Overview

overview

10

Static

static

10

vm.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    88s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/04/2025, 13:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vm.exe

  • Size

    63KB

  • MD5

    d7d169c7173b67f881c5b04aed08c0eb

  • SHA1

    916cac2d81230bf709ce6fe4894ec74b3fb91a33

  • SHA256

    ac6c77f1af1db36464ec184588cab3db8f7ce1541d4bc5b91c2b814d5f36fc7f

  • SHA512

    1116890516958b2772b3903cf50fa55169534b3a867c0644134d575d0bccd8dc31dd175c007874e50b121e34effab5676fd1282b70331941d0ce46284e7d8d47

  • SSDEEP

    1536:C3UPUE/R41nfBEKU+bB2YFIrG6vUdb346tQD8O9r3gnst:CcSpEX+bBTiM9XJOBwst

Score
10/10
stormkittyxwormdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:17560

login-eye.gl.at.ply.gg:17560

147.185.221.27:17560
Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\vm.exe
    "C:\Users\Admin\AppData\Local\Temp\vm.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\vm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4216
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3412
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4524
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1352
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    454c5c4b128d34aee2eb765f2a9c0aa9

    SHA1

    4b6e92db79d964f604fd6b261b3b19ede2aea8a5

    SHA256

    e1e65d1697b9ac59805f677cbc8eec623a899b75b1389354f0948ad3c1513772

    SHA512

    17b4e146ef4f8862d06ac975204cca9ef9b077420256df92d94409715b18efb4dc63879154c1c234317a169ac63024ed43b5cb52473882dc46c588af089f25d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    ada3bbf645850fada48785399a44c2e9

    SHA1

    0421c13b7bb2120e078e18a9d4f5118743c1c8bd

    SHA256

    cff75b20b3479f35242de2571318472607db1aa0a52db62c1c01a89bccb8491d

    SHA512

    6e0b2753850b1da38dddba4059a6ab2261a244e25bd078afc1bfb78743505dcc405caef08753134faa30bf9f4c8cd5d862405407aeb5c73ae7e86072da366c82

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    60945d1a2e48da37d4ce8d9c56b6845a

    SHA1

    83e80a6acbeb44b68b0da00b139471f428a9d6c1

    SHA256

    314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

    SHA512

    5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvlowsig.b5a.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XClient.exe
    Filesize

    63KB

    MD5

    d7d169c7173b67f881c5b04aed08c0eb

    SHA1

    916cac2d81230bf709ce6fe4894ec74b3fb91a33

    SHA256

    ac6c77f1af1db36464ec184588cab3db8f7ce1541d4bc5b91c2b814d5f36fc7f

    SHA512

    1116890516958b2772b3903cf50fa55169534b3a867c0644134d575d0bccd8dc31dd175c007874e50b121e34effab5676fd1282b70331941d0ce46284e7d8d47

    Download Submit

  • memory/2812-56-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2812-0-0x00007FF9B00B3000-0x00007FF9B00B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2812-61-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2812-1-0x0000000000850000-0x0000000000866000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2812-64-0x000000001DA80000-0x000000001DBA0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2812-100-0x00000000010D0000-0x00000000010DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4964-17-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4964-14-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4964-13-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4964-12-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4964-7-0x000001FB6C640000-0x000001FB6C662000-memory.dmp

    Filesize

    136KB

    Download