Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    237s
  • max time network
    239s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    38KB

  • MD5

    bfbb29d4f8dc3ce3b7b67e055fb70bcf

  • SHA1

    f9a646e32fb5ec8eb10f1486e5a95883a902b108

  • SHA256

    dd90b5843c6550de3403c5bf221c3639e56083e337f49050cd21c625229d9609

  • SHA512

    e05e3db627c1a9d8de16f1357a95f330b71724dd8ae182a62ad0d3c55414d6ad0caa4ca28f0bb746173565cd1705aa82fa8d41cd99ddddbc43379a746f568a71

  • SSDEEP

    768:siS8brf7blu3ml5G7m9NFfZk7FWPB9WxOOMhTaQkrl:zpnf7c+5PFyFO9WxOOM5sl

Score
10/10
xwormevasionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

instruments-survivor.gl.at.ply.gg:29973

Mutex

Bv3T1nydYnsmIsFU

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    svchost.exe

aes.plain

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3916
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies registry class
      PID:4444
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:628
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3556
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x338 0x4ac
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\svchost.exe
    Filesize

    38KB

    MD5

    bfbb29d4f8dc3ce3b7b67e055fb70bcf

    SHA1

    f9a646e32fb5ec8eb10f1486e5a95883a902b108

    SHA256

    dd90b5843c6550de3403c5bf221c3639e56083e337f49050cd21c625229d9609

    SHA512

    e05e3db627c1a9d8de16f1357a95f330b71724dd8ae182a62ad0d3c55414d6ad0caa4ca28f0bb746173565cd1705aa82fa8d41cd99ddddbc43379a746f568a71

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_22A5F8C01828487ABCE4EDB68CB80E54.dat
    Filesize

    940B

    MD5

    d6436729a5ee945f31db554a4e9562f7

    SHA1

    89555893e7aa7b7d9bf5e11433439699daa02d41

    SHA256

    04ae74df299c1010bf86053e58637117f4c0d7c62c18d35f32d60148031ba2dd

    SHA512

    15b2954cbbce9e66a45236cdd236d25c2524d886c93604abe824b03ad8c986cf5dbf255ec423e801b61df62f59b6cd47d366e5e744ca3f5f0d419b1b7c79a81c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
    Filesize

    962B

    MD5

    c68223afd7abe623bbf30563f7845e1e

    SHA1

    90ba3d761fa0f64e2b5b104fb53848184551e161

    SHA256

    a311513c49172b0358c7db555fdd35680adc4039b2b98335e12cdf19dad4fc52

    SHA512

    3b2d911b5c389883e8d76ff72d4aba4a76c3daf699789a047a2985e3451fea5372584a277a3d807215bbbf2ffb99555c001cb1d7e5ef126b2e8c39d2046f2e00

    Download Submit

  • memory/3556-24-0x0000021D840A0000-0x0000021D840A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3556-23-0x0000021D840A0000-0x0000021D840A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3556-21-0x0000021D840A0000-0x0000021D840A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3556-20-0x0000021D840A0000-0x0000021D840A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3556-22-0x0000021D840A0000-0x0000021D840A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3556-25-0x0000021D840A0000-0x0000021D840A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3556-14-0x0000021D840A0000-0x0000021D840A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3556-15-0x0000021D840A0000-0x0000021D840A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3556-16-0x0000021D840A0000-0x0000021D840A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3556-26-0x0000021D840A0000-0x0000021D840A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3916-13-0x00000000016E0000-0x00000000016EE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3916-12-0x00000000016D0000-0x00000000016DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3916-0-0x00007FF91D203000-0x00007FF91D205000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3916-8-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3916-11-0x00000000016C0000-0x00000000016CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3916-10-0x00000000015F0000-0x00000000015FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3916-7-0x00007FF91D203000-0x00007FF91D205000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3916-6-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3916-29-0x0000000001700000-0x000000000170A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3916-1-0x0000000000D60000-0x0000000000D70000-memory.dmp

    Filesize

    64KB

    Download