Analysis
max time kernel: 364s
max time network: 365s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-11-2024 06:41
General
Target: XClient.exe
Size: 32KB
MD5: ee3c4303a024e6531418878287a55a31
SHA1: a894a9d478c5d2bc92fd8dea25c1d2a9d99e4f19
SHA256: 2befb434a29f0c1431586c14afde088aa4d39b75bf986f9e808a1a3588ec9029
SHA512: 79edad989c972b2d1840f43dcba28e332c0d2a29352a33b774e502940303e8e8246c2b6ab5391ce30b118e61be20dc71b68d5adb17aa068d5e15a5d41d3cac0f
SSDEEP: 384:UYxRXcrP31VZBELRUnvJff3cdiwJVARJpkFTBLToOZwxJd2v99IkuistwMVFxOjw:MPjgRevJ3cdXVAGF/9jGROjhTbO
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: https://pastebin.com/raw/DxYQ14Jj:123
Mutex: WFsVIr1jHXzRP1t5
Attributes
- install_file: USB.exe
- pastebin_url: https://pastebin.com/raw/DxYQ14Jj
- aes.plain
Signatures
- Detect Xworm Payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/532-1-0x0000000000BF0000-0x0000000000BFE000-memory.dmp | family_xworm
- Xworm family
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  14 | pastebin.com
  15 | pastebin.com
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid | Process
  1916 | taskmgr.exe (13 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1916 | taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 532 | XClient.exe
  Token: SeDebugPrivilege | 1916 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 1916 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 1916 | taskmgr.exe
  Token: 33 | 1916 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 1916 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (34 IoCs)
  pid | Process
  1916 | taskmgr.exe (34 identical entries)
- Suspicious use of SendNotifyMessage (34 IoCs)
  pid | Process
  1916 | taskmgr.exe (34 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 532
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4516
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1916
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage