Analysis
max time kernel: 373s
max time network: 374s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 30-06-2024 06:24
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win10-20240404-en
General
Target: XClient.exe
Size: 61KB
MD5: d537ba1b5dfd28d617d98452caadf449
SHA1: 6cb1d669d2a10153e42ac33c7bd2fc8521ec7065
SHA256: a2e9485cb6b0018d079a1956dc8a073393c75ee0eca1ebed1fcdaff21b076d2e
SHA512: b0032aba438a0e8704ba6bb7f14e329464a4b09b3d4e6d8dc3ce96a8e70a21312faa407dddf092753234928e3de263a242ec45108f5a48a7d4f04695a9fcde2c
SSDEEP: 1536:QrgMsFzvH+u9GeCdg/vzb2xsK/WS6zAEzO5sK:QrD8vHFSWzb26FAEzO5sK
Malware Config
Extracted
Family: xworm
C2: Ironthing-22901.portmap.host:22901
Install_directory: %AppData%
install_file: XClient.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource / yara_rule
- behavioral1/memory/408-0-0x0000000000B50000-0x0000000000B66000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\XClient.exe: family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid / process
- 1108 powershell.exe
- 516 powershell.exe
- 2064 powershell.exe
- 3636 powershell.exe
Drops startup file 2 IoCs
Processes:
description / ioc / process
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (XClient.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (XClient.exe)
Executes dropped EXE 6 IoCs
Processes:
pid / process
- 3152 XClient.exe
- 4404 XClient.exe
- 2196 XClient.exe
- 5108 XClient.exe
- 3616 XClient.exe
- 3504 XClient.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description / ioc / process
- Set value (str): \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" (XClient.exe)
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow / ioc
- 1: ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid / process
- 2064 powershell.exe (3 entries)
- 3636 powershell.exe (3 entries)
- 1108 powershell.exe (3 entries)
- 516 powershell.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description / pid / process
- 408 XClient.exe, Token: SeDebugPrivilege
- 2064 powershell.exe, Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 3636 powershell.exe, Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 1108 powershell.exe, Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 (list truncated at 64 IoCs)
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description / pid / process / target process
- PID 408 wrote to memory of 2064: XClient.exe -> powershell.exe
- PID 408 wrote to memory of 2064: XClient.exe -> powershell.exe
- PID 408 wrote to memory of 3636: XClient.exe -> powershell.exe
- PID 408 wrote to memory of 3636: XClient.exe -> powershell.exe
- PID 408 wrote to memory of 1108: XClient.exe -> powershell.exe
- PID 408 wrote to memory of 1108: XClient.exe -> powershell.exe
- PID 408 wrote to memory of 516: XClient.exe -> powershell.exe
- PID 408 wrote to memory of 516: XClient.exe -> powershell.exe
- PID 408 wrote to memory of 4264: XClient.exe -> schtasks.exe
- PID 408 wrote to memory of 4264: XClient.exe -> schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indented entries are child processes of the entry above)
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      - Scheduled Task/Job: Scheduled Task
- C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads