Analysis Overview
SHA256
6beed422d1b8dd262962ce2b277dfa8d6f852b4572ee818d77173eea1842be4b
Threat Level: Known bad
The file XCliente.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Xworm family
Detect Xworm Payload
Drops startup file
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-29 22:47
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 22:47
Reported
2024-10-29 22:49
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XCliente.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XCliente.lnk | C:\Users\Admin\AppData\Local\Temp\XCliente.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XCliente.lnk | C:\Users\Admin\AppData\Local\Temp\XCliente.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Public\XCliente.exe | N/A |
| N/A | N/A | C:\Users\Public\XCliente.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XCliente = "C:\\Users\\Public\\XCliente.exe" | C:\Users\Admin\AppData\Local\Temp\XCliente.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XCliente.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\XCliente.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\XCliente.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2332 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\XCliente.exe | C:\Windows\System32\schtasks.exe |
| PID 2332 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\XCliente.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XCliente.exe
"C:\Users\Admin\AppData\Local\Temp\XCliente.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XCliente" /tr "C:\Users\Public\XCliente.exe"
C:\Users\Public\XCliente.exe
C:\Users\Public\XCliente.exe
C:\Users\Public\XCliente.exe
C:\Users\Public\XCliente.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | schools-fits.gl.at.ply.gg | udp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 23.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
| US | 147.185.221.23:14654 | schools-fits.gl.at.ply.gg | tcp |
Files
C:\Users\Public\XCliente.exe
| Hash | Value |
|---|---|
| MD5 | 46af754270dd36d49444438d59d3dc03 |
| SHA1 | 3c7026e503ad99e027c441b386de18ab24417f54 |
| SHA256 | 6beed422d1b8dd262962ce2b277dfa8d6f852b4572ee818d77173eea1842be4b |
| SHA512 | 38d39b06c945cc3690acb463f4fceea44a8bc6d3d5862fdde34ac86e060b06e88969f431029ff83b38f25e3dd616ef64f6e9eca21dbe4d2efdae1577f096a904 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XCliente.lnk
| Hash | Value |
|---|---|
| MD5 | 6b0d884f20ad1362e502782423c8d87a |
| SHA1 | 0592204030ca102574a240611cd6ca2aa8d912ab |
| SHA256 | 14133a517672e7396abc44dec9d8706ade9f0134d6c190bb49c2a6646de2ea40 |
| SHA512 | 32d596854a99222d097b59fb6b69a0856b1be48f6d5f94b86f98c8f82b492ef395c7301a4329d5ed700fa6badbddab8ede3012ca1c46f082fcc94fd8cbdc3612 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XCliente.exe.log
| Hash | Value |
|---|---|
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |