Overview

overview

10

Static

static

10

XCnigga.exe

windows7-x64

10

XCnigga.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-01-2025 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XCnigga.exe

  • Size

    74KB

  • MD5

    6b67af317eaed9595eb9ee513372cd74

  • SHA1

    2350eb719b4d5ddd8da7247ec637fba5be994204

  • SHA256

    24201bf218d04d65430b3fa6100779967b1ed77ffb94fc986522861c429ec3e6

  • SHA512

    ca8015b8e4d67d705eb17ed80302bf4eceea14d5386cd096d6b73e4a6694ef8e8c734a674c8218361842f22e8d1b2dc1523b87984fcbe08a374938ad5e545d1f

  • SSDEEP

    1536:5nVzXcWbHadoyrUXbLjuogFWDg6nO6NRYKN4:37bHuXIbLj3g0DVO6Nd4

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/6wUPPUDa

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 37 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XCnigga.exe
    "C:\Users\Admin\AppData\Local\Temp\XCnigga.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XCnigga.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XCnigga.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1644
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2136
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
    1⤵
    • Modifies registry class
    PID:2152

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    9552a652d87cbe04b886e445ada782a5

    SHA1

    ee2e1f78fbc6face21ac6a65be0c3ac6e411326b

    SHA256

    9b0f7ab8cebebbb913aabad1024a84acf04cb6de7ab8cf7d5883a5d54e46b3ce

    SHA512

    da641bf7a14446c2bbe69548a320909eb6314d97390c75d1c4c75dcc7cf769e4dd6b78014014ea76e835896f95a6a2cb86e40ec2224649a03ecc464b3649b56f

    Download Submit

  • memory/1644-33-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/1644-32-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2108-1-0x0000000000840000-0x0000000000858000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2108-2-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2108-7-0x000007FEF6643000-0x000007FEF6644000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2108-0-0x000007FEF6643000-0x000007FEF6644000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2108-34-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2136-37-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2136-36-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2136-35-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2808-8-0x00000000026D0000-0x0000000002750000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2808-10-0x0000000002250000-0x0000000002258000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2808-9-0x000000001B440000-0x000000001B722000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2840-16-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2840-17-0x0000000001F00000-0x0000000001F08000-memory.dmp

    Filesize

    32KB

    Download