Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20-01-2025 00:58
General
-
Target
XClient.exe
-
Size
230KB
-
MD5
3cefaf94fdda7a73b1630b756856a16c
-
SHA1
75ff4afa1db6af191464ce0a98e7b80b9c1bf41d
-
SHA256
e05ec6d8902b50a66fd606aa22777693d280c9f6b1fa884594d533534997aa0e
-
SHA512
bdf1d83f1a02a7c4cbebb45c61fb765d60a3e502692466fab816ca56c6f8483171101639ebad115b6edd7b8dac8212a3dcb12cfae545b13d37c3d19197b3c98f
-
SSDEEP
3072:hOpB7PALb4mVhVVChOVC2b8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Ky9Nzr:o7ubPbbUhcX7elbKTua9bfF/H9d9n
Malware Config
Extracted
xworm
est-review.gl.at.ply.gg:21148
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 5 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 14 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {12EB63C4-25AD-46F0-8DE9-5658468E3FC0} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ConfirmApprove.rar.ENC1⤵
- Modifies registry class
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5ebe83ab7e528ba5ff7968855a9cbd9b2
SHA1c0ab3c07636ef8ccc4350c162b4ee7c9d43384ee
SHA25691d5eefd6076be3ad696cda08efaebd2c9775ee3b54aaf3838880f3812de97a2
SHA512523809835683c87bbd544351f0fb21077521ff2561bf48751b7a9f9af3186dd2dafc2e2494bc94c8a84ccc42904886ad8bbbec95a69dc6402d10dca33e95cfc7
-
Filesize
342B
MD5fc3eb857604d16dcfc4da8fcab0bc9f8
SHA18669c82aa458215bce046c2c10793331bef14cbf
SHA2562146b504c209d7c4d62d5a4d568e0837788a9fe34d4b17065a51ede862e3c973
SHA512e7e2c0816b11934bd88c26c9239b319c0d5f9bd58433aad2be9db18987f353519fa7d003c6791914b02ecc94389b5f1ad471ce59ba502ca25cca5de36d449cb4
-
Filesize
342B
MD5b9a4b2d45df361c1da04cfdeaa8c7a63
SHA181ad63185e7d5cb2f83b046aff1d729029478301
SHA25644390946f0554beb613214f421834c204a405762e0121badababe5de80b14938
SHA512944e086f2fe49cc85dda01c6db78ffbd1310f1d1b6a035a182bae62c4e860129a28f4e1964086686265b467afb5dc81526e86a012b6ecac8f73e0bc5b5f0b1e6
-
Filesize
342B
MD53e473ecd9a0408bff16ea2bf09d1e71d
SHA1501a301707453a2fa94eb79ff81419dc42cde3cf
SHA25697abbf1be0cd66d32181b06dced8260d7e3a8de783f6ed566923c04afafed611
SHA512b828b44e79654be11666671b3a034c0855a78c272a1a4fa37011c0b73eccd13b01b3da83e863beaa42336096a531bb348a27ddfbdfed53210af5a6e2eac0a297
-
Filesize
342B
MD518605d8cfc7475c70420588a9e975abe
SHA1efbc6216fa986f3df667b8570ff1b18e5da54721
SHA2561066520e06ed58305d4b8418f2fcdfd04b901938d6a5b5a702b52b7e6419ee0c
SHA51270547e75dc12784d75eb2b079dcaef7fb3005ee4fa94f18cb85a7b8bc0fdb03e38d0cc386517438e6ba47cd065de08ae99e9199247edc41bc8500ad0e205295b
-
Filesize
342B
MD58179875f79c42d7036a2a3795daa75ce
SHA1dcfc7e17455571465fac89422735d94dac0b9894
SHA2567622c02d5f2e0e2eeb9cefcdc01bc578e7c5b1ee1dabde9fe51cba6cac035852
SHA5125e34e03632b659ea9499ddec484287cb0b58a64aca4c400b5113c533b40b635509cfb7ce4d8d8fc3b21eb36bedcebd6bbf0aa4ca44878bc3b520f66b06883207
-
Filesize
342B
MD5a385b680203c19cc9993e3fd03fed06a
SHA1764a27aea1a7a0551c5b566bdc2ff61c5da17fe1
SHA2563259068eb988356f405e6ca1358f0d988256c6ec11e9376d76e210b41ed618a7
SHA512ce8398e97b34dedf2670c77820b74e7da06ce8259238b7fb65c1f24834d8eab6dc2d2d1c972abb0161ad7e5a23f783ff5122ebe4651ec7c2eb3cd5ac79f4f595
-
Filesize
342B
MD5c51913cc7050fc60e76b76c5c75b271e
SHA1eb3d83f911c039b1880473eb257a30826921da5e
SHA25663cfab0efbd162b51295ff9a889bd21ea07f06d034800bc53fe9e49d61e6b18f
SHA512845d38df28677f02b454983dc6eae5d55201ee0d114d62d3f496f57d6168ddfda4e5a879efcfe1b626a7f01174215b6ef2befcc463f1046d6047976aaaeb89c8
-
Filesize
342B
MD5002023795e6f0738d9f7e224f22715e1
SHA15463aef289b7887552d1d3e48beccafc0c4d0f4f
SHA2564e7239f9c2bed3b107fd36fe762dbd7efd3be9f074fe473c322951abf6617366
SHA512c97bd089b428142d2272ec44111ff5398c78c4da6abaf495d1f7bda583809ddc7340fc8d9b5513e36a55959554d4ca8c7d9504a07ebad7cf6132c0fe788debfb
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
3KB
MD548c3f1a4d62814be0db18aa3da2aa66b
SHA1c8bc641c128f1de7c1db245d2f73832a4f931c75
SHA256b1115c8851feff857d0e8680974104d0262d2c398186b6f25423dbfa079d3339
SHA512c3c3a19a1696adf62f0c7fca7171e3d016ab5fb70ee9f5d45fd3f1337b12bb9c2afebb92e82e7c7854c5b4d056512fd60d25a50df01e8607714bf006f87cdafa
-
Filesize
230KB
MD53cefaf94fdda7a73b1630b756856a16c
SHA175ff4afa1db6af191464ce0a98e7b80b9c1bf41d
SHA256e05ec6d8902b50a66fd606aa22777693d280c9f6b1fa884594d533534997aa0e
SHA512bdf1d83f1a02a7c4cbebb45c61fb765d60a3e502692466fab816ca56c6f8483171101639ebad115b6edd7b8dac8212a3dcb12cfae545b13d37c3d19197b3c98f
-
Filesize
625B
MD5405c7cc661b224efde8c6e5df110c30e
SHA11853d71078bed8552ae7d61602d51b49c1fb4b2c
SHA2565318017743773342ab07ef8872d906a386bd3bf98bca8decacd0312e6d88b71a
SHA512b0605fb5a671ddb7a99d1c7e7a820b599d93411284b06a93f522e03c4b1bed1ab6533afdc60c27ba55d6296581f4783f3acbf6a2a50c057c7e85a08dff4ceeb7
-
Filesize
9KB
MD5d576c4015088ef323e8b3ff81dfdf850
SHA16d150655d029f59530eb15549604b59a010542f1
SHA25654adc0ceeaa7bf3ba8e21a59eaa83fb17ba9b57f3165aad7efc9c68eb7533cae
SHA512f367758ec9e6b4974036db642c331338d41722cc781ab0908d068a46c8662b2449aa35f0790dded71f29ca8f11309a4710be5e88764883a72d046680fab725af
-
Filesize
16B
MD5f20a51d364241c5206e1a99d07c15948
SHA1a0d0f2dcdd48b46a0ba0f8b7f3b03ac423114fa6
SHA256a8b4ef0da05e026f9faea7c431657616ee1503594672304666bf22436a64d936
SHA512ca817447b0533f0f7629be5fadc0f25fe32dccf4941a9c5923293c9f9dbbf5b3bd7d4936018ed2928c571f832ddfe2e15dfa0cc25a15adfea7713102f7ce746c
-
Filesize
248KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
248KB
-
Filesize
4KB
-
Filesize
248KB
-
Filesize
248KB