Resubmissions

Submitted            Analysis ID          Score
27/01/2025, 20:41    250127-zgfs3svqbp    10
27/01/2025, 20:36    250127-zdvstsvkcy    10
27/01/2025, 20:32    250127-zbph2avnfr    10

Analysis
max time kernel: 121s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 20:41
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: XClient.exe
Resource: win10v2004-20241007-en
General

Target: XClient.exe
Size: 49KB
MD5: 9cda258445b322eb90f65b32ba86d86c
SHA1: d86a39dcc80db9cef23fc389dbbb6951ed7f908c
SHA256: 0aca70f4574b4f593ad118de1846cb744eed48473a8fd51759c37e508d44e50f
SHA512: f76c77b63b6e881cd6e9a436b5efe5e4a45a8e78126fcc6876ec6855ef2572ba7e9dec7200e32ddca78f232d451305f87729ee5989f3c8ed83cde53d132a1d9a
SSDEEP: 768:DaT5ryS4lEW64POSn1iQK4kb2UULNwLdVvM6wEO1hEjdoHj:GNrH+EWR5rkbzeNivM6wEO1yaj
Malware Config

Extracted
Family: xworm
C2: sponef159-35748.portmap.host:35748
Install_directory: %AppData%
install_file: svchost.exe
telegram: https://api.telegram.org/bot7508868671:AAG6XIOhz39IrQIUnjub1TKVOVZHfdjpsvM/sendMessage?chat_id=6094400048
Signatures

Detect Xworm Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2908-1-0x0000000000990000-0x00000000009A2000-memory.dmp   family_xworm
  behavioral1/files/0x0009000000012117-34.dat                                  family_xworm
  behavioral1/memory/740-36-0x00000000011F0000-0x0000000001202000-memory.dmp   family_xworm

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  2320  powershell.exe
  2132  powershell.exe
  2868  powershell.exe
  2876  powershell.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                        Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk   XClient.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk   XClient.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  740   svchost.exe
  2024  svchost.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                        Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"   XClient.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2688  schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2320  powershell.exe
  2132  powershell.exe
  2868  powershell.exe
  2876  powershell.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2908  XClient.exe
  Token: SeDebugPrivilege  2320  powershell.exe
  Token: SeDebugPrivilege  2132  powershell.exe
  Token: SeDebugPrivilege  2868  powershell.exe
  Token: SeDebugPrivilege  2876  powershell.exe
  Token: SeDebugPrivilege  2908  XClient.exe
  Token: SeDebugPrivilege  740   svchost.exe
  Token: SeDebugPrivilege  2024  svchost.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description                       pid   Process      procid_target
  PID 2908 wrote to memory of 2320  2908  XClient.exe  30
  PID 2908 wrote to memory of 2320  2908  XClient.exe  30
  PID 2908 wrote to memory of 2320  2908  XClient.exe  30
  PID 2908 wrote to memory of 2132  2908  XClient.exe  32
  PID 2908 wrote to memory of 2132  2908  XClient.exe  32
  PID 2908 wrote to memory of 2132  2908  XClient.exe  32
  PID 2908 wrote to memory of 2868  2908  XClient.exe  34
  PID 2908 wrote to memory of 2868  2908  XClient.exe  34
  PID 2908 wrote to memory of 2868  2908  XClient.exe  34
  PID 2908 wrote to memory of 2876  2908  XClient.exe  36
  PID 2908 wrote to memory of 2876  2908  XClient.exe  36
  PID 2908 wrote to memory of 2876  2908  XClient.exe  36
  PID 2908 wrote to memory of 2688  2908  XClient.exe  39
  PID 2908 wrote to memory of 2688  2908  XClient.exe  39
  PID 2908 wrote to memory of 2688  2908  XClient.exe  39
  PID 556 wrote to memory of 740    556   taskeng.exe  43
  PID 556 wrote to memory of 740    556   taskeng.exe  43
  PID 556 wrote to memory of 740    556   taskeng.exe  43
  PID 556 wrote to memory of 2024   556   taskeng.exe  44
  PID 556 wrote to memory of 2024   556   taskeng.exe  44
  PID 556 wrote to memory of 2024   556   taskeng.exe  44

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2908

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2320

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2132

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2868

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2876

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Scheduled Task/Job: Scheduled Task
      PID: 2688

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {3AFE4533-AF06-4727-868F-CC5FB537FE50} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 556

    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 740

    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2024
Network

MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 5cc5389ef90aa18cf62773f9edba53fb
SHA1: 978ae38f98186b1c3f145c3726405fc258c33164
SHA256: f01bca9ab698f77c899f51151a0538d86150838de2913c12ef762e9b03102661
SHA512: f3f2fc60252a0245ec63881792f8b88b18d0b75e5edb7b895e834bdd4e3ebae3f3f61584b043167a750d459cd043f45cc6ebca328c0b8edb5cd88fe9e0648c73

Filesize: 49KB
MD5: 9cda258445b322eb90f65b32ba86d86c
SHA1: d86a39dcc80db9cef23fc389dbbb6951ed7f908c
SHA256: 0aca70f4574b4f593ad118de1846cb744eed48473a8fd51759c37e508d44e50f
SHA512: f76c77b63b6e881cd6e9a436b5efe5e4a45a8e78126fcc6876ec6855ef2572ba7e9dec7200e32ddca78f232d451305f87729ee5989f3c8ed83cde53d132a1d9a