xworm | dd234898a4e49168729350bc7442acd77f35d53eede8edbb268cdec2a48bf774

Analysis

max time kernel
110s
max time network
122s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09/03/2025, 14:33

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XClient.exe
Size

35KB
MD5

f5353c9e72508e5ee45fdd009e6b43db
SHA1

2fe825365aa07e610c1ba85d54c5f0d171750c04
SHA256

dd234898a4e49168729350bc7442acd77f35d53eede8edbb268cdec2a48bf774
SHA512

7bae76390749284f2ec904d5818786bd45bb382be2cd2782af7d6fd4b0aeeac71db14946a6d486da0956e0b29a391d614a39bc23f88ad2713e926c964a2be560
SSDEEP

768:SHs7Dzumj2frksy1TxVP+sVFyw9b2O/hDy8j:SM7DzumnpSKFr9b2O/Bxj

Score

10^/10

xworm bootkit discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

client-presence.gl.at.ply.gg:50976

Mutex

ZVJ9lOsEvNQZTKC6

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2644-1-0x0000000000310000-0x0000000000320000-memory.dmp	family_xworm
behavioral1/files/0x000b000000027e19-9.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\International\Geo\Nation	svxssi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\International\Geo\Nation	brcqbe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\International\Geo\Nation	MasonMBR-S.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 8 IoCs

pid	Process
4072	XClient.exe
2336	svxssi.exe
4616	XClient.exe
1052	MasonMBR-S.exe
3808	MasonGDI.exe
440	MasonRootkit.exe
1264	brcqbe.exe
2296	MasonMBR-L.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MasonMBR-L.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\MasonMBR	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MasonGDI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MasonMBR-L.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\e4bfbfdf_0	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\e4bfbfdf_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_8086&dev_0022&subsys_80860022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Users\\Admin\\AppData\\Local\\Temp\\MasonGDI.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={E10369F7-CB22-4E8E-917F-FDC37A4E0C57}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1741530918"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 09 Mar 2025 14:35:19 GMT"	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3580	schtasks.exe
3556	schtasks.exe
2332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe
440	MasonRootkit.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	XClient.exe
Token: SeDebugPrivilege	2644	XClient.exe
Token: SeDebugPrivilege	4072	XClient.exe
Token: SeDebugPrivilege	4616	XClient.exe
Token: SeDebugPrivilege	440	MasonRootkit.exe
Token: 33	2012	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2012	AUDIODG.EXE
Token: SeShutdownPrivilege	3584	Explorer.EXE
Token: SeCreatePagefilePrivilege	3584	Explorer.EXE
Token: SeShutdownPrivilege	2296	MasonMBR-L.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1628	Conhost.exe

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2868	svchost.exe
2868	svchost.exe
944	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 3580	2644	XClient.exe	88
PID 2644 wrote to memory of 3580	2644	XClient.exe	88
PID 2644 wrote to memory of 2336	2644	XClient.exe	95
PID 2644 wrote to memory of 2336	2644	XClient.exe	95
PID 2336 wrote to memory of 3556	2336	svxssi.exe	97
PID 2336 wrote to memory of 3556	2336	svxssi.exe	97
PID 2336 wrote to memory of 1052	2336	svxssi.exe	99
PID 2336 wrote to memory of 1052	2336	svxssi.exe	99
PID 2336 wrote to memory of 3808	2336	svxssi.exe	100
PID 2336 wrote to memory of 3808	2336	svxssi.exe	100
PID 2336 wrote to memory of 3808	2336	svxssi.exe	100
PID 2336 wrote to memory of 440	2336	svxssi.exe	101
PID 2336 wrote to memory of 440	2336	svxssi.exe	101
PID 440 wrote to memory of 624	440	MasonRootkit.exe	5
PID 440 wrote to memory of 680	440	MasonRootkit.exe	7
PID 440 wrote to memory of 964	440	MasonRootkit.exe	12
PID 440 wrote to memory of 476	440	MasonRootkit.exe	13
PID 440 wrote to memory of 436	440	MasonRootkit.exe	14
PID 440 wrote to memory of 752	440	MasonRootkit.exe	15
PID 440 wrote to memory of 884	440	MasonRootkit.exe	16
PID 440 wrote to memory of 1040	440	MasonRootkit.exe	17
PID 440 wrote to memory of 1068	440	MasonRootkit.exe	18
PID 440 wrote to memory of 1088	440	MasonRootkit.exe	19
PID 440 wrote to memory of 1196	440	MasonRootkit.exe	20
PID 440 wrote to memory of 1288	440	MasonRootkit.exe	22
PID 440 wrote to memory of 1368	440	MasonRootkit.exe	23
PID 440 wrote to memory of 1396	440	MasonRootkit.exe	24
PID 440 wrote to memory of 1512	440	MasonRootkit.exe	25
PID 440 wrote to memory of 1540	440	MasonRootkit.exe	26
PID 440 wrote to memory of 1556	440	MasonRootkit.exe	27
PID 440 wrote to memory of 1616	440	MasonRootkit.exe	28
PID 440 wrote to memory of 1672	440	MasonRootkit.exe	29
PID 440 wrote to memory of 1728	440	MasonRootkit.exe	30
PID 440 wrote to memory of 1788	440	MasonRootkit.exe	31
PID 440 wrote to memory of 1900	440	MasonRootkit.exe	32
PID 440 wrote to memory of 1996	440	MasonRootkit.exe	33
PID 440 wrote to memory of 2020	440	MasonRootkit.exe	34
PID 440 wrote to memory of 2028	440	MasonRootkit.exe	35
PID 440 wrote to memory of 1404	440	MasonRootkit.exe	36
PID 440 wrote to memory of 1668	440	MasonRootkit.exe	37
PID 440 wrote to memory of 2136	440	MasonRootkit.exe	38
PID 440 wrote to memory of 2272	440	MasonRootkit.exe	39
PID 440 wrote to memory of 2408	440	MasonRootkit.exe	41
PID 440 wrote to memory of 2464	440	MasonRootkit.exe	42
PID 440 wrote to memory of 2652	440	MasonRootkit.exe	43
PID 440 wrote to memory of 2664	440	MasonRootkit.exe	44
PID 440 wrote to memory of 2756	440	MasonRootkit.exe	45
PID 440 wrote to memory of 2784	440	MasonRootkit.exe	46
PID 440 wrote to memory of 2800	440	MasonRootkit.exe	47
PID 440 wrote to memory of 2868	440	MasonRootkit.exe	48
PID 440 wrote to memory of 2944	440	MasonRootkit.exe	49
PID 440 wrote to memory of 2952	440	MasonRootkit.exe	50
PID 440 wrote to memory of 2964	440	MasonRootkit.exe	51
PID 1900 wrote to memory of 2012	1900	svchost.exe	102
PID 1900 wrote to memory of 2012	1900	svchost.exe	102
PID 440 wrote to memory of 2012	440	MasonRootkit.exe	102
PID 680 wrote to memory of 2944	680	lsass.exe	49
PID 440 wrote to memory of 2972	440	MasonRootkit.exe	52
PID 440 wrote to memory of 1936	440	MasonRootkit.exe	53
PID 440 wrote to memory of 3260	440	MasonRootkit.exe	54
PID 440 wrote to memory of 3584	440	MasonRootkit.exe	56
PID 440 wrote to memory of 3620	440	MasonRootkit.exe	57
PID 440 wrote to memory of 3760	440	MasonRootkit.exe	58
PID 440 wrote to memory of 4056	440	MasonRootkit.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1040

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1288
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1616
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x8c 0x40c
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2136

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Suspicious use of UnmapMainImage
PID:2868

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:1936

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3580
- - C:\Users\Admin\AppData\Local\Temp\svxssi.exe
    "C:\Users\Admin\AppData\Local\Temp\svxssi.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "MasonMBR" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\\MasonMBR.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\MasonMBR-S.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonMBR-S.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1052
    - - C:\Users\Admin\AppData\Local\Temp\MasonMBR-L.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MasonMBR-L.exe"
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3808
  - - C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:440
- - C:\Users\Admin\AppData\Local\Temp\brcqbe.exe
    "C:\Users\Admin\AppData\Local\Temp\brcqbe.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1264
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "MasonMBR" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\\MasonMBR.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2332
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:776

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4892

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:700

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3116

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2120

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2320

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3364

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe

Filesize
147KB

MD5
fd138f51961f3071e135dae4e279ca7d

SHA1
63a107425ab4b3515b4c6545076ac6721a459717

SHA256
24f189af6d0c0af7dbdbf230183423d34d9cc3c06f55fa911145dcc19e3a6eb6

SHA512
f0d596ebe25c89907018f4d5ca4635df28c7f7095c81bd4d6f6b0819301bd113fb2469d643c02b5d41f2ce523e8539c1a97a817160ee0074d6e1f0a7951e7804

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonMBR-S.exe

Filesize
58KB

MD5
1b120dcde4b7be948179d53257c71423

SHA1
efd894e18d8d9eb8b0af9e8eeaa0d44be04a7b62

SHA256
34c657218a5d7702de283691e868f61c1f50ffcd9e6c6bd3f0336bda904975aa

SHA512
fb5ac3cdc836926919710edb15f0e4cb54a72f74122566ac2a965efb1b36daa94cdf01b4b984203d0d4c0deb0791f65d20d675029b40fa7e1baafd3194e4dbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonMBR.exe

Filesize
93KB

MD5
b92a9c7baa9414d17e93112f621734b8

SHA1
f8f74b452bf78fd0dda4601d219d99d000d57606

SHA256
b9177dd0173b676408b79085e0a18a4bf35356b76acf79aa6039a36911796e3c

SHA512
0ab4781877b788acdf0c8ac9fd18e71fcf8a42f960e4b12ae0b81dbbe8abc25092ff4119c877863814e97180a6ade73ec567809e21ca5e8f543f7e7690c7d9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svxssi.exe

Filesize
482KB

MD5
85e11c1d67aec0150757e3255d8231b7

SHA1
9167c5ea4a23d59f38e82f128f2b1a2dbbd88cea

SHA256
b6dac480e4c7f15e8de6633ee9b52b3bda0b6b2f1897a76ddb4ab0ffb76b2588

SHA512
a25fcf6c359a00e5671b08dbf91fde79fe14e9720d8d8b4980584fbb32f9bba78a8cc8760e5c504fad894e34df1d2693bd1d161539ad4597df3c50c84c1c5e51

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
35KB

MD5
f5353c9e72508e5ee45fdd009e6b43db

SHA1
2fe825365aa07e610c1ba85d54c5f0d171750c04

SHA256
dd234898a4e49168729350bc7442acd77f35d53eede8edbb268cdec2a48bf774

SHA512
7bae76390749284f2ec904d5818786bd45bb382be2cd2782af7d6fd4b0aeeac71db14946a6d486da0956e0b29a391d614a39bc23f88ad2713e926c964a2be560

Download Submit
memory/436-97-0x0000027D0C0B0000-0x0000027D0C0DB000-memory.dmp

Filesize
172KB

Download
memory/436-98-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/440-81-0x00007FF852CC0000-0x00007FF852D7D000-memory.dmp

Filesize
756KB

Download
memory/440-78-0x00007FF8535D0000-0x00007FF8537C8000-memory.dmp

Filesize
2.0MB

Download
memory/476-95-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/476-94-0x000001D8F1D90000-0x000001D8F1DBB000-memory.dmp

Filesize
172KB

Download
memory/624-83-0x000001B215200000-0x000001B215225000-memory.dmp

Filesize
148KB

Download
memory/624-86-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/624-85-0x000001B215230000-0x000001B21525B000-memory.dmp

Filesize
172KB

Download
memory/680-88-0x000001BB94770000-0x000001BB9479B000-memory.dmp

Filesize
172KB

Download
memory/680-89-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/752-127-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/752-126-0x00000274C43B0000-0x00000274C43DB000-memory.dmp

Filesize
172KB

Download
memory/884-129-0x000001E07BB40000-0x000001E07BB6B000-memory.dmp

Filesize
172KB

Download
memory/884-130-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/964-101-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/964-100-0x000002195A900000-0x000002195A92B000-memory.dmp

Filesize
172KB

Download
memory/1040-112-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/1040-111-0x000002477C640000-0x000002477C66B000-memory.dmp

Filesize
172KB

Download
memory/1052-62-0x0000000000BC0000-0x0000000000BD4000-memory.dmp

Filesize
80KB

Download
memory/1068-132-0x000001FDED790000-0x000001FDED7BB000-memory.dmp

Filesize
172KB

Download
memory/1068-133-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/1088-115-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/1088-114-0x0000018F7AD70000-0x0000018F7AD9B000-memory.dmp

Filesize
172KB

Download
memory/1196-118-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/1196-117-0x000002774EDD0000-0x000002774EDFB000-memory.dmp

Filesize
172KB

Download
memory/1264-389-0x00000000003A0000-0x000000000041E000-memory.dmp

Filesize
504KB

Download
memory/1288-121-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/1288-120-0x0000020616690000-0x00000206166BB000-memory.dmp

Filesize
172KB

Download
memory/1368-124-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/1368-123-0x000001FC505B0000-0x000001FC505DB000-memory.dmp

Filesize
172KB

Download
memory/1396-136-0x00000211DB330000-0x00000211DB35B000-memory.dmp

Filesize
172KB

Download
memory/1396-137-0x00007FF813650000-0x00007FF813660000-memory.dmp

Filesize
64KB

Download
memory/2336-80-0x000000001BA70000-0x000000001BC17000-memory.dmp

Filesize
1.7MB

Download
memory/2336-31-0x0000000002730000-0x0000000002786000-memory.dmp

Filesize
344KB

Download
memory/2336-30-0x0000000000620000-0x000000000069E000-memory.dmp

Filesize
504KB

Download
memory/2644-32-0x000000001BA50000-0x000000001BA5C000-memory.dmp

Filesize
48KB

Download
memory/2644-7-0x00007FF8351D0000-0x00007FF835C92000-memory.dmp

Filesize
10.8MB

Download
memory/2644-6-0x00007FF8351D0000-0x00007FF835C92000-memory.dmp

Filesize
10.8MB

Download
memory/2644-0-0x00007FF8351D3000-0x00007FF8351D5000-memory.dmp

Filesize
8KB

Download
memory/2644-1-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/3808-82-0x0000000000EF0000-0x0000000000F1A000-memory.dmp

Filesize
168KB

Download
memory/3808-165-0x0000000006760000-0x00000000067F2000-memory.dmp

Filesize
584KB

Download
memory/4072-12-0x00007FF8351D0000-0x00007FF835C92000-memory.dmp

Filesize
10.8MB

Download
memory/4072-10-0x00007FF8351D0000-0x00007FF835C92000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads