Overview

overview

10

Static

static

10

XClient.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    305s
  • max time network
    317s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16-11-2024 00:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    50KB

  • MD5

    fceed5f165bc95503b1c9314ff7ec459

  • SHA1

    c62b48cb6728bbe7e9aeb74c9398c4bb6666f1e3

  • SHA256

    429c847c13edb9c836b9fa6a8a1481ff24754d3ef0ceb6f2d86f475e2574bd02

  • SHA512

    f149191a07b91419446e7bee755545a95171c8a30439e2e53604b9262098415c478656f8793931d9f947bb64822cd263cc6a845344841c31fe8bf0ec3195ab08

  • SSDEEP

    768:NiKph0KQHQPbe+rNh3+W4dF8EUWb7YIq78OMOV6hU81Kj:NiKp+pmee1+988b7YkrOV6PKj

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

camera-recovered.gl.at.ply:9924

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:5000
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3344
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4228
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1488
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:832
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1156

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
    Filesize

    654B

    MD5

    2cbbb74b7da1f720b48ed31085cbd5b8

    SHA1

    79caa9a3ea8abe1b9c4326c3633da64a5f724964

    SHA256

    e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

    SHA512

    ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XClient.exe
    Filesize

    50KB

    MD5

    fceed5f165bc95503b1c9314ff7ec459

    SHA1

    c62b48cb6728bbe7e9aeb74c9398c4bb6666f1e3

    SHA256

    429c847c13edb9c836b9fa6a8a1481ff24754d3ef0ceb6f2d86f475e2574bd02

    SHA512

    f149191a07b91419446e7bee755545a95171c8a30439e2e53604b9262098415c478656f8793931d9f947bb64822cd263cc6a845344841c31fe8bf0ec3195ab08

    Download Submit

  • memory/3344-11-0x00007FFB24C30000-0x00007FFB256F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3344-13-0x00007FFB24C30000-0x00007FFB256F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4376-0-0x00007FFB24C33000-0x00007FFB24C35000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4376-1-0x00000000000B0000-0x00000000000C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4376-2-0x00007FFB24C30000-0x00007FFB256F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4376-7-0x00007FFB24C33000-0x00007FFB24C35000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4376-8-0x00007FFB24C30000-0x00007FFB256F2000-memory.dmp

    Filesize

    10.8MB

    Download