Analysis

  • max time kernel
    123s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-06-2024 16:44

General

  • Target

    XClient.exe

  • Size

    41KB

  • MD5

    c2c574a520f8d4ec451921142d6d1300

  • SHA1

    2bedca7ae5e8d0262411238f500e0ca6e9f696c6

  • SHA256

    7924b7ca79b85a3279076c0b78dd33cfa7bdbd50eeaa9a79ee1137b3ad92ce07

  • SHA512

    8e23e89faa4f9e3174c2c1835605ca9d89b992f6b018634ab95261637ea36f7a0263b90ce78cc9079f05aef681a8fa7bdedd7194d64deccff26efdad24ba5653

  • SSDEEP

    768:sd4LOwcmOsGuECAr43MxfJF5Pa9p+nL6iOwh13/ibX:skHcmOFrRrNRF49InL6iOwHar

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:21653

order-detail.gl.at.ply.gg:21653

Mutex

tceZXwc4o5YhEDzH

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\$77wsappx.exe '
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77wsappx.exe '
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2340
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77wsappx" /tr "C:\ProgramData\$77wsappx.exe "
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2800
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {BE2F9C0A-0F63-457A-960D-1C0B0DB7FC02} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\ProgramData\$77wsappx.exe
      C:\ProgramData\$77wsappx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
    • C:\ProgramData\$77wsappx.exe
      C:\ProgramData\$77wsappx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2992

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Command and Scripting Interpreter (1) T1059
    PowerShell (1) T1059.001
    Scheduled Task/Job (1) T1053
    Scheduled Task (1) T1053.005
  • Persistence
    Boot or Logon Autostart Execution (1) T1547
    Registry Run Keys / Startup Folder (1) T1547.001
    Scheduled Task/Job (1) T1053
    Scheduled Task (1) T1053.005
  • Privilege Escalation
    Boot or Logon Autostart Execution (1) T1547
    Registry Run Keys / Startup Folder (1) T1547.001
    Scheduled Task/Job (1) T1053
    Scheduled Task (1) T1053.005
  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    System Information Discovery (1) T1082
    Query Registry (1) T1012

Downloads

  • C:\ProgramData\$77wsappx.exe
    Filesize

    41KB

    MD5

    c2c574a520f8d4ec451921142d6d1300

    SHA1

    2bedca7ae5e8d0262411238f500e0ca6e9f696c6

    SHA256

    7924b7ca79b85a3279076c0b78dd33cfa7bdbd50eeaa9a79ee1137b3ad92ce07

    SHA512

    8e23e89faa4f9e3174c2c1835605ca9d89b992f6b018634ab95261637ea36f7a0263b90ce78cc9079f05aef681a8fa7bdedd7194d64deccff26efdad24ba5653

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    2da12c82d4a55d63bac741899d692a0c

    SHA1

    c84ddaf34e039c79eb9f1ab88eab168f29aa3286

    SHA256

    3ae165b6ac1732d23e591c659caa5774bf1e755c2eb729b0f512a3cbd9ea8882

    SHA512

    d44d0812394493741572a2c250572102aae4d01e87e8ce7c9e36d52bc637e88c3f06add2c0bf6c61fe58ce55ff71d0ab35b0ffe019b809e209a3a11bbbf40d2a

  • memory/1088-35-0x0000000000270000-0x0000000000280000-memory.dmp
    Filesize

    64KB

  • memory/2444-30-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp
    Filesize

    4KB

  • memory/2444-1-0x0000000000FA0000-0x0000000000FB0000-memory.dmp
    Filesize

    64KB

  • memory/2444-2-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp
    Filesize

    9.9MB

  • memory/2444-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp
    Filesize

    4KB

  • memory/2444-31-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp
    Filesize

    9.9MB

  • memory/2596-14-0x000000001B300000-0x000000001B5E2000-memory.dmp
    Filesize

    2.9MB

  • memory/2596-15-0x0000000002290000-0x0000000002298000-memory.dmp
    Filesize

    32KB

  • memory/2708-8-0x0000000002590000-0x0000000002598000-memory.dmp
    Filesize

    32KB

  • memory/2708-7-0x000000001B180000-0x000000001B462000-memory.dmp
    Filesize

    2.9MB

  • memory/2992-38-0x0000000001180000-0x0000000001190000-memory.dmp
    Filesize

    64KB