Analysis
- max time kernel: 299s
- max time network: 303s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-06-2024 11:00
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win10-20240404-en
General
- Target: XClient.exe
- Size: 70KB
- MD5: 1aee9a35a708cb39e8cb4d77493ea266
- SHA1: 734371aca4a8f81bc8da952687dfe3c9315fdbde
- SHA256: 69062434a621587b25a7502d5384bed98f5002d34f5e5604abfb7b81d80cf29d
- SHA512: 108f32dbede91c7552a88046d6cf92b49945744e0bbea380c2a880d460326c66e2ef28948fd2395e6976d6976fa83c974e2f70e9c05ba7b856dd82c2d713e6f2
- SSDEEP: 1536:1uHWDFSwUrZS8Pm/ZZbZWfweYcYX67lwO+zfh9G:g2sVSS6ZbZBTAlwO+zfLG
Malware Config
Extracted
- Family: xworm
- Version: 3.1
- C2: 0.tcp.eu.ngrok.io:15792
- Install_directory: %ProgramData%
- install_file: USB.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/2100-1-0x00000000002F0000-0x0000000000308000-memory.dmp: family_xworm
  - C:\ProgramData\XClient.exe: family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid / process):
  - 164 powershell.exe
  - 888 powershell.exe
  - 3780 powershell.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (XClient.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (XClient.exe)
- Executes dropped EXE (4 IoCs)
  Processes (pid / process):
  - 2296 XClient.exe
  - 1568 XClient.exe
  - 2980 XClient.exe
  - 2224 XClient.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\ProgramData\\XClient.exe" (XClient.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 8 IoCs)
  Flows (flow / ioc):
  - 69: 0.tcp.eu.ngrok.io
  - 5: 0.tcp.eu.ngrok.io
  - 10: 0.tcp.eu.ngrok.io
  - 20: 0.tcp.eu.ngrok.io
  - 41: 0.tcp.eu.ngrok.io
  - 44: 0.tcp.eu.ngrok.io
  - 57: 0.tcp.eu.ngrok.io
  - 59: 0.tcp.eu.ngrok.io
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows (flow / ioc):
  - 1: ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings (OpenWith.exe)
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid / process):
  - 164 powershell.exe (3 entries)
  - 888 powershell.exe (3 entries)
  - 3780 powershell.exe (3 entries)
  - 2100 XClient.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (pid / process: tokens, in the order reported):
  - 2100 XClient.exe: SeDebugPrivilege
  - 164 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - 888 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - 3780 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
  - 2100 XClient.exe
  - 1856 OpenWith.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  - PID 2100 wrote to memory of 164: XClient.exe -> powershell.exe (2 entries)
  - PID 2100 wrote to memory of 888: XClient.exe -> powershell.exe (2 entries)
  - PID 2100 wrote to memory of 3780: XClient.exe -> powershell.exe (2 entries)
  - PID 2100 wrote to memory of 3344: XClient.exe -> schtasks.exe (2 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\XClient.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\ProgramData\XClient.exe"
    - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\OpenWith.exe (depth 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\ProgramData\XClient.exe (depth 1)
  Command line: C:\ProgramData\XClient.exe
  - Executes dropped EXE
- C:\ProgramData\XClient.exe (depth 1)
  Command line: C:\ProgramData\XClient.exe
  - Executes dropped EXE
- C:\ProgramData\XClient.exe (depth 1)
  Command line: C:\ProgramData\XClient.exe
  - Executes dropped EXE
- C:\ProgramData\XClient.exe (depth 1)
  Command line: C:\ProgramData\XClient.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- C:\ProgramData\XClient.exe
  Filesize: 70KB
  MD5: 1aee9a35a708cb39e8cb4d77493ea266
  SHA1: 734371aca4a8f81bc8da952687dfe3c9315fdbde
  SHA256: 69062434a621587b25a7502d5384bed98f5002d34f5e5604abfb7b81d80cf29d
  SHA512: 108f32dbede91c7552a88046d6cf92b49945744e0bbea380c2a880d460326c66e2ef28948fd2395e6976d6976fa83c974e2f70e9c05ba7b856dd82c2d713e6f2
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
  Filesize: 654B
  MD5: 16c5fce5f7230eea11598ec11ed42862
  SHA1: 75392d4824706090f5e8907eee1059349c927600
  SHA256: 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
  SHA512: 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 1fb4f1db8cf6587a456df7b158f5e9de
  SHA1: 931f99cd91a9befe6cbefa29aaa3123af2732c20
  SHA256: e9a4790f800fd415692df3af70c0f33243fa181512db2ee28bb27680c7a20db7
  SHA512: b9abbe69c9b1a1b14e52f62d53c22c2a5521ae6a4b5af6fc0d2ec3ec17ef32cdaceb8ac62dc2a02b4a70558b505c410f81e00374313942c65963fc3b2ee9b61c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 9fceaa8f38c649b2e22774fae18c3a57
  SHA1: 5fd53df1613ba5450c0b8efd46825db0d9b524e3
  SHA256: fd1439be9ac2c7e9657901542c04521cea486ac10ba40144cfd20183b18e51c5
  SHA512: 45846475ef49c7fe0b7ccca1c18404f963f689c73ff4bd29add0fc49ce3872bceb230d5a45782731c4161888d853671253231c23e13b05b0739a4b835ff0c52a
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y0ntfaso.pxn.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- memory/164-10-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp
  Filesize: 9.9MB
- memory/164-13-0x0000027FF79A0000-0x0000027FF7A16000-memory.dmp
  Filesize: 472KB
- memory/164-51-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp
  Filesize: 9.9MB
- memory/164-9-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp
  Filesize: 9.9MB
- memory/164-8-0x0000027FDF1F0000-0x0000027FDF212000-memory.dmp
  Filesize: 136KB
- memory/164-7-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp
  Filesize: 9.9MB
- memory/2100-0-0x00007FFCC9C13000-0x00007FFCC9C14000-memory.dmp
  Filesize: 4KB
- memory/2100-2-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp
  Filesize: 9.9MB
- memory/2100-147-0x00007FFCC9C13000-0x00007FFCC9C14000-memory.dmp
  Filesize: 4KB
- memory/2100-148-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp
  Filesize: 9.9MB
- memory/2100-1-0x00000000002F0000-0x0000000000308000-memory.dmp
  Filesize: 96KB