Malware Analysis Report

2024-11-15 09:49

Sample ID 241110-bznpmswgkp
Target XClient.exe
SHA256 89055b8db329f28180bdd72d02227f175a46b79b470c5131e932d235104ab6e1
Tags
xworm discovery execution persistence ransomware rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

89055b8db329f28180bdd72d02227f175a46b79b470c5131e932d235104ab6e1

Threat Level: Known bad

The file XClient.exe was found to be: Known bad.

Malicious Activity Summary

xworm discovery execution persistence ransomware rat trojan

Detect Xworm Payload

Xworm

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Drops startup file

Adds Run key to start application

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:35

Signatures

Detect Xworm Payload

One match. A static analysis has no process, indicator or target to report, so the detail columns are empty.

Xworm family

xworm

Unsigned PE

The sample carries no Authenticode signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:35

Reported

2024-11-10 01:37

Platform

win7-20240903-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

Signatures

Detect Xworm Payload

Four matches; no description, indicator, process or target was recorded for any of them.

Xworm

trojan rat xworm

Xworm family

xworm

Command and Scripting Interpreter: PowerShell

execution
Three launches of C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, one for each of the three Add-MpPreference command lines listed under Processes.

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Executes dropped EXE

C:\Users\Admin\AppData\Roaming\XClient.exe was executed twice. Both launches come from the Task Scheduler engine, C:\Windows\system32\taskeng.exe (see the WriteProcessMemory table and the Processes list), and the dropped file has the same SHA256 as the submitted sample (see Files).

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
The value points into the user's Roaming profile, so it needs no elevation and survives deletion of the original in Temp. Together with the Startup-folder .lnk above and the one-minute scheduled task below, this is one of three redundant autostart mechanisms; removing only one of them does not remove the persistence.

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification, by C:\Users\Admin\AppData\Local\Temp\XClient.exe, of desktop.ini in each of the following 14 folders: C:\Users\Admin\Contacts, Desktop, Documents, Downloads, Favorites, Favorites\Links, Favorites\Links for United States, Links, Music, Pictures, Saved Games, Searches, Videos, and F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000.
Opening every profile folder's desktop.ini for write, plus the recycle bin on the second volume, is consistent with a recursive walk of the user profile and mounted drives; read together with the .ENC files and the ransom note under Files, these hits belong to the file-encryption routine rather than to a separate desktop.ini dropper.

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
The only hit comes from Internet Explorer, which XClient.exe launched to display the ransom note. It is not evidence that the sample checks locale or language itself; this run shows no such check by XClient.exe.

Modifies Internet Explorer settings

adware spyware
All 38 rows in this table are registry writes under \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\ made by C:\Program Files\Internet Explorer\iexplore.exe (three of them by the 32-bit C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE content process), none by XClient.exe. They are Internet Explorer's own first-run housekeeping after the sample opened the ransom note in it, so the adware/spyware tags describe the generic signature, not the sample.

Keys created: Main, Main\WindowsSearch, IETld\LowMic, LowRegistry, LowRegistry\DOMStorage, LowRegistry\DontShowMeThisDialogAgain, TabbedBrowsing, TabbedBrowsing\NewTabPage, Zoom, Recovery\AdminActive, Recovery\PendingRecovery, DomainSuggestion, BrowserEmulation\LowMic, InternetRegistry, Toolbar, Toolbar\WebBrowser, IntelliForms, SearchScopes, GPU, PageSetup, MINIE (Main and Main\WindowsSearch were also created separately by the 32-bit IEXPLORE.EXE).

Values set:
Main\Window_Placement = (44-byte WINDOWPLACEMENT blob)
Main\FullScreen = "no"
Main\CompatibilityFlags = 0
Main\WindowsSearch\Version = "WS not running" (written by both the 64-bit and the 32-bit IE process)
Recovery\AdminActive\{2C893DA1-9F04-11EF-8252-C28ADB222BBA} = 0
Recovery\PendingRecovery\AdminActive = 1, then 0
TabbedBrowsing\NTPFirstRun = 1
TabbedBrowsing\NewTabPage\LastProcessed = d0f0fe001133db01 (8-byte binary timestamp)
TabbedBrowsing\NewTabPage\MFV and TabbedBrowsing\NewTabPage\DecayDateQueue = DPAPI-protected blobs (both begin with the DPAPI header 01000000d08c9ddf0115d1118c7a00c04fc297eb; the raw hex is omitted here)
MINIE\TabBandWidth = 500
SearchScopes\DownloadRetries = 2
DomainSuggestion\NextUpdateDate = 437364443

Scheduled Task/Job: Scheduled Task

persistence execution
One launch of C:\Windows\System32\schtasks.exe: the /create /f /RL HIGHEST /sc minute /mo 1 command listed under Processes, which registers a task named XClient that the Task Scheduler engine (taskeng.exe) later used to start C:\Users\Admin\AppData\Roaming\XClient.exe twice.

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
The XClient.exe hit is consistent with XWorm's clipboard monitoring (its clipper module watches the clipboard for wallet addresses). The vlc.exe hit is the media player's own behaviour; VLC was started to open a desktop file and has no parent link to the sample anywhere in this report.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 hits)
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A (61 hits)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Only vlc.exe triggers this signature; it is the player polling the foreground window, not behaviour of the sample.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
The 28 rows of this table collapse to the following parent -> child edges (three writes per edge unless noted):
PID 2296 C:\Users\Admin\AppData\Local\Temp\XClient.exe -> 2096, 2268, 2776 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 C:\Users\Admin\AppData\Local\Temp\XClient.exe -> 2808 C:\Windows\System32\schtasks.exe
PID 2296 C:\Users\Admin\AppData\Local\Temp\XClient.exe -> 2900 C:\Windows\system32\CMD.EXE
PID 2296 C:\Users\Admin\AppData\Local\Temp\XClient.exe -> 1868 C:\Program Files\Internet Explorer\iexplore.exe
PID 1868 C:\Program Files\Internet Explorer\iexplore.exe -> 2392 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (four writes)
PID 3028 C:\Windows\system32\taskeng.exe -> 1636, 2224 C:\Users\Admin\AppData\Roaming\XClient.exe
Every target here is a child the writer had just created, and a few writes into a freshly created child are what process creation itself performs while setting up the new process. None of these rows is code injection into a pre-existing, unrelated process. The value of the table is the process tree it reveals: the sample (2296) spawns three PowerShell instances, schtasks.exe, CMD.EXE and Internet Explorer, while the Task Scheduler engine (3028) starts the Roaming copy twice.
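The WriteProcessMemory rows above double as a process-creation log. The following Python script is an added example, not part of the report: it parses rows in that flattened layout, deduplicates the repeated per-child writes into a count per edge and prints the resulting process tree. The rows are embedded as a constructed copy of the table so the script runs offline. The write count is kept on purpose: three or four writes into a child that the writer just created is the footprint of ordinary process creation, whereas writes into an already-running, unrelated PID would be the injection case worth escalating.

```python
import re
from collections import defaultdict

# Constructed input: the 28 rows of the WriteProcessMemory table above, in the
# report's flattened "PID <a> wrote to memory of <b> N/A <parent> <child>" layout.
WPM_ROWS = r"""
PID 2296 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 2296 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 2296 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 2296 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\system32\CMD.EXE
PID 2296 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\system32\CMD.EXE
PID 2296 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\system32\CMD.EXE
PID 3028 wrote to memory of 1636 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3028 wrote to memory of 1636 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3028 wrote to memory of 1636 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2296 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2296 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2296 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1868 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1868 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1868 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1868 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3028 wrote to memory of 2224 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3028 wrote to memory of 2224 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3028 wrote to memory of 2224 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
"""

# Both image paths contain spaces, so split on the second "<drive>:\" rather than on whitespace.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Z]:\\.*?) ([A-Z]:\\.*)$")


def parse_rows(text):
    """Return one (parent_pid, child_pid, parent_image, child_image) tuple per row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ppid, cpid, pimg, cimg = m.groups()
        events.append((int(ppid), int(cpid), pimg, cimg))
    return events


def build_tree(events):
    """Return (image_by_pid, children_by_pid, writes_per_parent_child_edge)."""
    image, children, writes = {}, defaultdict(set), defaultdict(int)
    for ppid, cpid, pimg, cimg in events:
        image[ppid], image[cpid] = pimg, cimg
        children[ppid].add(cpid)
        writes[(ppid, cpid)] += 1  # a repeated row is a repeated write, not a new process
    return image, dict(children), dict(writes)


def roots(children):
    """PIDs that wrote into others but were never written into: the tree's top-level processes."""
    written_into = {c for kids in children.values() for c in kids}
    return set(children) - written_into


def render(image, children, writes, pid, depth=0, parent=None, out=None):
    """Indented one-line-per-process view, annotated with the write count on the parent edge."""
    out = [] if out is None else out
    note = f"  ({writes[(parent, pid)]} writes from {parent})" if parent is not None else ""
    out.append("  " * depth + f"{pid} {image[pid]}{note}")
    for cpid in sorted(children.get(pid, ()), key=lambda c: (image[c], c)):
        render(image, children, writes, cpid, depth + 1, pid, out)
    return out


def process_tree(text):
    image, children, writes = build_tree(parse_rows(text))
    lines = []
    for root in sorted(roots(children)):
        render(image, children, writes, root, 0, None, lines)
    return "\n".join(lines)


if __name__ == "__main__":
    print(process_tree(WPM_ROWS))
```

Run as-is it prints two roots, 2296 (the submitted sample) and 3028 (taskeng.exe), with every child beneath its creator; the same parser works on any other report that flattens this table the same way.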

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 2296)

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

The submitted sample. It is the parent of the three PowerShell instances, schtasks.exe, CMD.EXE and iexplore.exe below (see the WriteProcessMemory table).

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PIDs 2096, 2268, 2776)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

Three Microsoft Defender exclusions: the original path, the process name, and the path of the copy in Roaming (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools). Windows PowerShell treats the trailing arguments as the command text, so no -Command switch is needed. Add-MpPreference only succeeds from an elevated process; the sandbox runs the sample as Admin, and on a host where the user is not an administrator these three calls fail, though nothing in this run suggests the sample checks the result. The exclusions, where they do succeed, are themselves an indicator: Get-MpPreference lists them under ExclusionPath and ExclusionProcess.

C:\Windows\System32\schtasks.exe (PID 2808)

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

Registers (overwriting any existing task of the same name, /f) a task named XClient that runs the Roaming copy every minute with the highest run level available to the creating user. It is the third persistence mechanism alongside the Run value and the Startup-folder .lnk, and it doubles as a watchdog: a killed XClient.exe is back within a minute until the task itself is deleted.

C:\Windows\system32\CMD.EXE (PID 2900)

"CMD.EXE"

Started by XClient.exe; no arguments were recorded.

C:\Windows\system32\taskeng.exe (PID 3028)

taskeng.exe {A6C1A026-A1FC-4140-BB36-DA20189E8B72} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]

The Windows 7 Task Scheduler engine for the Admin session, not a dropped binary. It is the parent of both launches of the Roaming copy.

C:\Users\Admin\AppData\Roaming\XClient.exe (PIDs 1636 and 2224)

C:\Users\Admin\AppData\Roaming\XClient.exe

Two runs of the dropped copy, started by taskeng.exe on the one-minute schedule. Same SHA256 as the submitted file (see Files).

C:\Program Files\Internet Explorer\iexplore.exe (PID 1868)

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html

Launched by XClient.exe to display the ransom note it dropped on the desktop. This launch accounts for the Internet Explorer registry writes under Signatures, the ieonline.microsoft.com traffic under Network and the IE cache files under Files.

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2392)

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:275457 /prefetch:2

The 32-bit content process spawned by frame process 1868 (SCODEF carries the frame process PID).

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SelectSend.mpeg2"

VLC opening a media file from the desktop. No parent relationship to XClient.exe appears anywhere in this report, and the file name follows the pattern of the sandbox's pre-planted user documents (CloseDismount.xlsx under Files is another), so the vlc.exe hits under Signatures are user-simulation noise rather than sample behaviour.
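The Defender exclusions, the minute-interval scheduled task and the Run value above (see the "Adds Run key to start application" signature) are the command lines and registry writes a detection engineer would key on. The following Python script is an added example, not part of the report: it runs a few rules over constructed process-creation and registry events built from the command lines and the Run value listed in this report, plus two benign controls, and flags Add-MpPreference exclusions, a schtasks /create with a minute schedule whose target lives in a user-writable path, and Run values that point into AppData. The rule names, the list of user-writable locations and the event layout are my assumptions, not anything the sandbox emits.

```python
import re

# Paths and SID copied from the report; everything else in this file is constructed.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
ROAM = r"C:\Users\Admin\AppData\Roaming\XClient.exe"
HKU = "\\REGISTRY\\USER\\S-1-5-21-312935884-697965778-3955649944-1000"

# Constructed events of the shape (kind, image_or_key, cmdline_or_data), mirroring the
# Processes list and the "Adds Run key" signature above. BENIGN holds two controls.
EVENTS = [
    ("process", PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{TMP}'"),
    ("process", PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'"),
    ("process", PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{ROAM}'"),
    ("process", SCHTASKS, f"\"{SCHTASKS}\" /create /f /RL HIGHEST /sc minute /mo 1 /tn \"XClient\" /tr \"{ROAM}\""),
    ("registry", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\XClient", ROAM),
]
BENIGN = [
    ("process", PS, f"\"{PS}\" -NoProfile Get-MpPreference"),
    ("process", SCHTASKS, f"\"{SCHTASKS}\" /create /sc daily /st 03:00 /tn \"Backup\" /tr \"C:\\Program Files\\Backup\\run.exe\""),
    ("registry", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]

# Assumed definition of "user-writable": locations a non-admin user controls.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
EXCLUSION = re.compile(r"-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", re.I)
RUN_VALUE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)


def task_opt(cmdline, name):
    """Value of a schtasks option, quoted or bare; None if the option is absent."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def check_process(image, cmdline):
    exe = image.rsplit("\\", 1)[-1].lower()
    found = []
    if exe == "powershell.exe":
        if "add-mppreference" in cmdline.lower():
            for kind, value in EXCLUSION.findall(cmdline):
                found.append({"rule": "defender_exclusion", "kind": kind, "value": value.strip()})
        if re.search(r"-ExecutionPolicy\s+Bypass", cmdline, re.I):
            found.append({"rule": "powershell_policy_bypass"})
    elif exe == "schtasks.exe" and re.search(r"/create\b", cmdline, re.I):
        target = task_opt(cmdline, "tr") or ""
        if (task_opt(cmdline, "sc") or "").lower() == "minute" and USER_WRITABLE.search(target):
            found.append({
                "rule": "scheduled_task_user_path",
                "name": task_opt(cmdline, "tn"),
                "interval_minutes": int(task_opt(cmdline, "mo") or 1),
                "highest": (task_opt(cmdline, "rl") or "").upper() == "HIGHEST",
                "target": target,
            })
    return found


def check_registry(key, data):
    """Flag Run/RunOnce values whose target lives in a user-writable location."""
    m = RUN_VALUE.search(key)
    if m and USER_WRITABLE.search(data):
        return [{"rule": "run_key_user_path", "name": m.group(2), "target": data}]
    return []


def scan(events):
    """Apply every rule to every event; findings come back in event order."""
    findings = []
    for kind, a, b in events:
        findings += check_process(a, b) if kind == "process" else check_registry(a, b)
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
    print("benign findings:", scan(BENIGN))
```

The same rules apply unchanged to Sysmon event ID 1 (process creation) and event ID 13 (registry value set) records once the image, command line, key and data fields are pulled out; the benign controls show that a daily task under Program Files and a vendor Run value do not trip them.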

Network

Country Destination Domain Proto Count
US 147.185.221.23:53631 (none) tcp 4
US 8.8.8.8:53 www.google.com udp 20
GB 142.250.180.4:80 www.google.com tcp 80
US 204.79.197.200:443 ieonline.microsoft.com tcp 3

The original table lists all 107 connections individually; they are collapsed here in first-seen order. The four 147.185.221.23:53631 connections bracket the run: two before any DNS traffic, one after the www.google.com burst and one at the very end.

147.185.221.23:53631 is the only destination with no associated domain and the only one on a non-standard port, which matches how an XWorm client reaches the host:port pair hard-coded in its configuration; treat that IP:port pair as the primary network indicator for this sample. The table does not attribute connections to processes, so the www.google.com lookups and port-80 connections cannot be assigned to XClient.exe or to Internet Explorer from this report alone. The ieonline.microsoft.com HTTPS traffic is Internet Explorer's own, produced when the sample opened the ransom note in it.
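The table above can be summarised mechanically. The following Python script is an added example rather than part of the report: it parses rows in the report's "Country Destination Domain Proto" layout, collapses repeats into counts in first-seen order, and flags destinations reached by bare IP on a port outside 53/80/443 as C2 candidates. The input is a constructed reproduction of the 107 rows above, built by repetition; the candidate heuristic and the well-known-port set are my assumptions.

```python
import re
from collections import OrderedDict

# Constructed reproduction of the 107 rows of the Network table above, in the report's
# "Country Destination Domain Proto" layout; the repetition mirrors the report's own repeats.
NETWORK_TEXT = (
    "US 147.185.221.23:53631 tcp\n" * 2
    + "US 8.8.8.8:53 www.google.com udp\n" * 20
    + "GB 142.250.180.4:80 www.google.com tcp\n" * 80
    + "US 147.185.221.23:53631 tcp\n"
    + "US 204.79.197.200:443 ieonline.microsoft.com tcp\n" * 3
    + "US 147.185.221.23:53631 tcp\n"
)

# The domain column is optional: rows with no resolved name have only four fields.
ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
WELL_KNOWN_PORTS = {53, 80, 443}  # assumed: DNS and web ports are not C2 candidates on their own


def parse(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        cc, ip, port, domain, proto = m.groups()
        rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain or "", "proto": proto})
    return rows


def collapse(rows):
    """One entry per (ip, port, domain, proto) with a count, kept in first-seen order."""
    seen = OrderedDict()
    for i, r in enumerate(rows):
        key = (r["ip"], r["port"], r["domain"], r["proto"])
        if key not in seen:
            seen[key] = dict(r, count=0, first_seen=i)
        seen[key]["count"] += 1
    return list(seen.values())


def c2_candidates(entries):
    """Destinations reached by bare IP (no domain observed) on a non-standard port."""
    return [e for e in entries if not e["domain"] and e["port"] not in WELL_KNOWN_PORTS]


def summarize(text):
    entries = collapse(parse(text))
    return {
        "total": sum(e["count"] for e in entries),
        "entries": entries,
        "candidates": [f"{e['ip']}:{e['port']}" for e in c2_candidates(entries)],
    }


if __name__ == "__main__":
    s = summarize(NETWORK_TEXT)
    for e in s["entries"]:
        print(f"{e['cc']} {e['ip']}:{e['port']} {e['domain'] or '-'} {e['proto']} x{e['count']} (first row {e['first_seen']})")
    print("C2 candidates:", ", ".join(s["candidates"]))
```

The heuristic is deliberately narrow: it will miss a C2 that hides behind a resolved name on 443, and it will flag any legitimate raw-IP service on an unusual port, so its output is a shortlist to confirm against process attribution and the sample's configuration, not a verdict.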

Files

memory/2296-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

memory/2296-1-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/2096-6-0x0000000002BE0000-0x0000000002C60000-memory.dmp

memory/2096-7-0x000000001B610000-0x000000001B8F2000-memory.dmp

memory/2096-8-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NL4C88364MKR0H77PT0D.temp

MD5 170bc2e6589189412a0927e889f4c3d2
SHA1 3c46a805958849b393a50ddf9f1c0881aef74b10
SHA256 844688079b2154d6843daf98f24bf9187fcd5ab7ade87fa60e32e9138a985c4b
SHA512 ebc21c54670938bb7b699874e671d85164a45b9950cc466994ec36bd02d924357ef28f111e0110d79c73a5a3fc580d25ef55a563aedc22679caec505f088a4e4

memory/2268-15-0x0000000002B60000-0x0000000002B68000-memory.dmp

memory/2268-14-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
These are the digests of empty input: the Server Service named pipe was opened, but no content passing through it was captured.

memory/2296-30-0x000000001B220000-0x000000001B2A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 7e71f66eb4bd975fa6894f7be63d9de7
SHA1 a0b6a69adffde7a5209498ce1656f0d406da9204
SHA256 89055b8db329f28180bdd72d02227f175a46b79b470c5131e932d235104ab6e1
SHA512 5a776de6708ffa802700febe9a6a1cd95cd907f8d435c7ea28644c3c31565e373223b8db05ca142cb5bdc0d13745fba03099edbfc2fe7f9095232a997cdf6bf1
Same SHA256 as the submitted sample (see the header): the persistence copy in Roaming is a byte-for-byte self-copy, not a second-stage payload, so one file hash covers both locations.

memory/2296-31-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

memory/2296-32-0x000000001B220000-0x000000001B2A0000-memory.dmp

memory/2296-33-0x0000000000690000-0x000000000069A000-memory.dmp

memory/1636-37-0x0000000000D50000-0x0000000000D62000-memory.dmp

memory/2296-38-0x00000000006A0000-0x00000000006AC000-memory.dmp

C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 ae6108264b800ee2f6ef597cebb09451
SHA1 9bbc1173c50dd788385dab7d8c1c257b474d87eb
SHA256 698aed449c7ec7359cd4d4b832861febdd146510c7d8ba617285582b1de70ff9
SHA512 17135a075c5d39783d9486e1a4b9cae4b1b6d15b6ea342a0e6b2f30a939aec28c2881ea0ba5b8613deb3e1052d767cfe264275ab4c50f4b3214a6a35a1cc2c1d

C:\Users\Admin\Documents\CloseDismount.xlsx.ENC

MD5 b49efffaeeeca56d073e169780cde3ad
SHA1 2044e9f26c56da4bf3cf19714eb2de480cc7d280
SHA256 03c94baee15393955f538b0a2e53efa12c0dd61c6fcc2470864367430af2219c
SHA512 28492f1af8512413d61da0a2ee251182c3582f30e22e7383b4ef6f5f3c802edb7ce9776035861d145de988084811b4a1b7ea2f1a48f29c6cf548500a66750ceb

Encrypted outputs: the ransomware routine appends .ENC to each file it processes and does not discriminate between a user document in Documents and the registry transaction log (.regtrans-ms) that sits in the profile root. Two encrypted files appear in this listing; this copy of the report is cut off partway through the Files table.

C:\Users\Admin\Desktop\How To Decrypt My Files.html

MD5 553cf6c7e10d1c701098d7e1d0a01839
SHA1 3cbdf41c6d02de51754a2696a382485be5175771
SHA256 bfbb59fa451071b37088b6286c3e5941f2536c4d9a1b77c1c6e987da9545b6ae
SHA512 591ace58027c743e663598f29857e3fa52e47e5a015dfb5e46570fcc563b623306b6e9de5df0aed2f5242c7ae88178aced6c909ec3b8c075b5d7239922d3183c
The ransom note, dropped on the desktop and then opened in Internet Explorer by XClient.exe (see Processes). Its hash is a usable indicator only while the note template stays constant across builds.

C:\Users\Admin\AppData\Local\Temp\CabCCE3.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCDA1.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0fb452a993c5da203c3c62709cb1503
SHA1 b6af59246ff6b61359bb31fcd8cc53d8290ab563
SHA256 d965fcca96c09371417c4d5dc21498a852d0f178986015538500bcaa983f8775
SHA512 61cf990278a46455c073074a6d077801af23ed142f34784d84c44ab21e3a7616ea8a3b9d160d5bd3b10ec4cae058eeca94b71edda8c45ecbd5a80b63e8b1689c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ac07d63d192ef15b01ebc7fbefc4562
SHA1 dd8c2aba03c090b7a0c2326cd93eb8f9a88c7a4c
SHA256 9138a8f5377763c65704ac4e776d96df5b6979bf14fc6b7600fd2baa8fc838ba
SHA512 8a58a6c696095d7224c25fb529cd6d76f754d46501eb15787a83ebb92dd6b676f76a86a5a9011d118a6a12c4f9b194e8502e60152c2e508608e140ee381996dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 58167c7e05403488ed7443ad8719f4c0
SHA1 3cd98d39b079694a283aad90111d72ff733b4160
SHA256 5c6bdaca6cc9d49b8e012249e4f0910be780434d3880b9081e85b63e311b524f
SHA512 b7a1f72d8d48ae8c59c8f73e25d3d57879b16c811648b8c325991f2ee2f69326150d930e352323ed405a566eaf284100c2218be869f6032c28a851f750b7d3d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c86ae77893d84ea141a867a412c1d69f
SHA1 5cebc90c4021c0b688c13eaa197772a407b1c1ea
SHA256 410dfbf03a4fbcf6eb493f55624b6c1c95c32ec807bc828c132c5b2b30d60ab4
SHA512 082c236d03f726f662fca0cd874ae112edf4c01777ad887472a5f06adc72ff65bbc9a6eb2aca43ec11c0656d0732630ce37950c86ac99b7a750d5f3a92cbdfab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17e358e39c45f3515e18a80c4aa7bb3c
SHA1 b8c5981d762abb8be7e8e7c7b474963e7162d8a6
SHA256 9b682ccc07fc7d3073b258ea5d6b9dce095621fec7746ef855e916d228ffb9a9
SHA512 508468cfdcbd6301c0c226f9c97e580949d83792fc642900f2ed7b38e5b5e0fb124b7d7a76c46bdde8da754b4cfc7fd8a4202b3378562d23a960921aec675a1f

C:\Users\Admin\Documents\CloseDismount.xlsx

MD5 aee47713681f597ed729cd9214349717
SHA1 061df0315fa905da37e30f374c7902a36e2e77b5
SHA256 170c0f8aa62f1a5f7995a3127b0a4e4a6e3c1b2d94506189406764d47d8afdc4
SHA512 b5f880ff1c7639e025fbe7713e1ecd4bdc392e5827875f49b449117a2b6c4bd08d75c9a5fe2bfff3795324177aba4c1415bf98dc494c8bbd11454e5d156f61ad

C:\Users\Admin\Desktop\SelectSend.mpeg2

MD5 3a0c5e3b977117f413521dc033efc801
SHA1 866c140254c3d9fdd300fbeafb7d0a68924eac2b
SHA256 4374c612fd837267b535e31f84d306f3b308428af232894272781e7e55447e62
SHA512 5d457b2ab727fd696ba589b91caa82d4e89215dc71905d535a08c1a59d9038bdee83436fbad83bdb00118a57e48646a41ea4896579603d44aa6ad99aa38f8639

C:\Users\Admin\Desktop\desktop.ini

MD5 9e36cc3537ee9ee1e3b10fa4e761045b
SHA1 7726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA256 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA512 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

memory/1720-1189-0x000007FEF1970000-0x000007FEF19A4000-memory.dmp

memory/1720-1188-0x000000013FCA0000-0x000000013FD98000-memory.dmp

memory/1720-1190-0x000007FEED740000-0x000007FEED9F6000-memory.dmp

memory/1720-1191-0x000007FEEC560000-0x000007FEED610000-memory.dmp

memory/2224-1193-0x0000000000E30000-0x0000000000E42000-memory.dmp

memory/2296-1194-0x0000000001F60000-0x0000000001F6A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ab33148c5b3344c6c9fa1b58b4ae21d
SHA1 887b7b85aa6de2cf25ca4efee618f40f8db36624
SHA256 a1865e9004c0c6d398d62e85bd00d60d42d257d6ab44b43a68072587b29a7d63
SHA512 6552bbef305b5f8f4dc79cb49178c90cba1ceb52500c505e2c59148b3ac47ef4d837c53bebe472e2f20147ddbc7448ec98f0a18e311bc6725ca7a102ad9fef03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f28a0078ac374044a298e0a39dffdbd3
SHA1 b794caeb76c8c9754f1618a5cec2c6afad7f08ef
SHA256 a8effaf359e9b01579a98bc614852b6b62cb6b02fb9f2a733aeb66b147cd0afd
SHA512 e02c7a92f8e18d511e9ca7e6191b921f78ef48b8d4f916d99cbcebaac644d1e84ebf29349fc42eccc7f846763786d46c8b97097409877f2adb23b1e275de7e04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 948ea080811640bf498401e41da09455
SHA1 5d6376efa30b46a5c24bc5b6a1d93a580ac6c335
SHA256 6e7921f2fe32aff678e4acdc7ac27ce54618cba01393401540341594f14e1cec
SHA512 c9d556175353dcbaf139dd728edfc461e913e934895bbd902ff100b3aedde1921cbe6aa0da5e82724707477f90d640d55b84e205f8597e3750b68448a121a149

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a8ae443c282f1f824a9794d106717ca
SHA1 0a11913a0b274d35c3ffaf84da63f4c2a7584827
SHA256 31876880a0754a519725ff727f2cbc369fd29a1373dfbe50a6ab73ded19874db
SHA512 189d44824a55f16856fba3507ba16e267d6f01e372bc67763e38348fed0cbbf56588cbbe2f3ea36c6dd889f3677a3baf502752be7532f55244cfb71e41f62cd1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59467f818c36ebde3be9925a873b98ea
SHA1 0fe0f3dfc377e79ed802b38606d85e22275c711c
SHA256 1e4869e73b8160f753b06940b451c9ea78eeebe7006bc7d04551b4a591c9fcfd
SHA512 c7c5310d1707360400092922b2b1850ae77ea543ef3822c94a9c414068fe922d1f22120d3a87a57426262fed3a6cb96f5178165533afee7008fa3daf1febcc42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffdec78f41dc3acfcf629578d059f073
SHA1 247c31c4c4c1098d9a0fc9b39673215781642ba7
SHA256 c3537c33543aea5a28b248baa4b961483b149b112f0e89d4ae67c1ef08ac621b
SHA512 9a87febd733657415dbc001d23e1ee2c4e8f49eee4ac5812dc354ec18928936ac75ee6ad5602ee7629c0e3e8d453312a8b839f051d4f25e640fe89598c684347

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bdb0535441c3820770f3146c77e51a21
SHA1 851fc6e9dc527769a574b93f740ae5e34aa48c60
SHA256 9533bbd689e659d6b8c739339076c119cbd06f6012a755e2e50fde8567eba35c
SHA512 ae161e59196b680781d4d3900410aede6e755b9b3cba3a603614a707aea39cbece649363f935c7b7f022dd2b0c3a9a3c1d31f24e7e4cb9ab8ba59d6db1d4ce93

memory/2296-1627-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:35

Reported

2024-11-10 01:37

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Xworm family

xworm

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 147.185.221.23:53631 | | tcp
US | 8.8.8.8:53 | 23.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp

Files

memory/2480-0-0x00007FF8244B3000-0x00007FF8244B5000-memory.dmp

memory/2480-1-0x0000000000E30000-0x0000000000E42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2lnrumz5.koq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1540-11-0x0000028BDA260000-0x0000028BDA282000-memory.dmp

memory/1540-12-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

memory/1540-13-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

memory/1540-14-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

memory/1540-17-0x0000028BDA410000-0x0000028BDA62C000-memory.dmp

memory/1540-18-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10890cda4b6eab618e926c4118ab0647
SHA1 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA256 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512 a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

memory/2480-46-0x00007FF8244B3000-0x00007FF8244B5000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 7e71f66eb4bd975fa6894f7be63d9de7
SHA1 a0b6a69adffde7a5209498ce1656f0d406da9204
SHA256 89055b8db329f28180bdd72d02227f175a46b79b470c5131e932d235104ab6e1
SHA512 5a776de6708ffa802700febe9a6a1cd95cd907f8d435c7ea28644c3c31565e373223b8db05ca142cb5bdc0d13745fba03099edbfc2fe7f9095232a997cdf6bf1

memory/2480-51-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

memory/2480-52-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1