Analysis
-
max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
29/10/2024, 22:46
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win10v2004-20241007-en
General
-
Target
XClient.exe
-
Size
33KB
-
MD5
46af754270dd36d49444438d59d3dc03
-
SHA1
3c7026e503ad99e027c441b386de18ab24417f54
-
SHA256
6beed422d1b8dd262962ce2b277dfa8d6f852b4572ee818d77173eea1842be4b
-
SHA512
38d39b06c945cc3690acb463f4fceea44a8bc6d3d5862fdde34ac86e060b06e88969f431029ff83b38f25e3dd616ef64f6e9eca21dbe4d2efdae1577f096a904
-
SSDEEP
768:zB3hXuukvIi2lahqLeqdXFh9ZaO/hy/E33:93Euo32lahlqtFh9ZaO/kcH
Malware Config
Extracted
xworm
3.1
Gz1k9z3viwF3Mfl2
-
Install_directory
%Public%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/J09JweeH
Signatures
-
Detect Xworm Payload 2 IoCs
resource | yara_rule
behavioral1/memory/1744-1-0x0000000000B60000-0x0000000000B6E000-memory.dmp | family_xworm
behavioral1/files/0x000f000000023b61-8.dat | family_xworm
Xworm family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | XClient.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
Executes dropped EXE 3 IoCs
pid | Process
4372 | XClient.exe
4336 | XClient.exe
3252 | XClient.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Public\\XClient.exe" | XClient.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
22 | pastebin.com
23 | pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2376 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
1604 | taskmgr.exe (10 identical entries)
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1744 | XClient.exe
Token: SeDebugPrivilege | 1604 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1604 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1604 | taskmgr.exe
Token: 33 | 1604 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 1604 | taskmgr.exe
Token: SeDebugPrivilege | 4372 | XClient.exe
Token: SeDebugPrivilege | 4336 | XClient.exe
Token: SeDebugPrivilege | 3252 | XClient.exe
Suspicious use of FindShellTrayWindow 35 IoCs
pid | Process
1604 | taskmgr.exe (35 identical entries)
Suspicious use of SendNotifyMessage 35 IoCs
pid | Process
1604 | taskmgr.exe (35 identical entries)
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 1744 wrote to memory of 2376 | 1744 | XClient.exe | 90
PID 1744 wrote to memory of 2376 | 1744 | XClient.exe | 90
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
    C:\Windows\System32\schtasks.exe (child of PID 1744)
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Public\XClient.exe"
    - Scheduled Task/Job: Scheduled Task
    PID:2376
-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1604
-
C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4372
-
C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4336
-
C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3252
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Downloads
-
Filesize
654B
MD5
2ff39f6c7249774be85fd60a8f9a245e
SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
984B
MD5
973ea14666035a4b3e8526ebf4e643c6
SHA1
213003b1f5c903e68acfe2d5b1af4ca5e1b5a749
SHA256
7af6b94288551e3672926460382d488105ec71aa70a0f3db1a926cb2ccf0825b
SHA512
23598de7fd0887a754d347cef5d726e4262042926df7395d8d858e4d9927e90a7b44f7e1d331e649c9d705c31c261472f9e418338701a4aba8335402236473dc
-
Filesize
33KB
MD5
46af754270dd36d49444438d59d3dc03
SHA1
3c7026e503ad99e027c441b386de18ab24417f54
SHA256
6beed422d1b8dd262962ce2b277dfa8d6f852b4572ee818d77173eea1842be4b
SHA512
38d39b06c945cc3690acb463f4fceea44a8bc6d3d5862fdde34ac86e060b06e88969f431029ff83b38f25e3dd616ef64f6e9eca21dbe4d2efdae1577f096a904