Overview

overview

10

Static

static

10

XClien2t.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    43s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClien2t.exe

  • Size

    39KB

  • MD5

    cb66c0aecefa400bd702fdfce6768867

  • SHA1

    86eff3a8079fac5ba6bee0c7305dcfb02bf11dff

  • SHA256

    e984d24a32bfbd3da67c941e130e6cc73efb0dbd343f549b49626fd059a84c7e

  • SHA512

    f9436c34ebfe6ea6db97eaef00d0e5c8b5196fe7e01f6c4cb3ea811c98a80b6e735de8e74bb5a2b0404f69001f1aeae160386a9bb402f4ba3da65bb7d5458831

  • SSDEEP

    768:Inp2iB3sNvzK2Awjzef/YEW7KbiCqEoFN9UeGOphFjtYGK:RiB8V6f/WlCq9FN9UvOplBK

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

https://pastebin.com/raw/s98jTNJs:1

Mutex

skS6kMhEKAoBazrr

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    msconfig.exe

  • pastebin_url

    https://pastebin.com/raw/s98jTNJs

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClien2t.exe
    "C:\Users\Admin\AppData\Local\Temp\XClien2t.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msconfig" /tr "C:\Users\Admin\msconfig.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3724-0-0x00007FF87A7F3000-0x00007FF87A7F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3724-1-0x00000000005C0000-0x00000000005D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3724-6-0x00007FF87A7F0000-0x00007FF87B2B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3724-7-0x00007FF87A7F0000-0x00007FF87B2B1000-memory.dmp

    Filesize

    10.8MB

    Download