Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
08-11-2024 17:10
General
-
Target
7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12N.exe
-
Size
66KB
-
MD5
2b494d570e8555cd6dbca8dadae59840
-
SHA1
c59544f6f3a027887f0e4b0cccce87515ba3950f
-
SHA256
7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12
-
SHA512
fe8ca241a512b55758e47e8962bfa1d3d1017559e199d21cbf07afc830d3460a9b6d0f868bfa7ea59979d254c6a29e4d18cf9ae25a6e5b7726a7eb514eb6ea5a
-
SSDEEP
1536:iKQYa5VddJ8rYtvAq9dAfkb15LU3v2D4oD0l8laOEeVHN:iKQYa5DdyEAq9d6kb15LU3A4ovaOEe5N
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/H3wFXmEi
Signatures
-
Detect Xworm Payload 3 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12N.exe"C:\Users\Admin\AppData\Local\Temp\7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12N.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {415F7559-37C0-4B19-8EAB-573A2101A249} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD52b494d570e8555cd6dbca8dadae59840
SHA1c59544f6f3a027887f0e4b0cccce87515ba3950f
SHA2567212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12
SHA512fe8ca241a512b55758e47e8962bfa1d3d1017559e199d21cbf07afc830d3460a9b6d0f868bfa7ea59979d254c6a29e4d18cf9ae25a6e5b7726a7eb514eb6ea5a
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
88KB