Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    29-08-2024 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    40KB

  • MD5

    36a1ae0555b5c56da0d72fc78864f11e

  • SHA1

    516159937190a889e2cfa1f4b3a2d4a0a772f82f

  • SHA256

    2862431a58c6d05311734d24fdd812e19bf01c0cdc50fb549347e461713a3449

  • SHA512

    3313c7303e745de06a0cc0b1093f251f82bffd88fea7d37403449924a0d7c8a844d9d73ace749022b60cf3932c3da121c3a6836f62347942d622d5a3af3f6cea

  • SSDEEP

    768:INfPMSk3K/EzTb/0X8WuFZ4ZJF5PC9O9568OMhu3/O2:of05a/CTjS89wFc9U568OMsF

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

156.225.129.219:1445

Mutex

LkRlKJxmQjSvDYPt

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\csrss'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:344

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    2ac30b903c896eeb7da3d0ab304c4b6c

    SHA1

    66c803dc76d89bc961528d1358b1a9f2e62413a7

    SHA256

    db5a26ef4eb4b7120c67224dbfc230dbd6623309e1ca27f06771c06b293549ce

    SHA512

    8d3a4630289dbb8a220fcaa504e6b220993a5aee2a3ff7f87533cfc7cc99e78b2bd7bfb41bf0c87fb0960cab112a99be8c7da94eca666b4f5b46222cff52460a

    Download Submit

  • memory/1924-0-0x000007FEF5943000-0x000007FEF5944000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1924-1-0x00000000003B0000-0x00000000003C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1924-2-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1924-28-0x000007FEF5943000-0x000007FEF5944000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1924-33-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2588-15-0x000000001B740000-0x000000001BA22000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2588-16-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2736-7-0x0000000002CD0000-0x0000000002D50000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2736-8-0x000000001B760000-0x000000001BA42000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2736-9-0x0000000001F00000-0x0000000001F08000-memory.dmp

    Filesize

    32KB

    Download