Analysis
-
max time kernel
192s -
max time network
193s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-11-2024 17:34
General
-
Target
XCl1ient.exe
-
Size
32KB
-
MD5
f30c403483be14f6fd70474ae2754187
-
SHA1
249d5a63bbeff68f41b7a861491e87533e7c9230
-
SHA256
54541a6f3a056381ad7ef5660c7caee7a381dfd6c46a901341f41efcd85db3ab
-
SHA512
ebbe62886441c2d64de8e74f8e88e0a504d70c07a5467fe1be0dd3a96428be52c0d493ba749dd34bae2e361e852a09a8fbfb52c3399e8e714467051d5daa09aa
-
SSDEEP
384:icmKc71F3BUaMbGf/JLbFUr3Tm2eaFO6lzRApkFTBLTsOZwpGd2v99Ikuis+VFxc:za1LxMC1Js3Tw4flzVFE9jdOjhgbC
Malware Config
Extracted
xworm
5.0
mon-faculty.gl.at.ply.gg:37296
127.0.0.1:37296
4SXJgYYYcCz7QcRn
-
install_file
USB.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 1 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Stormkitty family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 10 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\XCl1ient.exe"C:\Users\Admin\AppData\Local\Temp\XCl1ient.exe"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\CMD.EXE"CMD.EXE"2⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault77efa6echf659h4b58h8528h05eae8c0fe771⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff408846f8,0x7fff40884708,0x7fff408847182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,4391326032149880440,13342133018577269427,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,4391326032149880440,13342133018577269427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,4391326032149880440,13342133018577269427,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ExitExport.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\InstallLimit.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0xe0,0xe4,0xd8,0x108,0x7fff408846f8,0x7fff40884708,0x7fff408847182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,8829919531406139133,812504240215648215,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,8829919531406139133,812504240215648215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,8829919531406139133,812504240215648215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8829919531406139133,812504240215648215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8829919531406139133,812504240215648215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,8829919531406139133,812504240215648215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,8829919531406139133,812504240215648215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8829919531406139133,812504240215648215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8829919531406139133,812504240215648215,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD511653bc135563ea466daff1882772382
SHA151317ff25023c9f49c7b9196f19dceba366e3595
SHA256a014d201f4df2deb0a710bf9aa5ebcfe1bef9b900b185fbe12af15c8c044a757
SHA512af2b67dd9dd714e505239c29187ce8cd59c9575937ab6526618196cac5773b01000eebf6a12b3b62afb4264ccdaaceb01595eb433ba0c94b0148addc6a5d764c
-
Filesize
412B
MD564f9bce8b80091280b7fbdaf7972934a
SHA10b3c8fcf2026352450df769d61b184819845aefb
SHA2566b7f8438e2f5eba1e3d5edcd0c87c09acfc7a33f464751c1623a169d7788665d
SHA512f3307db3b168c6e4f8682164177fd9685ddc447553ad155a54dde9a84bee791b6e70172687257bb6a283cdbe4f2cec0235f242fd72a186475b02db0131ddfaf0
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
152B
MD55d7cbd0b8a90d4b690aa892ad01dd3ee
SHA1de2cef3a878fa892ddbaa2df84f8aec2cdff8fdf
SHA25687fc7ca0067b8538ef7430673298e6acd874c6b24d4a5c62f6bc6ebb96e1789f
SHA51218c53879e39f32f371313b6b99ea2e720c072974105940bae56e5a3c62557ce9a23fccfdf930dd3169f6b292b68b1c98488def111313407d289ddae9598d5ac8
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
331B
MD51fef7ecb3b99cd12082fa4404c0a0588
SHA14d546536102712ef57f12b68ff5f1737606ebc9a
SHA256540c885ddd5d913a28b8bf233e86417d8b6706f918012932b116a2d5d0cd97db
SHA5120f70e53c7c42632f3b79f9a0f1a7da6639dac83b7ababc144c1e1d42fa669d9cac328dd1ec9c622553da1f6a0e8b7c00c2d1f6b7d06e294fe5743a1c635fb189
-
Filesize
6KB
MD56d69c968c8addf70a5864a8177642d80
SHA17c0f951c3121439cd21c383e53051edc71ccca80
SHA2566934bd94409a066375c9647b960acb32cc5d6a2f2eea1e0a85a8835381e9ac70
SHA512c80e65f93d21fc8b40ac43f912d97a035e29fc1aa839d1ecc06dc394e1309fecc85b3fe68a97eb681ed40028a9ec170fa0cb12480f56b2af4a8c1839f6620214
-
Filesize
5KB
MD57848b3134ab8d62f8f0c5981ccb1beba
SHA1bd669b732d2dad820ccc4b5182e3291d40cf7213
SHA25606acddab5efac053099ebe787e3767874438cac9ef0d6c674306091150930b60
SHA51231bc5fdb5fe61921e89a729de422d945144ba6b6a32ed6678290eb46993e964d1e7ca1cec7dffa87d182bb0486a07a7df554c76872497ffca25cefc1f085ff7c
-
Filesize
350B
MD5102b0a77466937e5f3d48a7ec112a7fd
SHA10f0028fc80ee855e1baf3fc226e02d9ffeb536a7
SHA256221906674ede17b774b9852564c53978e8ad15fc7720a838c109dcdaf1de598a
SHA512a801e09822998a83d478f4d601ffd589b776c08140e704600d6ab78d9da0d8a5b48287ded970a37f75b04c9683946de6c6241e0c0e75a5849dbc14cf2ac49504
-
Filesize
326B
MD5c70869217693ec751f8715db258971b4
SHA1a7bff7327d78e82fb30ffe51cb6a0ede682e42ee
SHA256713be1f8a5e5795eaa4891a845cc794a272b0d1649feb000ee4ad4955f4d9c31
SHA5125599863f41c96485ae83acfb81569ceacb2de77e9ffa453a991f8170a6574e5fe1ea64e59206c1af7f94d075aef5356ecad645ee64750b083b7ea69434ed211d
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
8KB
MD5d59ad5e55171bffcf3739239176b3728
SHA1ce68b846bbe36014341856897d64529f2a2d6380
SHA256f34ecf3f37cc5120a57157d59e3414942de7f78ee51d807d40ac560a741cc035
SHA512cf2ac585a90b8c29f7155ee25c652966fcd07428e19201de910a1e15c976eb3eb5b62481ed560ff2834627366f367a01cdda94b965381c3446b81e59e6784d5a
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
2KB
MD56e47a92c1e16b06b5dde7772840b5eeb
SHA1dfe024c26dc0d92dada7246e0ce7dce1c4bffe60
SHA256e6a4e9c544c3ea65fd0b99328492fc35590298d2456f8e6fcdc8f58f85889a62
SHA51253d186256de44c48776eed8b66eca6a21c98ce0f7bd33968c5869017c2f7ff81471100629fd958625878e0295d681e1d12e7d68841e74067025217ec61c02304
-
Filesize
2KB
MD52ba835239fa2d6a1ca84cda814c86768
SHA1970f28a62ecbd5c29a2119256df595040eb5931d
SHA2567de17ab99313a83e3f926a34e531b7167cd1cc087c622fadc8b9229429dac165
SHA5121c6ba1c23d564c431b6c21705acb8ca421b96e0273b2d0644061945493bc546b22b291eb92ac534bfdddbb6ea616f239b9b772e6eaf03ee4c2d9728643bd19b1
-
Filesize
248B
MD5651c78b85a97f09d1ad2fb265d17416c
SHA1e678d454b5a8546b07798ca888796b45c21171ae
SHA25663dbe8309b6324060e10e2d2ba96db4d68f7f71ad0dc468296b9b33cde8d64e2
SHA5124b780faecf3fc09d0e68cd5af053bfd44afaee4195f25525dc88415d306026eeafa17c375f78e0a770d859a9e347d0fdf7b8695ff24cad710a6822317654c4f0
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1KB
MD5266c28411f70700613122978d6a73bfb
SHA12152d6bed53e142fe0fb9ae6ddc351e81d4d0db9
SHA256fbde6e86acbe436258a7aacaee9612c32c108e4a7070c1b4ab04f458ca59ae18
SHA512e0a47c69e2f9df0cc392334296bd390dc5da9bf1394fb523d408024fbd49b2f0d5965d5f106ebf6087f3541786a61c3d38f65f0764f64cb0681740ce1eea3fd7
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
1.1MB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
5.2MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
92KB
-
Filesize
992KB
-
Filesize
208KB
-
Filesize
92KB
-
Filesize
16.7MB
-
Filesize
412KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
2.7MB
-
Filesize
116KB