Resubmissions

  • 27/01/2025, 20:41  250127-zgfs3svqbp  (score 10)
  • 27/01/2025, 20:36  250127-zdvstsvkcy  (score 10)
  • 27/01/2025, 20:32  250127-zbph2avnfr  (score 10)

Analysis

  • max time kernel
    121s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2025, 20:41

General

  • Target: XClient.exe
  • Size: 49KB
  • MD5: 9cda258445b322eb90f65b32ba86d86c
  • SHA1: d86a39dcc80db9cef23fc389dbbb6951ed7f908c
  • SHA256: 0aca70f4574b4f593ad118de1846cb744eed48473a8fd51759c37e508d44e50f
  • SHA512: f76c77b63b6e881cd6e9a436b5efe5e4a45a8e78126fcc6876ec6855ef2572ba7e9dec7200e32ddca78f232d451305f87729ee5989f3c8ed83cde53d132a1d9a
  • SSDEEP: 768:DaT5ryS4lEW64POSn1iQK4kb2UULNwLdVvM6wEO1hEjdoHj:GNrH+EWR5rkbzeNivM6wEO1yaj

Malware Config

Extracted

Family

xworm

C2

sponef159-35748.portmap.host:35748

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7508868671:AAG6XIOhz39IrQIUnjub1TKVOVZHfdjpsvM/sendMessage?chat_id=6094400048

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths, and processes. Here the sample excludes both its own path and process name and the %AppData%\svchost.exe copy it is about to install, so the dropped binary is never scanned.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    schtasks.exe is often used by malware for persistence or for post-infection execution. The task created here runs the dropped %AppData%\svchost.exe every minute with the highest run level.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 2908)
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    Children of PID 2908:
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2320)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2132)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2868)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2876)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\System32\schtasks.exe (PID 2688)
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      • Scheduled Task/Job: Scheduled Task
  • C:\Windows\system32\taskeng.exe (PID 556)
    taskeng.exe {3AFE4533-AF06-4727-868F-CC5FB537FE50} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
    • Suspicious use of WriteProcessMemory
    Children of PID 556 (the "svchost" task firing on its one-minute trigger):
    • C:\Users\Admin\AppData\Roaming\svchost.exe (PID 740)
      C:\Users\Admin\AppData\Roaming\svchost.exe
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
    • C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2024)
      C:\Users\Admin\AppData\Roaming\svchost.exe
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
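Added example (not code from the report, from tria.ge, or from the XWorm family): a Python triage pass over process-creation records constructed from the tree above. It extracts the Add-MpPreference exclusions, parses the schtasks /create line, flags svchost.exe running from outside System32/SysWOW64, and correlates the exclusion of %AppData%\svchost.exe with the task that launches it. The ProcEvent records, rule names and thresholds (a minute trigger with /mo of 5 or less, the trusted directory list) are assumptions of the example; the parsing itself is generic to any Add-MpPreference or schtasks command line.

```python
"""Triage of the behaviour in this report's process tree: PowerShell
Add-MpPreference exclusions, a one-minute schtasks persistence entry and a
dropped binary masquerading as svchost.exe.  Added example, not code from
tria.ge or from XWorm; the event records below are constructed from the
command lines shown in the report, the parsing is generic."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged (e.g. Sysmon event ID 1)


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS = f'"{PS_IMAGE}" -ExecutionPolicy Bypass Add-MpPreference '
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\svchost.exe"

# Constructed records mirroring the report's process tree (same PIDs and paths).
EVENTS = [
    ProcEvent(2908, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2320, 2908, PS_IMAGE, PS + f"-ExclusionPath '{SAMPLE}'"),
    ProcEvent(2132, 2908, PS_IMAGE, PS + "-ExclusionProcess 'XClient.exe'"),
    ProcEvent(2868, 2908, PS_IMAGE, PS + f"-ExclusionPath '{DROP}'"),
    ProcEvent(2876, 2908, PS_IMAGE, PS + "-ExclusionProcess 'svchost.exe'"),
    ProcEvent(2688, 2908, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST '
              f'/sc minute /mo 1 /tn "svchost" /tr "{DROP}"'),
    ProcEvent(740, 556, DROP, DROP),    # launched by taskeng.exe (PID 556)
    ProcEvent(2024, 556, DROP, DROP),
]

# -Exclusion<Kind> followed by a single-quoted, double-quoted or bare value.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"
    r"""(?:'([^']*)'|"([^"]*)"|(\S+))""", re.I)
# schtasks switches of interest, each with a quoted or bare argument.
TASK_FLAG_RE = re.compile(r'/(sc|mo|rl|tn|tr)\s+(?:"([^"]*)"|(\S+))', re.I)
# Directories the genuine svchost.exe runs from (assumption of this example).
TRUSTED_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_task(cmdline: str):
    """Return the /sc /mo /rl /tn /tr arguments of a 'schtasks /create' line."""
    if "/create" not in cmdline.lower():
        return None
    return {k.lower(): quoted or bare
            for k, quoted, bare in TASK_FLAG_RE.findall(cmdline)}


def triage(events):
    """Return a list of findings. Exclusions seen earlier are remembered so a
    task whose action was just excluded from Defender gets an extra reason."""
    findings, excluded = [], set()
    for e in events:
        base = ntpath.basename(e.image).lower()
        m = EXCLUSION_RE.search(e.cmdline)
        if m:
            value = m.group(2) or m.group(3) or m.group(4)
            excluded.add(value.lower())
            findings.append({"rule": "defender_exclusion", "pid": e.pid,
                             "kind": m.group(1), "value": value})
        task = parse_task(e.cmdline) if base == "schtasks.exe" else None
        if task:
            reasons, action, mo = [], task.get("tr", ""), task.get("mo", "1")
            if task.get("sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
                reasons.append(f"runs every {mo} minute(s)")
            if task.get("rl", "").upper() == "HIGHEST":
                reasons.append("requests highest run level")
            if "\\appdata\\" in action.lower():
                reasons.append("action lives in the user profile")
            if action.lower() in excluded:
                reasons.append("action was excluded from Defender beforehand")
            if reasons:
                findings.append({"rule": "suspicious_scheduled_task", "pid": e.pid,
                                 "name": task.get("tn"), "action": action,
                                 "reasons": reasons})
        if base == "svchost.exe" and \
                ntpath.dirname(e.image).lower() not in TRUSTED_SVCHOST_DIRS:
            findings.append({"rule": "svchost_masquerade", "pid": e.pid,
                             "image": e.image})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

On a live host the same three checks map to Get-MpPreference (ExclusionPath and ExclusionProcess), schtasks /query or Get-ScheduledTask, and the image path of any svchost.exe process; clean-up order matters, since deleting the task while the exclusions remain leaves the dropped file unscanned if it is re-created.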

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 5cc5389ef90aa18cf62773f9edba53fb
    SHA1: 978ae38f98186b1c3f145c3726405fc258c33164
    SHA256: f01bca9ab698f77c899f51151a0538d86150838de2913c12ef762e9b03102661
    SHA512: f3f2fc60252a0245ec63881792f8b88b18d0b75e5edb7b895e834bdd4e3ebae3f3f61584b043167a750d459cd043f45cc6ebca328c0b8edb5cd88fe9e0648c73

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize: 49KB
    MD5: 9cda258445b322eb90f65b32ba86d86c
    SHA1: d86a39dcc80db9cef23fc389dbbb6951ed7f908c
    SHA256: 0aca70f4574b4f593ad118de1846cb744eed48473a8fd51759c37e508d44e50f
    SHA512: f76c77b63b6e881cd6e9a436b5efe5e4a45a8e78126fcc6876ec6855ef2572ba7e9dec7200e32ddca78f232d451305f87729ee5989f3c8ed83cde53d132a1d9a
    All hashes match the submitted XClient.exe: the install step copies the sample unmodified to %AppData%\svchost.exe, so the same file hashes identify both the original and the persisted copy.

  • memory/740-36-0x00000000011F0000-0x0000000001202000-memory.dmp (72KB)
  • memory/2132-15-0x0000000002810000-0x0000000002818000-memory.dmp (32KB)
  • memory/2132-14-0x000000001B530000-0x000000001B812000-memory.dmp (2.9MB)
  • memory/2320-7-0x000000001B590000-0x000000001B872000-memory.dmp (2.9MB)
  • memory/2320-8-0x00000000029A0000-0x00000000029A8000-memory.dmp (32KB)
  • memory/2320-6-0x00000000029C0000-0x0000000002A40000-memory.dmp (512KB)
  • memory/2908-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp (4KB)
  • memory/2908-30-0x000000001B2D0000-0x000000001B350000-memory.dmp (512KB)
  • memory/2908-31-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp (4KB)
  • memory/2908-32-0x000000001B2D0000-0x000000001B350000-memory.dmp (512KB)
  • memory/2908-1-0x0000000000990000-0x00000000009A2000-memory.dmp (72KB)