Overview

overview

10

Static

static

10

XClient.exe

windows10-2004-x64

10

XClient.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2025 16:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    65KB

  • MD5

    f4e5f696d570d7941c3501411c0d1d6c

  • SHA1

    4a22f1fc9571cf7da21df2eeb3db4d9af5ba5bee

  • SHA256

    bf200fd4fc3cb983bd36958cbb6d0cdd23a25b5e8e897c2d8f7ac9758e728ed2

  • SHA512

    9f21975b2eb8bc01d3fd7c18db02cf67cb1092013deac99842fb7868a213f23fcbc1cd37527b357be1447c332ed2b29dfc3e19925a5f654a6a1771a1ee9290e4

  • SSDEEP

    1536:/o4f+hIhZduTpNj/PjkbFFUprp5QaN6GOIrma1:DxhqvkbFufpOIyk

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

sponef159-35748.portmap.host:7809

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7508868671:AAG6XIOhz39IrQIUnjub1TKVOVZHfdjpsvM/sendMessage?chat_id=6094400048

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1376
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2828
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UseMount.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:220
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1740
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    731e9e4becec0b1ef9caad4b3562d4b4

    SHA1

    6dffb77aba4e92ad5bd4b7c02fdee6f328bcd457

    SHA256

    71c7eca538938fa4d5b470fee41cfe43734e9beb9ae409d5b41111fa1a15c2d5

    SHA512

    841cf559ae5b0feec4be43018717641399b3602a553112e98b07d498f1a44169924466abc7e2313b8e8cf1c0fdc1bb7635e2818aab8269b0ef349a0ba0cd6ae5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    1f545274ba19d9199a78f74cd05e8187

    SHA1

    4036cf78d3f310af42963c8f16ae27c5922b5dff

    SHA256

    3b4780cb2e226f4b05643c0b512960e694f21b35bbbe84d5c5e97628e1f8909c

    SHA512

    b0f66a6c32cb7f2f96b51c141ffe7df7f4fd61a792e6a3756f54b6d0df6f48d7a3bda23d46ee1e18a22ac995520fb9c4ca1b444d204bdd8f3e4b8651f59adc0d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    10890cda4b6eab618e926c4118ab0647

    SHA1

    1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

    SHA256

    00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

    SHA512

    a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d1idt3mk.nzl.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    334B

    MD5

    38f761dd19681cec1df62179aa4ce0ad

    SHA1

    d62e0368c1e315a610297bf0b09ad31d574ff411

    SHA256

    81078adea712d7511f70a1d113fcb8472374dda040d77ad4f628f4787ad7222c

    SHA512

    4a99a80d88e4d6783e9c6a3733f3d764e50c43e7529fba6afcb6c2bd56b5586dcebb2fa85b66e9cf433fb33689941f628be1bf7735de6d37bd8fd75304590ca4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    65KB

    MD5

    f4e5f696d570d7941c3501411c0d1d6c

    SHA1

    4a22f1fc9571cf7da21df2eeb3db4d9af5ba5bee

    SHA256

    bf200fd4fc3cb983bd36958cbb6d0cdd23a25b5e8e897c2d8f7ac9758e728ed2

    SHA512

    9f21975b2eb8bc01d3fd7c18db02cf67cb1092013deac99842fb7868a213f23fcbc1cd37527b357be1447c332ed2b29dfc3e19925a5f654a6a1771a1ee9290e4

    Download Submit

  • memory/220-121-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-119-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-122-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-64-0x00007FF8F8CB0000-0x00007FF8F8CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-120-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-65-0x00007FF8F8CB0000-0x00007FF8F8CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-59-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-60-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-61-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-62-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-63-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1868-17-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1868-14-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1868-13-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1868-12-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1868-11-0x00000121E4B30000-0x00000121E4B52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5004-58-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5004-57-0x00007FF91D203000-0x00007FF91D205000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5004-56-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5004-0-0x00007FF91D203000-0x00007FF91D205000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5004-1-0x0000000000CF0000-0x0000000000D06000-memory.dmp

    Filesize

    88KB

    Download