Analysis
-
max time kernel
98s -
max time network
131s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
30/10/2024, 02:35
Behavioral task
behavioral1
Sample
xclient.exe
Resource
win10ltsc2021-20241023-en
5 signatures
150 seconds
General
-
Target
xclient.exe
-
Size
45KB
-
MD5
fdb57ca14b8ea706f3baafef05e395a5
-
SHA1
378d535385cb3304e80101ac34069286446c052c
-
SHA256
daa76c143c646e4660165ba3ebf2569293ace2139ca70ebb1eb3c818a9f75ea5
-
SHA512
245cee2bc6a651f3d61abe014f54cdc37026fefac9e955b4dd9f9d3d3029b15a3e3cb3bd5364a71e1afd870de0895ea1bfb1458ed8ed7b0dc99dff0dcfc6a7b6
-
SSDEEP
768:AurlDweV3OOVbADM9W1v9NfgkBpuAuREcNcFhlVvD4xeVhKfkgLbFEPa9pvR6iOX:AADweQKADMkV9GkSAcRaPlZrOD/FJ9N+
Malware Config
Extracted
Family
xworm
Version
5.0
C2
customer-principle.gl.at.ply.gg:22759
Mutex
NU1tAxCgXukpxctX
Attributes
-
Install_directory
%Public%
-
install_file
XClient.exe
aes.plain
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/4824-1-0x0000000000F30000-0x0000000000F42000-memory.dmp family_xworm -
Xworm family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 ip-api.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4824 xclient.exe