Analysis
-
max time kernel
123s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted
29-06-2024 16:44
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
XClient.exe
Resource
win10v2004-20240611-en
General
-
Target
XClient.exe
-
Size
41KB
-
MD5
c2c574a520f8d4ec451921142d6d1300
-
SHA1
2bedca7ae5e8d0262411238f500e0ca6e9f696c6
-
SHA256
7924b7ca79b85a3279076c0b78dd33cfa7bdbd50eeaa9a79ee1137b3ad92ce07
-
SHA512
8e23e89faa4f9e3174c2c1835605ca9d89b992f6b018634ab95261637ea36f7a0263b90ce78cc9079f05aef681a8fa7bdedd7194d64deccff26efdad24ba5653
-
SSDEEP
768:sd4LOwcmOsGuECAr43MxfJF5Pa9p+nL6iOwh13/ibX:skHcmOFrRrNRF49InL6iOwHar
Malware Config
Extracted
family: xworm
version: 5.0
C2: 127.0.0.1:21653 (loopback; a builder placeholder, not a reachable server)
C2: order-detail.gl.at.ply.gg:21653 (a playit.gg tunnel endpoint, so the operator's real host sits behind the tunnel service)
tceZXwc4o5YhEDzH (unlabelled value in the extracted config)
-
Install_directory
%ProgramData%
-
install_file
USB.exe
Note: the install name observed in this run is $77wsappx.exe (see the process tree and Downloads below), not USB.exe; only the install directory matches the extracted config, so build indicators from the observed artefacts rather than from the config alone.
Signatures
-
Detect Xworm Payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2444-1-0x0000000000FA0000-0x0000000000FB0000-memory.dmp | family_xworm
C:\ProgramData\$77wsappx.exe | family_xworm
behavioral1/memory/1088-35-0x0000000000270000-0x0000000000280000-memory.dmp | family_xworm
behavioral1/memory/2992-38-0x0000000001180000-0x0000000001190000-memory.dmp | family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes so the dropped payload is never scanned.
Processes:
pid | process
2340 | powershell.exe
2708 | powershell.exe
2596 | powershell.exe
2480 | powershell.exe
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77wsappx.lnk | XClient.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77wsappx.lnk | XClient.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
1088 | $77wsappx.exe
2992 | $77wsappx.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77wsappx = "C:\\ProgramData\\$77wsappx.exe " | XClient.exe
Note the trailing space after .exe inside the Run value (the same trailing space appears in the scheduled task action and the Defender exclusions); copy the indicator exactly when writing detections.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
2 | ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
2708 | powershell.exe
2596 | powershell.exe
2480 | powershell.exe
2340 | powershell.exe
2444 | XClient.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2444 | XClient.exe
Token: SeDebugPrivilege | 2708 | powershell.exe
Token: SeDebugPrivilege | 2596 | powershell.exe
Token: SeDebugPrivilege | 2480 | powershell.exe
Token: SeDebugPrivilege | 2340 | powershell.exe
Token: SeDebugPrivilege | 2444 | XClient.exe
Token: SeDebugPrivilege | 1088 | $77wsappx.exe
Token: SeDebugPrivilege | 2992 | $77wsappx.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2444 | XClient.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 2444 wrote to memory of 2708 | 2444 | XClient.exe | powershell.exe
PID 2444 wrote to memory of 2708 | 2444 | XClient.exe | powershell.exe
PID 2444 wrote to memory of 2708 | 2444 | XClient.exe | powershell.exe
PID 2444 wrote to memory of 2596 | 2444 | XClient.exe | powershell.exe
PID 2444 wrote to memory of 2596 | 2444 | XClient.exe | powershell.exe
PID 2444 wrote to memory of 2596 | 2444 | XClient.exe | powershell.exe
PID 2444 wrote to memory of 2480 | 2444 | XClient.exe | powershell.exe
PID 2444 wrote to memory of 2480 | 2444 | XClient.exe | powershell.exe
PID 2444 wrote to memory of 2480 | 2444 | XClient.exe | powershell.exe
PID 2444 wrote to memory of 2340 | 2444 | XClient.exe | powershell.exe
PID 2444 wrote to memory of 2340 | 2444 | XClient.exe | powershell.exe
PID 2444 wrote to memory of 2340 | 2444 | XClient.exe | powershell.exe
PID 2444 wrote to memory of 2800 | 2444 | XClient.exe | schtasks.exe
PID 2444 wrote to memory of 2800 | 2444 | XClient.exe | schtasks.exe
PID 2444 wrote to memory of 2800 | 2444 | XClient.exe | schtasks.exe
PID 2152 wrote to memory of 1088 | 2152 | taskeng.exe | $77wsappx.exe
PID 2152 wrote to memory of 1088 | 2152 | taskeng.exe | $77wsappx.exe
PID 2152 wrote to memory of 1088 | 2152 | taskeng.exe | $77wsappx.exe
PID 2152 wrote to memory of 2992 | 2152 | taskeng.exe | $77wsappx.exe
PID 2152 wrote to memory of 2992 | 2152 | taskeng.exe | $77wsappx.exe
PID 2152 wrote to memory of 2992 | 2152 | taskeng.exe | $77wsappx.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\$77wsappx.exe '
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77wsappx.exe '
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\System32\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77wsappx" /tr "C:\ProgramData\$77wsappx.exe "
    - Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {BE2F9C0A-0F63-457A-960D-1C0B0DB7FC02} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  -
  C:\ProgramData\$77wsappx.exe
    command line: C:\ProgramData\$77wsappx.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\ProgramData\$77wsappx.exe
    command line: C:\ProgramData\$77wsappx.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
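The process tree above is the whole defence-evasion and persistence chain in one place: four PowerShell calls that exclude the sample and its copy from Defender, a schtasks.exe call that relaunches the copy every minute at the highest run level, and the task engine then starting the copy from %ProgramData%. The following detector is an added example written for this report, not the sandbox's own signature logic and not code from the sample. It replays constructed process-creation events whose PIDs and command lines are copied from the report (the parents of XClient.exe and taskeng.exe, the benign control event with PID 3001, and the event field names are assumptions) and shows how the "Command and Scripting Interpreter: PowerShell" and "Scheduled Task" signatures can be expressed as rules, plus one correlation the page does not state explicitly: the Defender exclusion covers exactly the file the scheduled task keeps relaunching.

```python
"""Detector for the Defender-exclusion and scheduled-task chain in the process tree.

Added example (not part of the sandbox report or the sample). Events are
constructed from the report; parents of the first two processes, the benign
control event and the field names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# A binary living under one of these is user-writable, i.e. not a managed install.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")
LOLBINS = {"powershell.exe", "pwsh.exe", "schtasks.exe", "cmd.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# taskeng.exe hosts task actions on Windows 7; on Windows 10 the Schedule
# service runs inside svchost.exe, so both count as task hosts here.
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}

MP_PREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# Single-quoted PowerShell strings are literal, so '$77wsappx.exe ' is taken verbatim.
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
# A schtasks switch and its optional value; a value never starts with '/'.
SCHTASKS_RE = re.compile(r'/(sc|mo|rl|tn|tr)\b\s*(?:"([^"]*)"|(?!/)(\S+))?', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def schtasks_args(cmdline: str) -> dict:
    """Extract /sc /mo /rl /tn /tr from a schtasks command line; values are stripped."""
    args = {}
    for m in SCHTASKS_RE.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else (m.group(3) or "")
        args[m.group(1).lower()] = value.strip()
    return args


def analyze(events):
    """Return findings for the events; the last rule correlates two earlier ones."""
    findings, excluded, persisted = [], set(), set()
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if img in PS_IMAGES and MP_PREF_RE.search(ev.cmdline):
            for kind, *vals in EXCLUSION_RE.findall(ev.cmdline):
                value = next((v for v in vals if v), "").strip()
                findings.append(Finding("defender_exclusion_added", ev.pid, f"{kind}: {value}"))
                excluded.add(value.lower())
        if img == "schtasks.exe" and re.search(r"/create\b", ev.cmdline, re.IGNORECASE):
            a = schtasks_args(ev.cmdline)
            mo = a.get("mo", "1")
            frequent = a.get("sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5
            elevated = a.get("rl", "").upper() == "HIGHEST"
            if frequent or (elevated and user_writable(a.get("tr", ""))):
                findings.append(Finding("suspicious_task_created", ev.pid,
                                        f"tn={a.get('tn')} sc={a.get('sc')} mo={mo} rl={a.get('rl')} tr={a.get('tr')}"))
                persisted.add(a.get("tr", "").lower())
        if parent in TASK_HOSTS and user_writable(ev.image):
            findings.append(Finding("task_host_runs_user_writable_binary", ev.pid, ev.image))
        if user_writable(ev.parent_image) and img in LOLBINS:
            findings.append(Finding("user_writable_parent_spawns_lolbin", ev.pid, f"{ev.parent_image} -> {img}"))
    # The sample excludes from Defender exactly the file its task keeps relaunching.
    for path in sorted(excluded & persisted):
        findings.append(Finding("exclusion_covers_persisted_binary", 0, path))
    return findings


XC = r"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"
DROP = r"C:\ProgramData\$77wsappx.exe"


def ps_cmd(args: str) -> str:
    return f'"{PS}" -ExecutionPolicy Bypass {args}'


# Constructed from the report's process tree; explorer.exe/services.exe parents and PID 3001 are assumed.
EVENTS = [
    ProcEvent(2444, 1234, r"C:\Windows\explorer.exe", XC, f'"{XC}"'),
    ProcEvent(2708, 2444, XC, PS, ps_cmd(f"Add-MpPreference -ExclusionPath '{XC}'")),
    ProcEvent(2596, 2444, XC, PS, ps_cmd("Add-MpPreference -ExclusionProcess 'XClient.exe'")),
    ProcEvent(2480, 2444, XC, PS, ps_cmd(f"Add-MpPreference -ExclusionPath '{DROP} '")),
    ProcEvent(2340, 2444, XC, PS, ps_cmd("Add-MpPreference -ExclusionProcess '$77wsappx.exe '")),
    ProcEvent(2800, 2444, XC, SCHTASKS,
              f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77wsappx" /tr "{DROP} "'),
    ProcEvent(2152, 500, r"C:\Windows\system32\services.exe", TASKENG, "taskeng.exe {BE2F9C0A-0F63-457A-960D-1C0B0DB7FC02}"),
    ProcEvent(1088, 2152, TASKENG, DROP, DROP),
    ProcEvent(2992, 2152, TASKENG, DROP, DROP),
    # Benign control: a daily task created from an admin shell must not fire any rule.
    ProcEvent(3001, 900, r"C:\Windows\System32\cmd.exe", SCHTASKS,
              r'schtasks.exe /create /sc daily /st 03:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:40} pid={f.pid:<5} {f.detail}")
```

Against the constructed events this yields thirteen findings: four Defender exclusions, one suspicious task, two task-host launches from %ProgramData%, five LOLBin spawns from a user-writable parent, and one correlation hit on C:\ProgramData\$77wsappx.exe; the benign daily task fires nothing. The one-minute trigger is what makes the schtasks rule fire on its own; the HIGHEST run level only counts when the task action lives in a user-writable directory, which keeps ordinary administrative tasks quiet.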
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
  Command and Scripting Interpreter (T1059): 1
    PowerShell (T1059.001): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1
Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1
Downloads
-
C:\ProgramData\$77wsappx.exe
Filesize: 41KB
MD5: c2c574a520f8d4ec451921142d6d1300
SHA1: 2bedca7ae5e8d0262411238f500e0ca6e9f696c6
SHA256: 7924b7ca79b85a3279076c0b78dd33cfa7bdbd50eeaa9a79ee1137b3ad92ce07
SHA512: 8e23e89faa4f9e3174c2c1835605ca9d89b992f6b018634ab95261637ea36f7a0263b90ce78cc9079f05aef681a8fa7bdedd7194d64deccff26efdad24ba5653
Same size and hashes as the submitted XClient.exe: the dropped file is a byte-identical self-copy, so a hash-based detection for the sample also covers the persisted binary. The $77 name prefix is the marker the r77 rootkit uses for files and processes it hides; nothing in this report shows an r77 component, so treat the prefix as a naming convention worth checking for rather than as evidence of a rootkit.
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 2da12c82d4a55d63bac741899d692a0c
SHA1: c84ddaf34e039c79eb9f1ab88eab168f29aa3286
SHA256: 3ae165b6ac1732d23e591c659caa5774bf1e755c2eb729b0f512a3cbd9ea8882
SHA512: d44d0812394493741572a2c250572102aae4d01e87e8ce7c9e36d52bc637e88c3f06add2c0bf6c61fe58ce55ff71d0ab35b0ffe019b809e209a3a11bbbf40d2a
-
memory/1088-35-0x0000000000270000-0x0000000000280000-memory.dmp: 64KB
-
memory/2444-30-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp: 4KB
-
memory/2444-1-0x0000000000FA0000-0x0000000000FB0000-memory.dmp: 64KB
-
memory/2444-2-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp: 9.9MB
-
memory/2444-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp: 4KB
-
memory/2444-31-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp: 9.9MB
-
memory/2596-14-0x000000001B300000-0x000000001B5E2000-memory.dmp: 2.9MB
-
memory/2596-15-0x0000000002290000-0x0000000002298000-memory.dmp: 32KB
-
memory/2708-8-0x0000000002590000-0x0000000002598000-memory.dmp: 32KB
-
memory/2708-7-0x000000001B180000-0x000000001B462000-memory.dmp: 2.9MB
-
memory/2992-38-0x0000000001180000-0x0000000001190000-memory.dmp: 64KB