Analysis
-
max time kernel
123s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/09/2024, 20:09
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20240903-en
5 signatures
150 seconds
General
-
Target
XClient.exe
-
Size
34KB
-
MD5
17e7008acdf564a64c66b5e1551de7d1
-
SHA1
89b9db120317d212ade05c2c300fe461d324d1a0
-
SHA256
1a875a261fd81412ed0bc0dd53084dd6e9b7a5545802a1c37d85efeb3ec314bd
-
SHA512
f4eb1e7c9997e3e9714e455b097081e52e3af72e5017c5ee2ab34c0cefcf197183f75f7a31870319ac24f36696778885f01d94accd3b5b866dbc20a406c36735
-
SSDEEP
768:pXuuB5cBenG5Z96pbWx9FV9jJOjhj/4e:pXu25cBeGjspW/FV9jJOjZQe
Malware Config
Extracted
Family
xworm
Version
5.0
C2
lefferek-42016.portmap.host:42016
Mutex
CvqERIOnQqEv3r1K
Attributes
-
Install_directory
%AppData%
-
install_file
DiscordClient.exe
aes.plain
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/3552-1-0x00000000002F0000-0x00000000002FE000-memory.dmp family_xworm -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiscordClient.lnk XClient.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiscordClient.lnk XClient.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3552 XClient.exe