Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2025, 18:25 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    80KB

  • MD5

    2549b9c24b00e10d1d1b19ed18abea56

  • SHA1

    71135d2dccd4f4cdcefdd0cf2b59fe7d7fa51897

  • SHA256

    89751d8b2b5ff207f8a7da0605086c675471f47830c29357d42006eb2598262a

  • SHA512

    52c672a7bb9c2b426ad6d4ee201c18fe751836f3b0fd4dea8c76e86c16fb47afe0f1a6443af323ccef6a549eb88af73250c59af9e4000784afb2ca7ca3509afa

  • SSDEEP

    1536:6C1htydn6LwUGd8H0qlKhxGeB9VxgCR939beP8e5Lkkma6R1DTgbi55oOLuXnvKL:6CxicwUU3jvGeBTR19bePvgkmfgYoOCe

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

america-depending.gl.at.ply.gg:22525

Attributes
  • Install_directory

    %AppData%

  • install_file

    fix solve.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\fix solve.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fix solve.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3372

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    80.14.97.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    80.14.97.104.in-addr.arpa
    IN PTR
    Response
    80.14.97.104.in-addr.arpa
    IN PTR
    a104-97-14-80deploystaticakamaitechnologiescom
  • flag-us
    DNS
    245.131.30.184.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    245.131.30.184.in-addr.arpa
    IN PTR
    Response
    245.131.30.184.in-addr.arpa
    IN PTR
    a184-30-131-245deploystaticakamaitechnologiescom
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    america-depending.gl.at.ply.gg
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    america-depending.gl.at.ply.gg
    IN A
    Response
    america-depending.gl.at.ply.gg
    IN A
    147.185.221.25
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.190.18.2.in-addr.arpa
    IN PTR
    Response
    167.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    86.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    121.150.79.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    121.150.79.40.in-addr.arpa
    IN PTR
    Response
  • 147.185.221.25:22525
    america-depending.gl.at.ply.gg
    XClient.exe
    260 B
     5
  • 147.185.221.25:22525
    america-depending.gl.at.ply.gg
    XClient.exe
    260 B
     5
  • 147.185.221.25:22525
    america-depending.gl.at.ply.gg
    XClient.exe
    260 B
     5
  • 147.185.221.25:22525
    america-depending.gl.at.ply.gg
    XClient.exe
    260 B
     5
  • 147.185.221.25:22525
    america-depending.gl.at.ply.gg
    XClient.exe
    260 B
     5
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    80.14.97.104.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    80.14.97.104.in-addr.arpa

  • 8.8.8.8:53
    245.131.30.184.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    245.131.30.184.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    america-depending.gl.at.ply.gg
    dns
    XClient.exe
    76 B
     92 B
     1
    1

    DNS Request

    america-depending.gl.at.ply.gg

    DNS Response

    147.185.221.25

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    167.190.18.2.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    167.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    86.49.80.91.in-addr.arpa
    dns
    70 B
     145 B
     1
    1

    DNS Request

    86.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    121.150.79.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    121.150.79.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    77d622bb1a5b250869a3238b9bc1402b

    SHA1

    d47f4003c2554b9dfc4c16f22460b331886b191b

    SHA256

    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

    SHA512

    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    a9451a6b9669d49bd90704dff21beb85

    SHA1

    5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80

    SHA256

    b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056

    SHA512

    06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    9a2c763c5ff40e18e49ad63c7c3b0088

    SHA1

    4b289ea34755323fa869da6ad6480d8d12385a36

    SHA256

    517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e

    SHA512

    3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_orispmtt.53e.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3360-11-0x00000227D46F0000-0x00000227D4712000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3360-14-0x00007FFE23A50000-0x00007FFE24511000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3360-17-0x00007FFE23A50000-0x00007FFE24511000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3360-13-0x00007FFE23A50000-0x00007FFE24511000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3360-12-0x00007FFE23A50000-0x00007FFE24511000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4676-0-0x00007FFE23A53000-0x00007FFE23A55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4676-1-0x0000000000AD0000-0x0000000000AEA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4676-56-0x00007FFE23A53000-0x00007FFE23A55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4676-57-0x00007FFE23A50000-0x00007FFE24511000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4676-58-0x00007FFE23A50000-0x00007FFE24511000-memory.dmp

    Filesize

    10.8MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.