Analysis
-
max time kernel
562s -
max time network
482s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01-07-2024 07:31
Static task
static1
Behavioral task
behavioral1
Sample
Roblox theme.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
Roblox theme.exe
Resource
win10v2004-20240508-en
General
-
Target
Roblox theme.exe
-
Size
1013KB
-
MD5
f9692e37bd7d64a1d5458f39d5730308
-
SHA1
4984464e640fe749391e4819300b615eb4c85c6a
-
SHA256
49c4484aee2c2d16b940cb5e47e908cc894ececf443569f0f127e0c8df2ab832
-
SHA512
4fb5d6dff3d3da8013f8e618a5f65d70156229ee47d214541b04a56fe29d6e7d026aa4eb6870ea19a57ec2cf20042af91c8f62d30a7158bb8a6f77d9be5044d6
-
SSDEEP
24576:lOtT5xDVDvwVqYdVpqVfuMSOYw3Y+JBbUX/S/6Hv9rO5gUa:lOtT57MdhHMxvY+fUPSCH69a
Malware Config
Extracted
xworm
java-mas.gl.at.ply.gg:23199
-
Install_directory
%LocalAppData%
-
install_file
svchost.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\XClient.exe family_xworm behavioral2/memory/4468-36-0x0000000000040000-0x0000000000072000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 3860 powershell.exe 1964 powershell.exe 396 powershell.exe 3968 powershell.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Roblox theme.exeXClient.sfx.exeXClient.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation Roblox theme.exe Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation XClient.sfx.exe Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation XClient.exe -
Drops startup file 2 IoCs
Processes:
XClient.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk XClient.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk XClient.exe -
Executes dropped EXE 12 IoCs
Processes:
XClient.sfx.exeRTC_Launcher11.exeXClient.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exepid process 3528 XClient.sfx.exe 3352 RTC_Launcher11.exe 4468 XClient.exe 3592 svchost.exe 1968 svchost.exe 3380 svchost.exe 1456 svchost.exe 4884 svchost.exe 1976 svchost.exe 3180 svchost.exe 4628 svchost.exe 3976 svchost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
XClient.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" XClient.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeXClient.exepid process 3860 powershell.exe 3860 powershell.exe 1964 powershell.exe 1964 powershell.exe 396 powershell.exe 396 powershell.exe 3968 powershell.exe 3968 powershell.exe 4468 XClient.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
XClient.exeRTC_Launcher11.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exedescription pid process Token: SeDebugPrivilege 4468 XClient.exe Token: SeDebugPrivilege 3352 RTC_Launcher11.exe Token: SeDebugPrivilege 3860 powershell.exe Token: SeDebugPrivilege 1964 powershell.exe Token: SeDebugPrivilege 396 powershell.exe Token: SeDebugPrivilege 3968 powershell.exe Token: SeDebugPrivilege 4468 XClient.exe Token: SeDebugPrivilege 3592 svchost.exe Token: SeDebugPrivilege 1968 svchost.exe Token: SeDebugPrivilege 3380 svchost.exe Token: SeDebugPrivilege 1456 svchost.exe Token: SeDebugPrivilege 4884 svchost.exe Token: SeDebugPrivilege 1976 svchost.exe Token: SeDebugPrivilege 3180 svchost.exe Token: SeDebugPrivilege 4628 svchost.exe Token: SeDebugPrivilege 3976 svchost.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
RTC_Launcher11.exepid process 3352 RTC_Launcher11.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
XClient.exepid process 4468 XClient.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
Roblox theme.exeXClient.sfx.exeXClient.exedescription pid process target process PID 4464 wrote to memory of 3528 4464 Roblox theme.exe XClient.sfx.exe PID 4464 wrote to memory of 3528 4464 Roblox theme.exe XClient.sfx.exe PID 4464 wrote to memory of 3528 4464 Roblox theme.exe XClient.sfx.exe PID 4464 wrote to memory of 3352 4464 Roblox theme.exe RTC_Launcher11.exe PID 4464 wrote to memory of 3352 4464 Roblox theme.exe RTC_Launcher11.exe PID 3528 wrote to memory of 4468 3528 XClient.sfx.exe XClient.exe PID 3528 wrote to memory of 4468 3528 XClient.sfx.exe XClient.exe PID 4468 wrote to memory of 3860 4468 XClient.exe powershell.exe PID 4468 wrote to memory of 3860 4468 XClient.exe powershell.exe PID 4468 wrote to memory of 1964 4468 XClient.exe powershell.exe PID 4468 wrote to memory of 1964 4468 XClient.exe powershell.exe PID 4468 wrote to memory of 396 4468 XClient.exe powershell.exe PID 4468 wrote to memory of 396 4468 XClient.exe powershell.exe PID 4468 wrote to memory of 3968 4468 XClient.exe powershell.exe PID 4468 wrote to memory of 3968 4468 XClient.exe powershell.exe PID 4468 wrote to memory of 688 4468 XClient.exe schtasks.exe PID 4468 wrote to memory of 688 4468 XClient.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Roblox theme.exe"C:\Users\Admin\AppData\Local\Temp\Roblox theme.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XClient.sfx.exe"C:\Users\Admin\AppData\Roaming\XClient.sfx.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XClient.exe"C:\Users\Admin\AppData\Roaming\XClient.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe"C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD510890cda4b6eab618e926c4118ab0647
SHA11e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA25600f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD515dde0683cd1ca19785d7262f554ba93
SHA1d039c577e438546d10ac64837b05da480d06bf69
SHA256d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA51257c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pro34ilr.vjq.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exeFilesize
758KB
MD5cb1929328dea316fcb34f3486697d16e
SHA18c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b
SHA2567a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9
SHA51290ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28
-
C:\Users\Admin\AppData\Roaming\XClient.exeFilesize
174KB
MD5df3b4775708fd5ad9f3b1e2701ea4eaf
SHA142ff8fdf99a432f494594e6c9badb38385d77b12
SHA2562ea99f3355f04bef152f0558aaa2719d9b9dcb6552297ab766069a4e1a314f73
SHA5129140213342fac4579d74c405c182dccd1ee9756a545d3cec5101167a4868215048e8189d1e7c0e4b81f8d42ccf3e17252b57d9d6ceb997d69b10da218e9aa2b1
-
C:\Users\Admin\AppData\Roaming\XClient.sfx.exeFilesize
346KB
MD5a09245eb66f7a82aaf5a41e20c9b0d63
SHA184fff1520784316b3fdcbaa44efb67e7d4e26ea4
SHA2569d0ab230077ee742e2a1c4c68ebcf7f2039f0729d6ac03ef49c00389a79ad5dc
SHA5127257a33b0d5c2e14376197b5673413557961ce2d2bb5ad672642ea52f8bec08cccab56c9cecdc1f3ca5f893dba955541cacee5f5e1a7561f749a32002ee67456
-
memory/3352-50-0x000001BABBE30000-0x000001BABBEA6000-memory.dmpFilesize
472KB
-
memory/3352-35-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmpFilesize
10.8MB
-
memory/3352-22-0x000001BAA0E30000-0x000001BAA0EF4000-memory.dmpFilesize
784KB
-
memory/3352-21-0x00007FF9F8C03000-0x00007FF9F8C05000-memory.dmpFilesize
8KB
-
memory/3352-89-0x00007FF9F8C03000-0x00007FF9F8C05000-memory.dmpFilesize
8KB
-
memory/3352-90-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmpFilesize
10.8MB
-
memory/3860-43-0x00000247AFA90000-0x00000247AFAB2000-memory.dmpFilesize
136KB
-
memory/4468-36-0x0000000000040000-0x0000000000072000-memory.dmpFilesize
200KB