Analysis

  • max time kernel
    364s
  • max time network
    365s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-11-2024 06:41

General

  • Target

    XClient.exe

  • Size

    32KB

  • MD5

    ee3c4303a024e6531418878287a55a31

  • SHA1

    a894a9d478c5d2bc92fd8dea25c1d2a9d99e4f19

  • SHA256

    2befb434a29f0c1431586c14afde088aa4d39b75bf986f9e808a1a3588ec9029

  • SHA512

    79edad989c972b2d1840f43dcba28e332c0d2a29352a33b774e502940303e8e8246c2b6ab5391ce30b118e61be20dc71b68d5adb17aa068d5e15a5d41d3cac0f

  • SSDEEP

    384:UYxRXcrP31VZBELRUnvJff3cdiwJVARJpkFTBLToOZwxJd2v99IkuistwMVFxOjw:MPjgRevJ3cdXVAGF/9jGROjhTbO

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

https://pastebin.com/raw/DxYQ14Jj:123

Mutex

WFsVIr1jHXzRP1t5

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/DxYQ14Jj

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:532
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4516
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1916

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/532-0-0x00007FFE84C83000-0x00007FFE84C85000-memory.dmp

      Filesize

      8KB

    • memory/532-1-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

      Filesize

      56KB

    • memory/532-2-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

      Filesize

      10.8MB

    • memory/532-3-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

      Filesize

      10.8MB

    • memory/1916-4-0x0000014CFEDD0000-0x0000014CFEDD1000-memory.dmp

      Filesize

      4KB

    • memory/1916-5-0x0000014CFEDD0000-0x0000014CFEDD1000-memory.dmp

      Filesize

      4KB

    • memory/1916-6-0x0000014CFEDD0000-0x0000014CFEDD1000-memory.dmp

      Filesize

      4KB

    • memory/1916-16-0x0000014CFEDD0000-0x0000014CFEDD1000-memory.dmp

      Filesize

      4KB

    • memory/1916-15-0x0000014CFEDD0000-0x0000014CFEDD1000-memory.dmp

      Filesize

      4KB

    • memory/1916-14-0x0000014CFEDD0000-0x0000014CFEDD1000-memory.dmp

      Filesize

      4KB

    • memory/1916-13-0x0000014CFEDD0000-0x0000014CFEDD1000-memory.dmp

      Filesize

      4KB

    • memory/1916-12-0x0000014CFEDD0000-0x0000014CFEDD1000-memory.dmp

      Filesize

      4KB

    • memory/1916-11-0x0000014CFEDD0000-0x0000014CFEDD1000-memory.dmp

      Filesize

      4KB

    • memory/1916-10-0x0000014CFEDD0000-0x0000014CFEDD1000-memory.dmp

      Filesize

      4KB