Analysis
-
max time kernel
84s -
max time network
80s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
21-09-2024 19:36
General
-
Target
XRATClient.exe
-
Size
354KB
-
MD5
561def00a7bcf0e79729aaa63a0ca655
-
SHA1
a0490d9a12b0e125889b11ab6880a75b9f56cf1b
-
SHA256
6fa4e5b526be2acf1ea59d961cf62590c1e438745b0cd9180c45e86a4d637ae1
-
SHA512
d9f1909080e51acb48f3dd724343c4721ea891e54e46d8e5fe5f390112d8f4f96c9455c9347be24d4f6c94c03dd6c6d549be5ccafbc0d2db98a50ef2589ff525
-
SSDEEP
3072:TcKLbgaYXPPfUvubWxU5ImSO2qqk4dGR:Tc5a238mb
Malware Config
Extracted
xworm
germany-notice.gl.at.ply.gg:54909
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XRATClient.exe"C:\Users\Admin\AppData\Local\Temp\XRATClient.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52cbbb74b7da1f720b48ed31085cbd5b8
SHA179caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
Filesize
354KB
MD5561def00a7bcf0e79729aaa63a0ca655
SHA1a0490d9a12b0e125889b11ab6880a75b9f56cf1b
SHA2566fa4e5b526be2acf1ea59d961cf62590c1e438745b0cd9180c45e86a4d637ae1
SHA512d9f1909080e51acb48f3dd724343c4721ea891e54e46d8e5fe5f390112d8f4f96c9455c9347be24d4f6c94c03dd6c6d549be5ccafbc0d2db98a50ef2589ff525
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
376KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB