Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2024 21:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    34KB

  • MD5

    c066e2162e9aa7dd672e4c20c1c8c9eb

  • SHA1

    20c061ca760ed127dd7c43ad5147064af4009d93

  • SHA256

    f2c139ededc6158ae672aa2ae484cbdf503517af131062ddd80a106dd7827557

  • SHA512

    aa75920ffef507b16ed23f7c4033374ec5b1ae56d9f6f32db6a0b632366a031280be4b6c2fed4ef895fda459899dccb62def861ffb90d287a23112a9d56a4adf

  • SSDEEP

    384:PxXv9qZ/QXokXcjlcTB+Gx//wD7rXVhLHzVdfgkBE2jHuh/58pkFyHBLTLZwYGoy:JXB2GxebHzDyCw/VFye9F+Ojh7yaEr4

Score
10/10
neshtastormkittyumbralxwormdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

cheflilou-43810.portmap.host:43810

Mutex

JQrIKWspeoVSCrcE

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1300923716687106088/zBYqs8nJ3MptGRgCn45okL0BWnQ0FdPIXStaaykk5DhZfBnHinW4M0Ve6U2CSPsMATf2

Signatures

  • Detect Neshta payload 3 IoCs
  • Detect Umbral payload 3 IoCs
  • Detect Xworm Payload 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\ppotez.exe
      "C:\Users\Admin\AppData\Local\Temp\ppotez.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\3582-490\ppotez.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\ppotez.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2796
        • C:\Windows\system32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\3582-490\ppotez.exe"
          4⤵
          • Views/modifies file attributes
          PID:2300
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3582-490\ppotez.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2656
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:408
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2524
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1948
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:540
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
            PID:2568
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            4⤵
              PID:1432
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:884
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              4⤵
              • Detects videocard installed
              PID:2444
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\3582-490\ppotez.exe" && pause
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Suspicious use of WriteProcessMemory
              PID:2240
              • C:\Windows\system32\PING.EXE
                ping localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2964

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Event Triggered Execution

      1
      T1546

      Change Default File Association

      1
      T1546.001

      Privilege Escalation

      Event Triggered Execution

      1
      T1546

      Change Default File Association

      1
      T1546.001

      Defense Evasion

      Hide Artifacts

      1
      T1564

      Hidden Files and Directories

      1
      T1564.001

      Modify Registry

      1
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Browser Information Discovery

      1
      T1217

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ppotez.exe
        Filesize

        270KB

        MD5

        f76710d1d5a29fca7e79fe4edf8c91d8

        SHA1

        6fb0a847757bbb11b6879faee49ba2206d062c37

        SHA256

        9a1e6e1d123a3989318515c475e04f02ece3d85eade3ab77c6c3baf928abb1e4

        SHA512

        6735e5431f6dee3c3d20612440fb0b320f6330b58c54d178683c61874335749a90f8992662f250ed8286e26e4eae1ccf13e145e53b5fb43a5bff2678a73511b1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        90fa10732953453834b6aba94c8b8f85

        SHA1

        052301eb4ddac3f195b5fb5ac9a594ec30db740e

        SHA256

        51275d4aba021fbf0ee69cd61ef245ac5d9660b560121c23585693fa35ae4f95

        SHA512

        d738516723dafc57ee6195ed12f665dea8854f3952143b391e9daa98f9858393292d0046e6b3290dc228ecc15ea7c36e58918a24c1b8ed7f1e44c9338ca013ec

        Download Submit

      • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
        Filesize

        252KB

        MD5

        9e2b9928c89a9d0da1d3e8f4bd96afa7

        SHA1

        ec66cda99f44b62470c6930e5afda061579cde35

        SHA256

        8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

        SHA512

        2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

        Download Submit

      • \Users\Admin\AppData\Local\Temp\3582-490\ppotez.exe
        Filesize

        229KB

        MD5

        13a44ae702c2f8ec11472d6b965b8786

        SHA1

        dc410e60fce3498499d148c37d54dc25ca502aa4

        SHA256

        9ed2f2b8b28c3d25bb88732ffb42cb352552cf73448372ca2566511bfb8cd401

        SHA512

        63116b191589b5209e80206a9a4454e56c522fd3d53655abb0c4dfe4b08f2a381cd9a3b52e97167dfd2753f9ca69ba8ff6e9e14915c00d7e610fc477dc2d453f

        Download Submit

      • memory/408-112-0x000000001B8B0000-0x000000001BB92000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/408-113-0x00000000021D0000-0x00000000021D8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2380-8-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2380-7-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2380-6-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2380-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2380-1-0x0000000000140000-0x000000000014E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2380-149-0x000000001BCC0000-0x000000001BDE0000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2612-26-0x0000000000E10000-0x0000000000E50000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2656-105-0x000000001B700000-0x000000001B9E2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2656-106-0x0000000002760000-0x0000000002768000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2804-145-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/2804-147-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download