Overview

overview

10

Static

static

10

XClient.exe

windows10-2004-x64

10

XClient.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XClient (1).zip

  • Size

    40KB

  • Sample

    240628-r2lk3axeqp

  • MD5

    c124b1503bd3c0d9a44033501df264d3

  • SHA1

    ff2f7e99e97ef598e0ab02d6847cda26749f2a34

  • SHA256

    4284e1cef08f8eeb36b70e700d580f34294253d7e0692bdd687240bd534923bc

  • SHA512

    406d366857a26e41f3b528c8a63f6a825aa2247c0741655bd46131733ae1b4a442688804c5ffe231a2f50c4e85a56caa20f8b227268c0e6bcf9e99bfe3bc20d9

  • SSDEEP

    768:d40+jmP3ntHPr6c1gK51rELoMWiIjAh8rwAAXjtvsbUkmkz/v/VZJtvF7ILg0nBT:dCqP3tHT6TK51rlAXjtvsJ9RvlILguR/

Score
10/10
ramnitxwormbankerevasionexecutionpersistenceratspywarestealertrojanupxworm

Malware Config

Targets

    • Target

      XClient.exe

    • Size

      69KB

    • MD5

      95ffbe3fbb27e900e3bf7012175efc24

    • SHA1

      b386127111d1c82f20e4625b805aa8a01dae9192

    • SHA256

      aeea4b2f2f8d924f36c902d96c0b77182984530acaedb33b3124665c4b2f769f

    • SHA512

      409ede5eff17f9d239adae7df9a594072b828088e9a19d173f7064b89f678ee36a6b25db4ba0db6bb74521d7e88b12f737b8d80abd7854476df94aa89edacc95

    • SSDEEP

      1536:ALSNQK0UvT9Mti+zoQ+bVEmuZAauL67LHXOoG1U2CEW1:AeN1/QX+bCY6HXOv4EG

    Score
    10/10
    ramnitxwormbankerevasionexecutionpersistenceratspywarestealertrojanupxworm

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

      trojanspywarestealerwormbankerramnit

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

      evasiontrojan

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Disables Task Manager via registry modification

      evasion

    • Drops file in Drivers directory

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks