0ec386fdf394661b16437c5bb6e1

                SHA512

                b6366d82e3bd08be90e18b08072473960dcf93354a77c5fc0a9ba34c1e05c44b07737ee05f558cfb560e7640590934ece63afa7d882e321710575ca27c4677cd

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                Filesize

                8KB

                MD5

                fd15426e249a083b87254420763af5df

                SHA1

                ec793281667fccdf36cf5032f153b95079afc6a7

                SHA256

                4b30d40a421d63b8fa7b1c9bf668fd9a34ae9c7330c84b6a0cfba9f3f257f86b

                SHA512

                2ed9daee39affdd421965dc7f7f8e2a8bb1157bb9e18835b5b658a478620009cfb015fff397c49129372177abb26115b625867380b0120bd75dafcc3ea5f0f17

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                2e907f77659a6601fcc408274894da2e

                SHA1

                9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                SHA256

                385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                SHA512

                34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                eb1ad317bd25b55b2bbdce8a28a74a94

                SHA1

                98a3978be4d10d62e7411946474579ee5bdc5ea6

                SHA256

                9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

                SHA512

                d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                d8cb3e9459807e35f02130fad3f9860d

                SHA1

                5af7f32cb8a30e850892b15e9164030a041f4bd6

                SHA256

                2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

                SHA512

                045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_py5o1is0.4yf.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Admin\AppData\Roaming\XClient.exe

                Filesize

                41KB

                MD5

                f065a5f352973e89b2e8d3efd79b98f8

                SHA1

                6a9a84e0a11010262ea35790fcdf824193805c76

                SHA256

                7b75950ae4eeabfdedafe9e3b14acee160a6ad932cbad66f71fe5bca32cc6405

                SHA512

                b920e46653ec87748767e71e88593db3c6d25fcde1b63504a1718d438e383c15578fd9e5bae5665b040e0f3512566ec99322eb8f3b5a0fa2112934ad486a2006

              • memory/2560-2-0x00007FFA208C0000-0x00007FFA21381000-memory.dmp

                Filesize

                10.8MB

              • memory/2560-1-0x0000000000880000-0x0000000000890000-memory.dmp

                Filesize

                64KB

              • memory/2560-0-0x00007FFA208C3000-0x00007FFA208C5000-memory.dmp

                Filesize

                8KB

              • memory/2560-55-0x00007FFA208C3000-0x00007FFA208C5000-memory.dmp

                Filesize

                8KB

              • memory/2560-107-0x00007FFA208C0000-0x00007FFA21381000-memory.dmp

                Filesize

                10.8MB

              • memory/2948-13-0x00007FFA208C0000-0x00007FFA21381000-memory.dmp

                Filesize

                10.8MB

              • memory/2948-8-0x000001B99C7C0000-0x000001B99C7E2000-memory.dmp

                Filesize

                136KB

              • memory/2948-15-0x00007FFA208C0000-0x00007FFA21381000-memory.dmp

                Filesize

                10.8MB

              • memory/2948-14-0x00007FFA208C0000-0x00007FFA21381000-memory.dmp

                Filesize

                10.8MB

              • memory/2948-17-0x00007FFA208C0000-0x00007FFA21381000-memory.dmp

                Filesize

                10.8MB