Analysis

  • max time kernel
    93s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/03/2025, 23:56

General

  • Target

    XClient.exe

  • Size

    34KB

  • MD5

    606d9b179157736ea5acad71ad50c0c7

  • SHA1

    dd88b6e09b9be71fe98ee1fa76c5f14f5e9ef84c

  • SHA256

    80a2ae9b77c4eafc3da22fac6025b340793c2bdbfef7b061cdc88bdea330e11a

  • SHA512

    c81d9e0e6f28869f6618c2904d317eb113514db2685621c674c0697e76c187249fd50a365cf07f6972c2a43970b4081e470a18dc631ca74cd1f606307fcdd2c7

  • SSDEEP

    768:OtH6rNd7AtFPNhzIgtoFk9Fy9Yx/Ojhe/Vcg:OtuNJyF0gtowFy9Yx/OjItcg

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    MellowFishy-29478.portmap.host:29478

  • Mutex

    k1tzVGcrL1gP53ej

Attributes
  • Install_directory

    %AppData%

  • install_file

    Realtek Audio Driver.exe

aes.plain

Signatures

  • Detect Xworm Payload (1 IoC)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)

    The extracted config names the persisted copy: %AppData%\Realtek Audio Driver.exe.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (1 IoC)

    Seen in the process tree as `timeout 3` launched from the dropped tmp42FF.tmp.bat.

  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp42FF.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:432
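As an added example that is not part of the sandbox report, the following is the detection logic a responder could run over Sysmon-style telemetry to find the behaviours recorded in the Signatures, Malware Config and Processes sections above: the Run key and startup-folder persistence pointing at %AppData%\Realtek Audio Driver.exe, the XClient.exe -> cmd.exe /c tmpXXXX.tmp.bat -> timeout.exe chain, the C2 host from the extracted config, and the payload SHA256. The event records are constructed to mirror the report; the SID, XClient.exe's parent PID, the network connection and the benign explorer.exe row are assumptions (the report's own Network section is empty, so the C2 connection is taken from the config, not from observed traffic). The rules are written to generalise past this sample: any Run key value pointing into AppData and any cmd.exe /c tmpXXXX.tmp.bat -> timeout chain launched from a user-writable path is flagged, not only the exact strings in this report.

```python
"""Hunt for the behaviours this report attributes to the XWorm sample in
Sysmon-style telemetry.  Added example; the event records are constructed to
mirror the report's process tree and extracted config, not captured logs."""
import re

# Indicators taken from the report's General and Malware Config sections.
PAYLOAD_SHA256 = "80a2ae9b77c4eafc3da22fac6025b340793c2bdbfef7b061cdc88bdea330e11a"
C2_HOST = "MellowFishy-29478.portmap.host"
C2_PORT = 29478
INSTALL_FILE = "Realtek Audio Driver.exe"

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# cmd.exe /c ""...\Temp\tmpXXXX.tmp.bat"" as seen in the report's process tree.
TEMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp\.bat", re.I)

# Constructed events (Sysmon event IDs: 1 process create, 3 network connect,
# 11 file create, 13 registry value set).  PIDs 4940/2700/432 follow the report;
# the SID, the parent PID 3100, the network row and the explorer.exe row are made up.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4940, "ppid": 3100,
     "image": r"C:\Users\Admin\AppData\Local\Temp\XClient.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\XClient.exe"',
     "sha256": PAYLOAD_SHA256},
    {"id": 11, "pid": 4940,
     "target": r"C:\Users\Admin\AppData\Roaming\Realtek Audio Driver.exe"},
    {"id": 11, "pid": 4940,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek Audio Driver.lnk"},
    {"id": 13, "pid": 4940,
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Realtek Audio Driver",
     "details": r"C:\Users\Admin\AppData\Roaming\Realtek Audio Driver.exe"},
    {"id": 1, "pid": 2700, "ppid": 4940, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp42FF.tmp.bat""'},
    {"id": 1, "pid": 432, "ppid": 2700, "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": "timeout 3"},
    {"id": 3, "pid": 4940, "dest_host": C2_HOST, "dest_port": C2_PORT},
    {"id": 1, "pid": 5000, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]


def hunt(events):
    """Return (rule, pid, evidence) tuples.  Single-event rules run per record;
    the batch/timeout rule needs the whole stream to walk parent PIDs."""
    hits = []
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    for e in events:
        if e["id"] == 1 and e.get("sha256", "").lower() == PAYLOAD_SHA256:
            hits.append(("known_xworm_hash", e["pid"], e["image"]))
        if e["id"] == 11:
            if e["target"].lower().endswith("\\" + INSTALL_FILE.lower()):
                hits.append(("xworm_install_file", e["pid"], e["target"]))
            if STARTUP_DIR_RE.search(e["target"]):
                hits.append(("startup_folder_drop", e["pid"], e["target"]))
        if e["id"] == 13 and RUN_KEY_RE.search(e["target"]) \
                and USER_WRITABLE_RE.search(e["details"]):
            hits.append(("run_key_to_user_writable_path", e["pid"], e["details"]))
        if e["id"] == 3 and e["dest_host"].lower().endswith(".portmap.host"):
            hits.append(("portmap_host_c2", e["pid"], f"{e['dest_host']}:{e['dest_port']}"))
    # Chain: process running from AppData -> cmd.exe /c tmpXXXX.tmp.bat -> timeout.exe.
    for child in procs.values():
        if not child["image"].lower().endswith("\\timeout.exe"):
            continue
        cmd = procs.get(child["ppid"])
        if not (cmd and cmd["image"].lower().endswith("\\cmd.exe")
                and TEMP_BAT_RE.search(cmd["cmdline"])):
            continue
        origin = procs.get(cmd["ppid"])
        if origin and USER_WRITABLE_RE.search(origin["image"]):
            hits.append(("temp_bat_timeout_chain", origin["pid"],
                         f"{origin['image']} -> {cmd['cmdline']} -> {child['cmdline']}"))
    return hits


if __name__ == "__main__":
    for rule, pid, evidence in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {evidence}")
```

Every hit lands on PID 4940: the chain rule deliberately attributes the tmp .bat / timeout pattern to the originating process rather than to cmd.exe or timeout.exe, which is where a responder should start the investigation, and the explorer.exe row produces nothing. Swapping SAMPLE_EVENTS for parsed Sysmon XML is the only change needed to run this against real telemetry.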

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp42FF.tmp.bat

    Filesize

    159B

    MD5

    718ff2486724bf5dc44bef6ab7d03a63

    SHA1

    a2dd9b33622365cc8cd622731ab2ff2a17db9b6d

    SHA256

    b49afcd2ef635da4131ca2682fca736e37e352a740d5377191daf4445c67ad6b

    SHA512

    29cc15563e637abe45e97691fe12964a565113426b497997287f1245aad9a2152bf7995bfa2f3a502187639a9ff6978442070d9c5ee5c0130309b86ff9df13f6

  • memory/4940-0-0x00007FFBDAF53000-0x00007FFBDAF55000-memory.dmp

    Filesize

    8KB

  • memory/4940-1-0x0000000000200000-0x000000000020E000-memory.dmp

    Filesize

    56KB

  • memory/4940-6-0x00007FFBDAF50000-0x00007FFBDBA11000-memory.dmp

    Filesize

    10.8MB

  • memory/4940-7-0x00007FFBDAF53000-0x00007FFBDAF55000-memory.dmp

    Filesize

    8KB

  • memory/4940-8-0x00007FFBDAF50000-0x00007FFBDBA11000-memory.dmp

    Filesize

    10.8MB

  • memory/4940-16-0x00007FFBDAF50000-0x00007FFBDBA11000-memory.dmp

    Filesize

    10.8MB