Analysis

max time kernel: 263s
max time network: 275s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 17-11-2024 21:18
General

Target: XClient.exe
Size: 33KB
MD5: 28dd866f286b8e9009870ccc10bf14b1
SHA1: dd7594002ef8ad7287fa3771d82af461e05097c5
SHA256: 0935616d6f6daf035c5983316a4cfc33722f2b55720105f5f08f1c1a734cab0f
SHA512: 4b066c4a7a7f1fc01092b148b85dece3cc5cac405754d2a91b88d0eed590228d2e3e95d6516bc4904e0beb665c16c7b59e699a4ef5afd26356b8c236da52da5c
SSDEEP: 384:/l8UlK/V9FoBZ9aZV0NLx7o92lKZaJZvf/95ApkFy7BLT/OZwpGmTv99IkcisC29:dO/VMOGxwgJZvn9dFyJ9Fc2HOjhJJn
Malware Config

Extracted
Family: xworm
Version: 5.0
C2: who-gabriel.gl.at.ply.gg:45700
SzBfAo2Xalqmxk0z
install_file: USB.exe
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource | yara_rule
  behavioral1/memory/2300-4-0x0000000002230000-0x000000000223E000-memory.dmp | disable_win_def

Detect Xworm Payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/2300-1-0x0000000000130000-0x000000000013E000-memory.dmp | family_xworm

Xworm family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation | XClient.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation | SetupHost.Exe

Executes dropped EXE (2 IoCs)
  pid | Process
  968 | egablk.exe
  5344 | SetupHost.Exe

Loads dropped DLL (10 IoCs)
  pid | Process
  5344 | SetupHost.Exe (10 identical entries)

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\D: | XClient.exe

Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\Logs\MoSetup\BlueBox.log | egablk.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SetupHost.Exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | egablk.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2300 | XClient.exe
  Token: SeDebugPrivilege | 2300 | XClient.exe
  Token: 33 | 2096 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 2096 | AUDIODG.EXE
  Token: SeBackupPrivilege | 968 | egablk.exe
  Token: SeRestorePrivilege | 968 | egablk.exe
  Token: SeBackupPrivilege | 968 | egablk.exe
  Token: SeRestorePrivilege | 968 | egablk.exe
  Token: SeSecurityPrivilege | 968 | egablk.exe
  Token: SeBackupPrivilege | 5344 | SetupHost.Exe
  Token: SeRestorePrivilege | 5344 | SetupHost.Exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2300 | XClient.exe
  5344 | SetupHost.Exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  968 | egablk.exe
  5344 | SetupHost.Exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2300 wrote to memory of 968 | 2300 | XClient.exe | 92
  PID 2300 wrote to memory of 968 | 2300 | XClient.exe | 92
  PID 2300 wrote to memory of 968 | 2300 | XClient.exe | 92
  PID 968 wrote to memory of 5344 | 968 | egablk.exe | 93
  PID 968 wrote to memory of 5344 | 968 | egablk.exe | 93
  PID 968 wrote to memory of 5344 | 968 | egablk.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 2300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\egablk.exe (PID 968, child of 2300)
    Command line: "C:\Users\Admin\AppData\Local\Temp\egablk.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\$Windows.~WS\Sources\SetupHost.Exe (PID 5344, child of 968)
      Command line: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\AUDIODG.EXE (PID 2096)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2fc 0x40c
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe (PID 5624)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.7MB
MD5: 5ff880b8888b3b2041fdf0ea70b432b0
SHA1: 5705fb3a154e89761809ca447e5fbfac77e389eb
SHA256: fd0000749c4f0bb62e7a1863a2c63d52a8e312722f4f534d48a75a4c6f799011
SHA512: 21abff0b9cfa637861062b0683435cbc07a528ed5235ebbc51a9b5c30e0912c148e6e5a9960a27a2a3f95f4af303356b61f68510a37d9ee7d4530c54828354e1

Filesize: 807KB
MD5: 7647226025e2f1696a167d2a635aeeb2
SHA1: 410d51cc71fbb5c054fddc8a491938533917a656
SHA256: 8dbc67ea0c162517b55499b986946c55856610562a54fa6cbe851fe0fd865535
SHA512: 85a7bcaa201970cd6c3048838fa24b11903206d4205769a550857d9650bc84f512d89297ee58419db866ce69fe46ee4826ae72af1fa8ebacd1e63b9ff0e1392c

Filesize: 2.5MB
MD5: 49f73880545587129d0e76ff958ff421
SHA1: 758ee02c9a0b7e68a3fcb3ac2cd1a7b57c804b25
SHA256: eb9d28baaab8cd902177e1db5c41975ceb926f56baa42876cd7b15410b320f22
SHA512: 13fbf6e2ed58772fbb34fbc823f9bf0c0175def1c925abb0db5e91003e186475b5970169dd050891909643537aa78df0ae18c997394b2be2826476f4ed29c35d

Filesize: 697KB
MD5: e4d5415ab31ed174ff7eaf707d006971
SHA1: 15a624a55b71849f46ac1326fda1cbc3faca5ee8
SHA256: f967f52583c71d6b7444e4bf3de31287f03f164f84ed56e3416c8b81a9c699d3
SHA512: af8c31235955455ebc80e2a50e2bcad7589f9a075a08c0674b2f16f5e30cae3aee981ccfff50ab48b965cfb6c9ce4380402142d47b074b8dddb78f3dffa93e12

Filesize: 895KB
MD5: 8841dd93dd8cbc0104a0fa0be3ab276f
SHA1: 06e3e4f198526a1cf670f8dbf9a16b9d07fec5c2
SHA256: b25f86c8349de51bff360ce48a22b84056d4c35536037f443d304d2054ba8784
SHA512: 29c80526ff01d3d60243bac49f07bdd80c2f63aed1b1d2ba04ec79ae7bfe3f871aa8e88caa5cdb58bd5f36395c22a26b91b4be0f4d26ba301cd3e3d85905e681

Filesize: 22KB
MD5: cd678b1258ff4a0bc040084427934330
SHA1: 62d06976e76081e76b6cbeb51d16b1416b7bbed6
SHA256: 602752bb1e5b1b0be45a187cea81362eba1010bac00b631d67081cfb6516d500
SHA512: ca9c4be3e62fb92f4703b10f65e08b2045e52c781728b4757cd79e531edd5c3c468e1bc56edfd8f74bdf4b2d79d767c59dc18cc30c7e8515c89a1751c338b21d

Filesize: 7.0MB
MD5: 199fc0a0977b155f6daf1fa88df565ae
SHA1: 5b2c674b7213db1a66bd245c2fbf0827485af819
SHA256: 05ada1ec86d60c0a6bad54741d758a98f8c0d362f54f521f212d9e1f5cf81bd0
SHA512: 8dc11b297c224ce38d6cc350e18c5974a4d170e143ea2c1e1a7ab299dce440a78b449ab26626e2a2834c2cb5c1e2d2fe554ba76d7fecf2c21a9ac77bd1ab796d

Filesize: 201KB
MD5: c8e56f10d4fe40caa360d8ac5eb1e3d1
SHA1: 2915ee618c77a2bce62f7dc2579fb8d792db1ff1
SHA256: e83436e219af407cb1d725ca1bb5f3b390f42cc88ad7c2320e7fac1932ed9188
SHA512: de023e42f067d29c28a554c18478bb2d3736d9380fcd2795890771f4060055de6d5b10dbe6da1ebdeaa49bfdf9c5226f57abf2070dfa36921dfddd36a9f92dde

Filesize: 1.2MB
MD5: 2b642417613dc061ca3003c831de3790
SHA1: af556f999d146787e5cdf3bea98e419bfe778b56
SHA256: e77f50022caa3c9805774fb078454b68b0692f1bbf96216d3af93e3501c688bd
SHA512: 6738612ab25c3e69b9c825fc299d36098aec4a9725b85c9dd5dee6dcad5b09328e3aee115d2b693492d2f1a65fd3758e913d684ef1a4f1775869bbbfc66ce90e

Filesize: 808KB
MD5: 598878bda0cd9cd4c9e45813ee15a660
SHA1: 5c92b6675ef1a3fe6c0a154d5d97b36e03719392
SHA256: 9e8e14aafecd40f1ec955be958a39906dd508f9678bf15a73c8478967c209dd8
SHA512: a0ccf747591c3ecb4e49e3300fa0c5d31a1220d4a7e19a7b4886431d1f59fa18b9b279fde6021692c246fb654448ffe6ca1603f536a09582ac857cc5b9b72949

Filesize: 10.5MB
MD5: b2ef653a8575cebf20a4aabe17b70b6b
SHA1: a686304500e45ebf945c85b9de9085e6b58604c0
SHA256: ab9967c2cd345ffdbf3c4283d95bb23c77a82a2782f381634f5dfa48f2b75071
SHA512: dd293115d1f1b4474f5cdb03884529ea9e887f2420df8b4b050cb6f0e458cf8515c6dd33b977c20c680c088d6b4728f922df74f0f2475b2762f4f4377971f21b