Analysis

  • max time kernel
    263s
  • max time network
    275s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    17-11-2024 21:18

General

  • Target

    XClient.exe

  • Size

    33KB

  • MD5

    28dd866f286b8e9009870ccc10bf14b1

  • SHA1

    dd7594002ef8ad7287fa3771d82af461e05097c5

  • SHA256

    0935616d6f6daf035c5983316a4cfc33722f2b55720105f5f08f1c1a734cab0f

  • SHA512

    4b066c4a7a7f1fc01092b148b85dece3cc5cac405754d2a91b88d0eed590228d2e3e95d6516bc4904e0beb665c16c7b59e699a4ef5afd26356b8c236da52da5c

  • SSDEEP

    384:/l8UlK/V9FoBZ9aZV0NLx7o92lKZaJZvf/95ApkFy7BLT/OZwpGmTv99IkcisC29:dO/VMOGxwgJZvn9dFyJ9Fc2HOjhJJn

Malware Config

Extracted

Family

xworm

Version

5.0

C2

who-gabriel.gl.at.ply.gg:45700

Mutex

SzBfAo2Xalqmxk0z

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Contains code to disable Windows Defender (1 IoC)

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload (1 IoC)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (10 IoCs)
  • Enumerates connected drives (3 TTPs, 1 IoC)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Users\Admin\AppData\Local\Temp\egablk.exe
      "C:\Users\Admin\AppData\Local\Temp\egablk.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\$Windows.~WS\Sources\SetupHost.Exe
        "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:5344
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2fc 0x40c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2096
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:5624

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll

      Filesize

      3.7MB

      MD5

      5ff880b8888b3b2041fdf0ea70b432b0

      SHA1

      5705fb3a154e89761809ca447e5fbfac77e389eb

      SHA256

      fd0000749c4f0bb62e7a1863a2c63d52a8e312722f4f534d48a75a4c6f799011

      SHA512

      21abff0b9cfa637861062b0683435cbc07a528ed5235ebbc51a9b5c30e0912c148e6e5a9960a27a2a3f95f4af303356b61f68510a37d9ee7d4530c54828354e1

    • C:\$Windows.~WS\Sources\ServicingCommon.dll

      Filesize

      807KB

      MD5

      7647226025e2f1696a167d2a635aeeb2

      SHA1

      410d51cc71fbb5c054fddc8a491938533917a656

      SHA256

      8dbc67ea0c162517b55499b986946c55856610562a54fa6cbe851fe0fd865535

      SHA512

      85a7bcaa201970cd6c3048838fa24b11903206d4205769a550857d9650bc84f512d89297ee58419db866ce69fe46ee4826ae72af1fa8ebacd1e63b9ff0e1392c

    • C:\$Windows.~WS\Sources\SetupCore.dll

      Filesize

      2.5MB

      MD5

      49f73880545587129d0e76ff958ff421

      SHA1

      758ee02c9a0b7e68a3fcb3ac2cd1a7b57c804b25

      SHA256

      eb9d28baaab8cd902177e1db5c41975ceb926f56baa42876cd7b15410b320f22

      SHA512

      13fbf6e2ed58772fbb34fbc823f9bf0c0175def1c925abb0db5e91003e186475b5970169dd050891909643537aa78df0ae18c997394b2be2826476f4ed29c35d

    • C:\$Windows.~WS\Sources\SetupHost.exe

      Filesize

      697KB

      MD5

      e4d5415ab31ed174ff7eaf707d006971

      SHA1

      15a624a55b71849f46ac1326fda1cbc3faca5ee8

      SHA256

      f967f52583c71d6b7444e4bf3de31287f03f164f84ed56e3416c8b81a9c699d3

      SHA512

      af8c31235955455ebc80e2a50e2bcad7589f9a075a08c0674b2f16f5e30cae3aee981ccfff50ab48b965cfb6c9ce4380402142d47b074b8dddb78f3dffa93e12

    • C:\$Windows.~WS\Sources\SetupMgr.dll

      Filesize

      895KB

      MD5

      8841dd93dd8cbc0104a0fa0be3ab276f

      SHA1

      06e3e4f198526a1cf670f8dbf9a16b9d07fec5c2

      SHA256

      b25f86c8349de51bff360ce48a22b84056d4c35536037f443d304d2054ba8784

      SHA512

      29c80526ff01d3d60243bac49f07bdd80c2f63aed1b1d2ba04ec79ae7bfe3f871aa8e88caa5cdb58bd5f36395c22a26b91b4be0f4d26ba301cd3e3d85905e681

    • C:\$Windows.~WS\Sources\SetupPlatform.cfg

      Filesize

      22KB

      MD5

      cd678b1258ff4a0bc040084427934330

      SHA1

      62d06976e76081e76b6cbeb51d16b1416b7bbed6

      SHA256

      602752bb1e5b1b0be45a187cea81362eba1010bac00b631d67081cfb6516d500

      SHA512

      ca9c4be3e62fb92f4703b10f65e08b2045e52c781728b4757cd79e531edd5c3c468e1bc56edfd8f74bdf4b2d79d767c59dc18cc30c7e8515c89a1751c338b21d

    • C:\$Windows.~WS\Sources\SetupPlatform.dll

      Filesize

      7.0MB

      MD5

      199fc0a0977b155f6daf1fa88df565ae

      SHA1

      5b2c674b7213db1a66bd245c2fbf0827485af819

      SHA256

      05ada1ec86d60c0a6bad54741d758a98f8c0d362f54f521f212d9e1f5cf81bd0

      SHA512

      8dc11b297c224ce38d6cc350e18c5974a4d170e143ea2c1e1a7ab299dce440a78b449ab26626e2a2834c2cb5c1e2d2fe554ba76d7fecf2c21a9ac77bd1ab796d

    • C:\$Windows.~WS\Sources\WDSCORE.dll

      Filesize

      201KB

      MD5

      c8e56f10d4fe40caa360d8ac5eb1e3d1

      SHA1

      2915ee618c77a2bce62f7dc2579fb8d792db1ff1

      SHA256

      e83436e219af407cb1d725ca1bb5f3b390f42cc88ad7c2320e7fac1932ed9188

      SHA512

      de023e42f067d29c28a554c18478bb2d3736d9380fcd2795890771f4060055de6d5b10dbe6da1ebdeaa49bfdf9c5226f57abf2070dfa36921dfddd36a9f92dde

    • C:\$Windows.~WS\Sources\WinDlp.dll

      Filesize

      1.2MB

      MD5

      2b642417613dc061ca3003c831de3790

      SHA1

      af556f999d146787e5cdf3bea98e419bfe778b56

      SHA256

      e77f50022caa3c9805774fb078454b68b0692f1bbf96216d3af93e3501c688bd

      SHA512

      6738612ab25c3e69b9c825fc299d36098aec4a9725b85c9dd5dee6dcad5b09328e3aee115d2b693492d2f1a65fd3758e913d684ef1a4f1775869bbbfc66ce90e

    • C:\$Windows.~WS\Sources\unbcl.dll

      Filesize

      808KB

      MD5

      598878bda0cd9cd4c9e45813ee15a660

      SHA1

      5c92b6675ef1a3fe6c0a154d5d97b36e03719392

      SHA256

      9e8e14aafecd40f1ec955be958a39906dd508f9678bf15a73c8478967c209dd8

      SHA512

      a0ccf747591c3ecb4e49e3300fa0c5d31a1220d4a7e19a7b4886431d1f59fa18b9b279fde6021692c246fb654448ffe6ca1603f536a09582ac857cc5b9b72949

    • C:\Users\Admin\AppData\Local\Temp\egablk.exe

      Filesize

      10.5MB

      MD5

      b2ef653a8575cebf20a4aabe17b70b6b

      SHA1

      a686304500e45ebf945c85b9de9085e6b58604c0

      SHA256

      ab9967c2cd345ffdbf3c4283d95bb23c77a82a2782f381634f5dfa48f2b75071

      SHA512

      dd293115d1f1b4474f5cdb03884529ea9e887f2420df8b4b050cb6f0e458cf8515c6dd33b977c20c680c088d6b4728f922df74f0f2475b2762f4f4377971f21b

    • memory/2300-10-0x00000000006B0000-0x00000000006BA000-memory.dmp

      Filesize

      40KB

    • memory/2300-6-0x0000000000650000-0x000000000065A000-memory.dmp

      Filesize

      40KB

    • memory/2300-5-0x00000000023B0000-0x00000000023BA000-memory.dmp

      Filesize

      40KB

    • memory/2300-4-0x0000000002230000-0x000000000223E000-memory.dmp

      Filesize

      56KB

    • memory/2300-0-0x00007FF9D3EF3000-0x00007FF9D3EF5000-memory.dmp

      Filesize

      8KB

    • memory/2300-3-0x00007FF9D3EF0000-0x00007FF9D49B2000-memory.dmp

      Filesize

      10.8MB

    • memory/2300-2-0x00007FF9D3EF0000-0x00007FF9D49B2000-memory.dmp

      Filesize

      10.8MB

    • memory/2300-1-0x0000000000130000-0x000000000013E000-memory.dmp

      Filesize

      56KB

    • memory/2300-79-0x000000001C690000-0x000000001C9E0000-memory.dmp

      Filesize

      3.3MB

    • memory/2300-83-0x000000001A6F0000-0x000000001A6FC000-memory.dmp

      Filesize

      48KB

    • memory/2300-84-0x000000001A3E0000-0x000000001A3EC000-memory.dmp

      Filesize

      48KB