Edit tour

Windows Analysis Report
HdTSntLSMB.exe

Overview

General Information

Sample name:	HdTSntLSMB.exe renamed because original name is a hash value
Original sample name:	e7d77866c1d45436028229fe3ef3fe5f1de7c29241991fc67cc31ad569396959.exe
Analysis ID:	1575206
MD5:	9574b84144372c196237bc6e5e7d13c8
SHA1:	9b3a925c16629f910ebfab7f790b1a303e60e1b2
SHA256:	e7d77866c1d45436028229fe3ef3fe5f1de7c29241991fc67cc31ad569396959
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

HdTSntLSMB.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\HdTSntLSMB.exe" MD5: 9574B84144372C196237BC6E5E7D13C8)

schtasks.exe (PID: 5100 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 1020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

XClient.exe (PID: 5580 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 9574B84144372C196237BC6E5E7D13C8)

XClient.exe (PID: 7516 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 9574B84144372C196237BC6E5E7D13C8)

XClient.exe (PID: 7640 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 9574B84144372C196237BC6E5E7D13C8)

XClient.exe (PID: 4024 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 9574B84144372C196237BC6E5E7D13C8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["reason-presence.gl.at.ply.gg"], "Port": 49666, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
HdTSntLSMB.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
HdTSntLSMB.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x84bc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8559:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x866e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8134:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x84bc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8559:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x866e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8134:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2145485090.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2145485090.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x82bc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8359:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x846e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7f34:$cnc4: POST / HTTP/1.1
Process Memory Space: HdTSntLSMB.exe PID: 7132	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.HdTSntLSMB.exe.ef0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.HdTSntLSMB.exe.ef0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x84bc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8559:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x866e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8134:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\HdTSntLSMB.exe, ProcessId: 7132, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\HdTSntLSMB.exe, ProcessId: 7132, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HdTSntLSMB.exe", ParentImage: C:\Users\user\Desktop\HdTSntLSMB.exe, ParentProcessId: 7132, ParentProcessName: HdTSntLSMB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", ProcessId: 5100, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T18:52:47.552426+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.6	49955	147.185.221.24	49666	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HdTSntLSMB.exe

Avira: detected

Antivirus detection for URL or domain

Source: reason-presence.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: HdTSntLSMB.exe

Malware Configuration Extractor: Xworm {"C2 url": ["reason-presence.gl.at.ply.gg"], "Port": 49666, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: HdTSntLSMB.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: HdTSntLSMB.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: HdTSntLSMB.exe	String decryptor: reason-presence.gl.at.ply.gg
Source: HdTSntLSMB.exe	String decryptor: 49666
Source: HdTSntLSMB.exe	String decryptor: <123456789>
Source: HdTSntLSMB.exe	String decryptor: <Xwormmm>
Source: HdTSntLSMB.exe	String decryptor: XWorm V5.6
Source: HdTSntLSMB.exe	String decryptor: USB.exe
Source: HdTSntLSMB.exe	String decryptor: %AppData%
Source: HdTSntLSMB.exe	String decryptor: XClient.exe

Source: HdTSntLSMB.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: HdTSntLSMB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49718 -> 147.185.221.24:49666
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49955 -> 147.185.221.24:49666

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: reason-presence.gl.at.ply.gg

Source: global traffic

TCP traffic: 192.168.2.6:49718 -> 147.185.221.24:49666

Source: Joe Sandbox View

IP Address: 147.185.221.24 147.185.221.24

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: reason-presence.gl.at.ply.gg

Source: HdTSntLSMB.exe, 00000000.00000002.4603636720.00000000031C1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: HdTSntLSMB.exe, XLogger.cs	.Net Code: KeyboardLayout
Source: XClient.exe.0.dr, XLogger.cs	.Net Code: KeyboardLayout

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: HdTSntLSMB.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.HdTSntLSMB.exe.ef0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2145485090.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Code function: 0_2_00007FFD346D8872	0_2_00007FFD346D8872
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Code function: 0_2_00007FFD346D146D	0_2_00007FFD346D146D
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Code function: 0_2_00007FFD346D7AC6	0_2_00007FFD346D7AC6
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Code function: 0_2_00007FFD346D44FB	0_2_00007FFD346D44FB
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Code function: 0_2_00007FFD346D1C59	0_2_00007FFD346D1C59
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 5_2_00007FFD346E1C59	5_2_00007FFD346E1C59
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 5_2_00007FFD346E146D	5_2_00007FFD346E146D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 9_2_00007FFD346F1C59	9_2_00007FFD346F1C59
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 9_2_00007FFD346F146D	9_2_00007FFD346F146D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 10_2_00007FFD346E1C59	10_2_00007FFD346E1C59
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 10_2_00007FFD346E146D	10_2_00007FFD346E146D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 16_2_00007FFD346E1C59	16_2_00007FFD346E1C59
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 16_2_00007FFD346E146D	16_2_00007FFD346E146D

Source: HdTSntLSMB.exe, 00000000.00000000.2145485090.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs HdTSntLSMB.exe
Source: HdTSntLSMB.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs HdTSntLSMB.exe

Source: HdTSntLSMB.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: HdTSntLSMB.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.HdTSntLSMB.exe.ef0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2145485090.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: HdTSntLSMB.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: HdTSntLSMB.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: HdTSntLSMB.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: XClient.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: HdTSntLSMB.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: HdTSntLSMB.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/4@1/1

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\XClient.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Mutant created: \Sessions\1\BaseNamedObjects\PD29o09mL0QxVKvZ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1020:120:WilError_03

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: HdTSntLSMB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HdTSntLSMB.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HdTSntLSMB.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

File read: C:\Users\user\Desktop\HdTSntLSMB.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HdTSntLSMB.exe "C:\Users\user\Desktop\HdTSntLSMB.exe"
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: XClient.lnk.0.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: HdTSntLSMB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HdTSntLSMB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: HdTSntLSMB.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: HdTSntLSMB.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: HdTSntLSMB.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: HdTSntLSMB.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: HdTSntLSMB.exe, Messages.cs	.Net Code: Memory
Source: XClient.exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Code function: 0_2_00007FFD346D213D push E95D313Fh; iretd	0_2_00007FFD346D2189
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 5_2_00007FFD346E05A0 push ebx; retf FFEFh	5_2_00007FFD346E062A
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 9_2_00007FFD346F05A0 push ebx; retf FFEFh	9_2_00007FFD346F062A
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 10_2_00007FFD346E05A0 push ebx; retf FFEFh	10_2_00007FFD346E062A
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 16_2_00007FFD346E05A0 push ebx; retf FFEFh	16_2_00007FFD346E062A

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Memory allocated: 1350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Memory allocated: 1B1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1AF50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1AD50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1AF30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Window / User API: threadDelayed 8412			Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Window / User API: threadDelayed 1433			Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe TID: 5272	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 1016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 7536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 7660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 7416	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: HdTSntLSMB.exe, 00000000.00000002.4606300782.000000001C1C4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"

Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Queries volume information: C:\Users\user\Desktop\HdTSntLSMB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HdTSntLSMB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: HdTSntLSMB.exe, 00000000.00000002.4606300782.000000001C1C4000.00000004.00000020.00020000.00000000.sdmp, HdTSntLSMB.exe, 00000000.00000002.4602922730.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, HdTSntLSMB.exe, 00000000.00000002.4607093893.000000001CDA0000.00000004.00000020.00020000.00000000.sdmp, HdTSntLSMB.exe, 00000000.00000002.4606300782.000000001C207000.00000004.00000020.00020000.00000000.sdmp, HdTSntLSMB.exe, 00000000.00000002.4606300782.000000001C170000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\HdTSntLSMB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: HdTSntLSMB.exe, type: SAMPLE
Source: Yara match	File source: 0.0.HdTSntLSMB.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2145485090.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HdTSntLSMB.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: HdTSntLSMB.exe, type: SAMPLE
Source: Yara match	File source: 0.0.HdTSntLSMB.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2145485090.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HdTSntLSMB.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 Input Capture	221 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
HdTSntLSMB.exe	79%	ReversingLabs	Win32.Exploit.Xworm
HdTSntLSMB.exe	100%	Avira	TR/Spy.Gen
HdTSntLSMB.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\XClient.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	79%	ReversingLabs	Win32.Exploit.Xworm

Source	Detection	Scanner	Label	Link
reason-presence.gl.at.ply.gg	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reason-presence.gl.at.ply.gg	147.185.221.24	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
reason-presence.gl.at.ply.gg	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	HdTSntLSMB.exe, 00000000.00000002.4603636720.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.24	reason-presence.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575206
Start date and time:	2024-12-14 18:50:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	HdTSntLSMB.exe renamed because original name is a hash value
Original Sample Name:	e7d77866c1d45436028229fe3ef3fe5f1de7c29241991fc67cc31ad569396959.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/4@1/1
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 99% Number of executed functions: 38 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.147.0, 20.103.156.88, 13.107.246.63, 2.16.158.49, 20.234.120.54, 4.245.163.56, 20.223.35.26, 150.171.27.10, 2.16.158.56, 23.218.208.109
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, ocsp.digicert.com, login.live.com
Execution Graph export aborted for target XClient.exe, PID 4024 because it is empty
Execution Graph export aborted for target XClient.exe, PID 5580 because it is empty
Execution Graph export aborted for target XClient.exe, PID 7516 because it is empty
Execution Graph export aborted for target XClient.exe, PID 7640 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: HdTSntLSMB.exe

Simulations

Behavior and APIs

Time	Type	Description
12:51:06	API Interceptor	11311140x Sleep call for process: HdTSntLSMB.exe modified
18:51:06	Task Scheduler	Run new task: XClient path: C:\Users\user\AppData\Roaming\XClient.exe
18:51:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
18:51:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
18:51:26	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.24	file.exe	Get hash	malicious	XWorm	Browse
	file.exe	Get hash	malicious	XWorm	Browse
	NhoqAfkhHL.bat	Get hash	malicious	Unknown	Browse
	a4lIk1Jrla.exe	Get hash	malicious	Njrat, RevengeRAT	Browse
	W6s1vzcRdj.exe	Get hash	malicious	XWorm	Browse
	u7e3vb5dfk.exe	Get hash	malicious	XWorm	Browse
	aOi4JyF92S.exe	Get hash	malicious	XWorm	Browse
	PG4w1WB9dE.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	a4BE6gJooT.exe	Get hash	malicious	XWorm	Browse
	grK0Oh8p4Z.exe	Get hash	malicious	AsyncRAT, XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	7laJ4zKd8O.exe	Get hash	malicious	XWorm	Browse	147.185.221.18
	file.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	testingg.exe	Get hash	malicious	Njrat	Browse	147.185.221.19
	Bloxflip Predictor.exe	Get hash	malicious	Njrat	Browse	147.185.221.224
	system404.exe	Get hash	malicious	Metasploit	Browse	147.185.221.19
	Discord.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.18
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	147.185.221.22
	file.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	NhoqAfkhHL.bat	Get hash	malicious	Unknown	Browse	147.185.221.24
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	147.160.103.28

Process:	C:\Users\user\AppData\Roaming\XClient.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\HdTSntLSMB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	3.7195394315431693
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5:	0DB526D48DAB0E640663E4DC0EFE82BA
SHA1:	17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256:	934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512:	FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....### explorer ###..[WIN]r[WIN]r[WIN]r

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\Desktop\HdTSntLSMB.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 14 16:51:06 2024, mtime=Sat Dec 14 16:51:06 2024, atime=Sat Dec 14 16:51:06 2024, length=39936, window=hide
Category:	dropped
Size (bytes):	767
Entropy (8bit):	5.058074424762901
Encrypted:	false
SSDEEP:	12:8hlK244pnu8ChklXIsY//UFB0L72B50rjAes+HkOHxfmV:8hlMgDJlXU8nWRAesFOJm
MD5:	F3B3E260F1BCBC5BE70E7F3470EB816D
SHA1:	A2092D02F6E8614CAEFF73548F505EB8FD87AD2E
SHA-256:	66F2054545DC5DA8F155C07B7312C3A4B0DB1A117CA6D8858A5961A7DBA15635
SHA-512:	B6CA2AEE53D5E32052EDB0706E57A2B4A5DF9E05CD92E857C1811ADA7224643CAEF1B65DBE4BE3DA521C184B9C89C675416720C5D8BB35CEEE3A27E17B26703F
Malicious:	false
Reputation:	low
Preview:	L..................F.... .....PN....PN...*.PN..........................v.:..DG..Yr?.D..U..k0.&...&.......$..S....0..PN..1.+.PN......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y`............................^.A.p.p.D.a.t.a...B.V.1......Y\...Roaming.@......EW<2.Y\...../......................^$.R.o.a.m.i.n.g.....b.2......Yd. .XClient.exe.H......Yd..Yd...........................<#).X.C.l.i.e.n.t...e.x.e.......\...............-.......[...................C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......142233...........hT..CrF.f4... .....Jc...-...-$..hT..CrF.f4... .....Jc...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\HdTSntLSMB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.583683609908372
Encrypted:	false
SSDEEP:	768:9mz6nA3MxG5g8y5AcksKyJjL77FWPa9X4cOwhlaG8k:926nUuf5A72Fv9XBOwnT8k
MD5:	9574B84144372C196237BC6E5E7D13C8
SHA1:	9B3A925C16629F910EBFAB7F790B1A303E60E1B2
SHA-256:	E7D77866C1D45436028229FE3EF3FE5F1DE7C29241991FC67CC31AD569396959
SHA-512:	05E80FC9BC0383709065D4A8C85FB9868626F4C21C0EFA01FBB7FBD8CA191D7250A6C4DBE022E9C533CCBE22C7EBB3C3663CED65C4E475E248A844A3BA2FEBFB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-D]g................................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........Y...V............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.583683609908372
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	HdTSntLSMB.exe
File size:	39'936 bytes
MD5:	9574b84144372c196237bc6e5e7d13c8
SHA1:	9b3a925c16629f910ebfab7f790b1a303e60e1b2
SHA256:	e7d77866c1d45436028229fe3ef3fe5f1de7c29241991fc67cc31ad569396959
SHA512:	05e80fc9bc0383709065d4a8c85fb9868626f4c21c0efa01fbb7fbd8ca191d7250a6c4dbe022e9c533ccbe22c7ebb3c3663ced65c4e475e248a844a3ba2febfb
SSDEEP:	768:9mz6nA3MxG5g8y5AcksKyJjL77FWPa9X4cOwhlaG8k:926nUuf5A72Fv9XBOwnT8k
TLSH:	D0034C887BD44222DAFE6BFA59B372060730F6078D13DB5E4CD4899A5B27BC48A05396
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-D]g................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40b10e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675D442D [Sat Dec 14 08:39:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9114	0x9200	f5f0f2a87c044387d3a11ac35759c39f	False	0.4946222174657534	data	5.707585347597108	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x4d8	0x600	2472af5ddbb53779b7381f16b8b9407b	False	0.3756510416666667	data	3.7216503306685733	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	f6802faec724caec52208d5f57381d6f	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0xc2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-14T18:51:19.015616+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.6	49718	147.185.221.24	49666	TCP
2024-12-14T18:52:47.552426+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.6	49955	147.185.221.24	49666	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2024 18:51:08.393984079 CET	49718	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:08.513974905 CET	49666	49718	147.185.221.24	192.168.2.6
Dec 14, 2024 18:51:08.514081955 CET	49718	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:08.664908886 CET	49718	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:08.784866095 CET	49666	49718	147.185.221.24	192.168.2.6
Dec 14, 2024 18:51:19.015615940 CET	49718	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:19.139061928 CET	49666	49718	147.185.221.24	192.168.2.6
Dec 14, 2024 18:51:29.371531010 CET	49718	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:29.659204006 CET	49666	49718	147.185.221.24	192.168.2.6
Dec 14, 2024 18:51:30.401415110 CET	49666	49718	147.185.221.24	192.168.2.6
Dec 14, 2024 18:51:30.401628017 CET	49718	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:34.119172096 CET	49718	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:34.120187044 CET	49787	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:34.241184950 CET	49666	49718	147.185.221.24	192.168.2.6
Dec 14, 2024 18:51:34.242114067 CET	49666	49787	147.185.221.24	192.168.2.6
Dec 14, 2024 18:51:34.242172956 CET	49787	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:34.327212095 CET	49787	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:34.448414087 CET	49666	49787	147.185.221.24	192.168.2.6
Dec 14, 2024 18:51:48.431545019 CET	49787	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:48.562452078 CET	49666	49787	147.185.221.24	192.168.2.6
Dec 14, 2024 18:51:56.135447025 CET	49666	49787	147.185.221.24	192.168.2.6
Dec 14, 2024 18:51:56.135545969 CET	49787	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:56.728085995 CET	49787	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:56.730427980 CET	49848	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:56.849107981 CET	49666	49787	147.185.221.24	192.168.2.6
Dec 14, 2024 18:51:56.851541996 CET	49666	49848	147.185.221.24	192.168.2.6
Dec 14, 2024 18:51:56.851629019 CET	49848	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:56.881993055 CET	49848	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:51:57.008663893 CET	49666	49848	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:09.431942940 CET	49848	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:09.558758974 CET	49666	49848	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:16.603140116 CET	49848	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:16.752824068 CET	49666	49848	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:18.760512114 CET	49666	49848	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:18.760598898 CET	49848	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:21.634426117 CET	49848	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:21.649774075 CET	49905	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:21.754369020 CET	49666	49848	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:21.769614935 CET	49666	49905	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:21.770627022 CET	49905	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:21.865057945 CET	49905	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:21.993803978 CET	49666	49905	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:32.650142908 CET	49905	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:32.769920111 CET	49666	49905	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:32.769989014 CET	49905	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:32.890276909 CET	49666	49905	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:35.121891975 CET	49905	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:35.243335962 CET	49666	49905	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:37.743983984 CET	49905	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:37.865029097 CET	49666	49905	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:38.020952940 CET	49905	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:38.140887976 CET	49666	49905	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:38.141180038 CET	49905	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:38.264452934 CET	49666	49905	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:41.399739027 CET	49905	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:41.519903898 CET	49666	49905	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:43.714006901 CET	49666	49905	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:43.714107037 CET	49905	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:43.714246988 CET	49905	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:43.716351986 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:43.834038019 CET	49666	49905	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:43.847424984 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:43.847825050 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:43.909112930 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:44.031657934 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:44.031713009 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:44.152004957 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:47.431042910 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:47.552242994 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:47.552426100 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:47.673017025 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:52:54.274962902 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:52:54.397881985 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:04.634839058 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:04.758693933 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:04.758742094 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:04.885648012 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:04.885749102 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:05.019445896 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:05.019582033 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:05.139427900 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:05.149645090 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:05.269536018 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:05.844636917 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:05.844757080 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:10.274679899 CET	49955	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:10.277878046 CET	50012	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:10.396054983 CET	49666	49955	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:10.398631096 CET	49666	50012	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:10.398750067 CET	50012	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:10.452677965 CET	50012	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:10.572671890 CET	49666	50012	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:18.477699041 CET	50012	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:18.597501040 CET	49666	50012	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:29.274475098 CET	50012	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:29.397861958 CET	49666	50012	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:30.946647882 CET	50012	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:31.073219061 CET	49666	50012	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:32.307975054 CET	49666	50012	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:32.308046103 CET	50012	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:36.415360928 CET	50012	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:36.420303106 CET	50014	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:36.535161018 CET	49666	50012	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:36.540169954 CET	49666	50014	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:36.540319920 CET	50014	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:36.584278107 CET	50014	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:36.704468966 CET	49666	50014	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:38.430659056 CET	50014	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:38.554255962 CET	49666	50014	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:46.961903095 CET	50014	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:47.088430882 CET	49666	50014	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:47.088511944 CET	50014	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:47.208678961 CET	49666	50014	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:52.602638006 CET	50014	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:53:52.722278118 CET	49666	50014	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:58.433293104 CET	49666	50014	147.185.221.24	192.168.2.6
Dec 14, 2024 18:53:58.433367014 CET	50014	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:02.477274895 CET	50014	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:02.479211092 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:02.650614023 CET	49666	50014	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:02.650635004 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:02.650724888 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:02.776307106 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:02.896266937 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:02.946438074 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:03.066201925 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:07.711966991 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:07.831732988 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:08.055788994 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:08.181346893 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:08.539993048 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:08.659796000 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:08.659877062 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:08.780927896 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:08.780993938 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:08.905941010 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:08.905998945 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:09.031164885 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:10.914908886 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:11.041838884 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:11.042088985 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:11.168869972 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:11.743586063 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:11.864028931 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:24.558594942 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:24.558681965 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:29.342103958 CET	50015	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:29.344049931 CET	50016	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:29.462095022 CET	49666	50015	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:29.463934898 CET	49666	50016	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:29.464025021 CET	50016	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:29.595743895 CET	50016	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:29.715859890 CET	49666	50016	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:29.715919971 CET	50016	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:29.840846062 CET	49666	50016	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:29.840914965 CET	50016	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:29.969137907 CET	49666	50016	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:40.383426905 CET	50016	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:40.504309893 CET	49666	50016	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:45.164814949 CET	50016	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:45.289746046 CET	49666	50016	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:45.290214062 CET	50016	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:45.411047935 CET	49666	50016	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:50.742628098 CET	50016	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:50.863384962 CET	49666	50016	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:51.387438059 CET	49666	50016	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:51.387500048 CET	50016	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:55.867496967 CET	50016	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:55.869998932 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:55.991367102 CET	49666	50016	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:55.993527889 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:55.993607998 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:56.030831099 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:56.155888081 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:56.161012888 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:56.286123991 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:54:57.586361885 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:54:57.722165108 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:55:01.602034092 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:01.722148895 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:55:01.722433090 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:01.843637943 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:55:01.843723059 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:01.964124918 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:55:01.964195967 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:02.089989901 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:55:02.090137959 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:02.216674089 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:55:03.136931896 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:03.263720989 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:55:09.117533922 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:09.240226030 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:55:17.902982950 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:55:17.903278112 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:26.336210012 CET	50017	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:26.337352991 CET	50019	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:26.456207991 CET	49666	50017	147.185.221.24	192.168.2.6
Dec 14, 2024 18:55:26.457156897 CET	49666	50019	147.185.221.24	192.168.2.6
Dec 14, 2024 18:55:26.460889101 CET	50019	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:26.549067974 CET	50019	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:26.673261881 CET	49666	50019	147.185.221.24	192.168.2.6
Dec 14, 2024 18:55:36.836199045 CET	50019	49666	192.168.2.6	147.185.221.24
Dec 14, 2024 18:55:36.956739902 CET	49666	50019	147.185.221.24	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2024 18:51:08.128540993 CET	64906	53	192.168.2.6	1.1.1.1
Dec 14, 2024 18:51:08.384177923 CET	53	64906	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 14, 2024 18:51:08.128540993 CET	192.168.2.6	1.1.1.1	0x5d32	Standard query (0)	reason-presence.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 14, 2024 18:51:08.384177923 CET	1.1.1.1	192.168.2.6	0x5d32	No error (0)	reason-presence.gl.at.ply.gg		147.185.221.24	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:51:01
Start date:	14/12/2024
Path:	C:\Users\user\Desktop\HdTSntLSMB.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HdTSntLSMB.exe"
Imagebase:	0xef0000
File size:	39'936 bytes
MD5 hash:	9574B84144372C196237BC6E5E7D13C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2145485090.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2145485090.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	12:51:06
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0x7ff71d450000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:51:06
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:51:06
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:	0xde0000
File size:	39'936 bytes
MD5 hash:	9574B84144372C196237BC6E5E7D13C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:51:17
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0x120000
File size:	39'936 bytes
MD5 hash:	9574B84144372C196237BC6E5E7D13C8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:51:26
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0xba0000
File size:	39'936 bytes
MD5 hash:	9574B84144372C196237BC6E5E7D13C8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:52:01
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:	0xcc0000
File size:	39'936 bytes
MD5 hash:	9574B84144372C196237BC6E5E7D13C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	21.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD346D146D Relevance: 1.9, Strings: 1, Instructions: 655
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAO_^, xrefs: 00007FFD346D1521

Memory Dump Source

Source File: 00000000.00000002.4607616738.00007FFD346D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346d0000_HdTSntLSMB.jbxd

Similarity

API ID:
String ID: CAO_^
API String ID: 0-3111533842
Opcode ID: abb66450d73c1374ca4fb5c8958eb31f31a598fefbef32b933a31298f7ecb0d9
Instruction ID: 0c8eedbbcfb01c90f115ca25521c9926014942f3551b6e01d4185c4f287280c1
Opcode Fuzzy Hash: abb66450d73c1374ca4fb5c8958eb31f31a598fefbef32b933a31298f7ecb0d9
Instruction Fuzzy Hash: 5612D321B28A564BE7A8FB6C84A53F977D2FF99304F440579E04ED32D6DE2CAC418781

Function 00007FFD346D7AC6 Relevance: .5, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4607616738.00007FFD346D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346d0000_HdTSntLSMB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eade2645b0d7feac282677bcde8683313a3a2b3d1f272c4e540ef9666f13da29
Instruction ID: 3c26aab1dccc7d89e5dc68aa11ad15133c73b7a9bbfb8ef5f8dfb026d26020b9
Opcode Fuzzy Hash: eade2645b0d7feac282677bcde8683313a3a2b3d1f272c4e540ef9666f13da29
Instruction Fuzzy Hash: E2F1B730609A8D8FEBA8DF28C8557F977E1FF55311F14426EE84DC7291CB38A9458B82

Function 00007FFD346D8872 Relevance: .5, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4607616738.00007FFD346D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346d0000_HdTSntLSMB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0d44a0eca822523aea18af7fc12c6bf66b615398f35c778f662537c6f83fa7
Instruction ID: 4fa7ee3ea0046fba34a6f3e8902520d823df308e29d3afb29e22eed203c9dfac
Opcode Fuzzy Hash: 5a0d44a0eca822523aea18af7fc12c6bf66b615398f35c778f662537c6f83fa7
Instruction Fuzzy Hash: 9EE1B630A09A4E8FEBA8DF28C8597F977E1FF55310F14426AD85DC7291CF78A8458B81

Function 00007FFD346D1C59 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4607616738.00007FFD346D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346d0000_HdTSntLSMB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48d1e9ffdbaa994cc9485deaca4be050b68d5427b8b0d486873e2b4c205a4df
Instruction ID: 7d4e6e354d01eda9c97aabe80c6cf58a9a23f05909061daee48c1e28cd706909
Opcode Fuzzy Hash: d48d1e9ffdbaa994cc9485deaca4be050b68d5427b8b0d486873e2b4c205a4df
Instruction Fuzzy Hash: 1551DC50B0E6C90FE796ABB898B52B57FD5DF8B219B0805FBE0C9C71A3DD585806C342

Function 00007FFD346D26DD Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD346D27B2

Memory Dump Source

Source File: 00000000.00000002.4607616738.00007FFD346D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346d0000_HdTSntLSMB.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: f4f3dbc6ed7886e9cb2e64fc8a128cb8cf5be178f0980ac2aff665888732e460
Instruction ID: 121deff72be6dc94b840da675cdc340bc8711742d8a21b8c85622ae088bf1402
Opcode Fuzzy Hash: f4f3dbc6ed7886e9cb2e64fc8a128cb8cf5be178f0980ac2aff665888732e460
Instruction Fuzzy Hash: 0B41163190C6588FCB29DF98C855BE9BBF0FF56310F04416EE08AD3692CB746846CB91

Function 00007FFD346D2C08 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD346D2CD1

Memory Dump Source

Source File: 00000000.00000002.4607616738.00007FFD346D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346d0000_HdTSntLSMB.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 64ef69667b24c4ade9160aafb8e43e7e2704d7f7e36d26943bc4ff8f9f202ce5
Instruction ID: 71ccf8601f79da2a4fb33c0f036b14226caa49b43d6eb6e7f6b8e627f95f5f84
Opcode Fuzzy Hash: 64ef69667b24c4ade9160aafb8e43e7e2704d7f7e36d26943bc4ff8f9f202ce5
Instruction Fuzzy Hash: 10410830A1CA5D5FDB58DF6C98566F9BBE1EF5A321F00027ED049D3292CE64A852C7C1

Non-executed Functions

Function 00007FFD346D44FB Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4607616738.00007FFD346D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346d0000_HdTSntLSMB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27082f136d3ec9498fae99d157e55b70ffbc665ac93e59b984b6b840b09b2363
Instruction ID: 9f3e69df54bca4283638720a57b9d7535a9ae70c58bb21f40128ac25c3b2bca8
Opcode Fuzzy Hash: 27082f136d3ec9498fae99d157e55b70ffbc665ac93e59b984b6b840b09b2363
Instruction Fuzzy Hash: 1AA17D57F0F6E31BF6626A6C6CF50EAAB90DF93265B0900B3D2D9C60939C0D7C079691

Analysis Process: XClient.exePID: 5580, Parent PID: 1064COMMON

Executed Functions

Function 00007FFD346E1C59 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2231544571.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b832b04e61dbf279d790cd083e5305d2b5e61dc5c803cfc524f59ccc41280d
Instruction ID: fa0d2ccaa199696b4103c75b82257d95038ed273122d6b7751fde03c5637d43c
Opcode Fuzzy Hash: f3b832b04e61dbf279d790cd083e5305d2b5e61dc5c803cfc524f59ccc41280d
Instruction Fuzzy Hash: C151ED50B0D6C90FE796ABB888B52B6BFD5DF8B219B0805FBE0C9C7193DD185846D342

Function 00007FFD346E0C3E Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2231544571.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6352e23b7f11b89d4af8f6f351759161e82b520a68615d9dc5cfe7c8dc13a9
Instruction ID: 7d1444a681e473d813f002bd1d4ec718e46968566cea95b3d015d2d6f16366fe
Opcode Fuzzy Hash: ec6352e23b7f11b89d4af8f6f351759161e82b520a68615d9dc5cfe7c8dc13a9
Instruction Fuzzy Hash: 1081E821B0DA9A0FE756AB7C88B51FA7BE1EF87214B4900BBD08DC7193DD1C6846C351

Function 00007FFD346E12C9 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2231544571.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3ffe8a38f9f9f1a3f6a3951ae7c4134592265f58fa38d63dbd73a59e3f4774
Instruction ID: ad694ece9459b16c76883ccac570f9a645b6175fbd479ca0cff2c6484c6ef531
Opcode Fuzzy Hash: 2c3ffe8a38f9f9f1a3f6a3951ae7c4134592265f58fa38d63dbd73a59e3f4774
Instruction Fuzzy Hash: 65518861B18A195FDB64BB7894AE6EE7BE2FF45314F800879E50ED32C2DD2C6851C701

Function 00007FFD346E04D0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2231544571.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9d34f8e5abe5d4f195f38bb5436c321365b87f83353c23e5c734394304eebd
Instruction ID: ac44d863a3465e0dabc8625f56fc3c876aaae26347cec4915b78f1443524322c
Opcode Fuzzy Hash: 7b9d34f8e5abe5d4f195f38bb5436c321365b87f83353c23e5c734394304eebd
Instruction Fuzzy Hash: 0831B521B1C9590FE798EB6C946A3B9B7C2EF9D355F0805BEE04EC3293DD68AC418340

Function 00007FFD346E0AD1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2231544571.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff030800f48a36bd4a01c8983c87718d82b3794fdc4cb741ecc69e612b437c0
Instruction ID: 8358e8b994d3cb7b732f9396104948ce2e1e59b8b929e039117af8cf9bb7e31b
Opcode Fuzzy Hash: 7ff030800f48a36bd4a01c8983c87718d82b3794fdc4cb741ecc69e612b437c0
Instruction Fuzzy Hash: BD31F821B1C9194FEB54BBAC98693FA77E5FF99315F080277E04CC3292DD2C68418751

Function 00007FFD346E0985 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2231544571.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d023ed5acd2f4956329b2b54603b57000aa6ef2eea67b684c6db08214e17e1
Instruction ID: c5f72efd3c80aad775efaf482014938983697b8811d7453eb32b5a07630f2e64
Opcode Fuzzy Hash: 10d023ed5acd2f4956329b2b54603b57000aa6ef2eea67b684c6db08214e17e1
Instruction Fuzzy Hash: 07317F71B18A198FEB54EBACC4A96EEB7F1FF98300F940579D149D7282CE38A841C751

Function 00007FFD346E0800 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2231544571.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec39021d65cdb305dc9d68d54a7a4a9f85571f7a3f5cf121f18e4a93eda27da
Instruction ID: c3d08dcb0b2d6219e86cb12f93dee71c2d59ed1f868d2ede756311cc1e327934
Opcode Fuzzy Hash: aec39021d65cdb305dc9d68d54a7a4a9f85571f7a3f5cf121f18e4a93eda27da
Instruction Fuzzy Hash: F531E421B4895A5BD761FBACD0AA4EA7FE1EF85318F90497DD14CC3387CD286841CB41

Function 00007FFD346E1E11 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2231544571.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e9f4eca328960688d2b87ceab37eedf91fcd623b3997dcabe7ac130dbfcf14
Instruction ID: 955d38dca51ddb5901abb5d6f80fb1f3f85fcb452879e67baf1ab09c0b462c11
Opcode Fuzzy Hash: f6e9f4eca328960688d2b87ceab37eedf91fcd623b3997dcabe7ac130dbfcf14
Instruction Fuzzy Hash: A701FC51A0DA920FE7916B3C55B54F2BFE0DFD6710B4C04BAE588C6196DC1C69C19391

Analysis Process: XClient.exePID: 7516, Parent PID: 4004COMMON

Executed Functions

Function 00007FFD346F1C59 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2342352678.00007FFD346F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd346f0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199120f0ae82adcee9473fdbcafa3bc91d56791008f40e7fdf28dea11b5f57ca
Instruction ID: 2c90d827612f99c3d4cb051eace448a627cae6449dbbc12287a9facbe2cfae2b
Opcode Fuzzy Hash: 199120f0ae82adcee9473fdbcafa3bc91d56791008f40e7fdf28dea11b5f57ca
Instruction Fuzzy Hash: 4251DC51B0E6C90FE796AB7888B52B5BFE5DF9B259B0801FBE0C9C7193DD185806C302

Function 00007FFD346F0C3E Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2342352678.00007FFD346F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd346f0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f2435953e0f9e6f0f9e48d5f5aa27793f049c972aeae8029c2ede18f66959f
Instruction ID: d6645054170a8de72c39fb45d6a46de7e03b395bc81e59d4a18745abba40ceb5
Opcode Fuzzy Hash: 16f2435953e0f9e6f0f9e48d5f5aa27793f049c972aeae8029c2ede18f66959f
Instruction Fuzzy Hash: 45811822B0DA9A0FE756AB6C88B61F97BE1EF87214B4901B7D08DC7193DD2C6C46C351

Function 00007FFD346F12C9 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2342352678.00007FFD346F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd346f0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc044fc972bc2151a7b8c712db9bad00af05aff95dc45f388d7dd45ce9b20617
Instruction ID: bb8cfbac3f942b03c0a5bb1b690ed7090a179293e602b874b7de23f9b06b8752
Opcode Fuzzy Hash: cc044fc972bc2151a7b8c712db9bad00af05aff95dc45f388d7dd45ce9b20617
Instruction Fuzzy Hash: AA51C371B186194FDB65FB7898AA6ED7BA6FF95204F800579E44EC72C6DD2C9801C700

Function 00007FFD346F04D0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2342352678.00007FFD346F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd346f0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53f3994ba722d96bc9722aa33e3919ffbac2ff25106632a35806c3b3bfe610b
Instruction ID: af8c96488c3215cb48d2a3e3e5fcbd0b81c5c5f82204b46ce86b93cf14e971b8
Opcode Fuzzy Hash: d53f3994ba722d96bc9722aa33e3919ffbac2ff25106632a35806c3b3bfe610b
Instruction Fuzzy Hash: F531D721B1C9590FE798EB6C946A2B9B7C6EF9D355F0406BEE04EC32D3DD68AC018340

Function 00007FFD346F0AD1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2342352678.00007FFD346F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd346f0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd34645c72ff9174ae0de031feb49892e2bce3cfe575016c10fcfb4595a8f7a
Instruction ID: 8b735353a402769599086195fa7a8b99f09f8d8b0ed03749c0002daa169b0ebb
Opcode Fuzzy Hash: 7cd34645c72ff9174ae0de031feb49892e2bce3cfe575016c10fcfb4595a8f7a
Instruction Fuzzy Hash: 8B310822B18D194FEB65BBAC98693FD77E5EF99315F0402B7E44CC3292DD2C68018352

Function 00007FFD346F0985 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2342352678.00007FFD346F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd346f0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217a63dfdd73e3473cea8f8986fcd6e469badfa9e1766ea1dd0dc5fdd7df2b86
Instruction ID: 80adfbbf4b17edef2c807eee7f6ff8c43eb9d5948d8ac4967c0a0b6946932f25
Opcode Fuzzy Hash: 217a63dfdd73e3473cea8f8986fcd6e469badfa9e1766ea1dd0dc5fdd7df2b86
Instruction Fuzzy Hash: 52319F71B18A1A8FEB55EBACC8A56ED77A1FF98300F900679D04DD7286CE38A801C740

Function 00007FFD346F0800 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2342352678.00007FFD346F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd346f0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7b4729692e32a959b1eead031de2c78655570c0d083713ded48092c73c0d58
Instruction ID: 3f20ec7ba6499084bc2b096411cea90dd1cacea10e91055517344109d04e2d76
Opcode Fuzzy Hash: 2e7b4729692e32a959b1eead031de2c78655570c0d083713ded48092c73c0d58
Instruction Fuzzy Hash: 1131C165B4854A4FD762FBACD4E21E93FA5FFD5214B904A64D48CCB3DACD286901C780

Function 00007FFD346F1E11 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2342352678.00007FFD346F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd346f0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66402c910a4c1c8d0c2ee20f0726da881be147fa60ccdb7000cba24290ed5b18
Instruction ID: 72ce5e9e8b3d70140267435a4744d52c031eccf9b77ac477797689c559b46eef
Opcode Fuzzy Hash: 66402c910a4c1c8d0c2ee20f0726da881be147fa60ccdb7000cba24290ed5b18
Instruction Fuzzy Hash: 77014716A0D6960FE7926B3C18B54F13FE0EF92250B0805BAE5C8C61D7DC0CA9418382

Analysis Process: XClient.exePID: 7640, Parent PID: 4004COMMON

Executed Functions

Function 00007FFD346E1C59 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2423662597.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed8d507f0b0f71cdda6b92e7a23b4981aa5d614087c17cc188703d3671cbd9b
Instruction ID: 324764d3f4cd50737a857fde5b526745fafbfe51f4157a44923b61a8cc796148
Opcode Fuzzy Hash: aed8d507f0b0f71cdda6b92e7a23b4981aa5d614087c17cc188703d3671cbd9b
Instruction Fuzzy Hash: F451ED50B0D6C90FE796ABB888B52B6BFD5DF8B219B0805FBE0C9C7193DD185846D342

Function 00007FFD346E0C3E Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2423662597.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac623c6facefa8c19626ce40b890cde082106f9deae94fd5c3c8053945ab2b7
Instruction ID: d7c4df6192567a2575db6491fe95af1b2abf52f4e0961d430ec10f8ec7db5aa6
Opcode Fuzzy Hash: 1ac623c6facefa8c19626ce40b890cde082106f9deae94fd5c3c8053945ab2b7
Instruction Fuzzy Hash: 2B81E821B0DA960FE756AB7C88B51FA7BE1EF87214B4900BBD08DC7193DD1C6846C351

Function 00007FFD346E12C9 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2423662597.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfe2cbc5ceac3826a16b077fc3cf56263aeb3afda4f00bc51560293c4b26334
Instruction ID: a398a9035e2f2831e3790e47d99107246346ec6ccb86b32d01e1385c98ad5038
Opcode Fuzzy Hash: acfe2cbc5ceac3826a16b077fc3cf56263aeb3afda4f00bc51560293c4b26334
Instruction Fuzzy Hash: 1A515561B18A194FDB65BB78D4AE6EA7BE2FF45214FC00879E40ED3282DD2C6851C701

Function 00007FFD346E04D0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2423662597.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17752efc2285c6d0fba674329badad44ba40c0bbbd43852705d1bc11481383e6
Instruction ID: 47ad325e5989a776b5cce3f9e4ede8e7bbf8bf420b0e5173d808e4adf917de6d
Opcode Fuzzy Hash: 17752efc2285c6d0fba674329badad44ba40c0bbbd43852705d1bc11481383e6
Instruction Fuzzy Hash: E031B521B1C9590FE798EB6C946A3B9B7C2EF9D355F0805BEE04EC3293DD68AC418340

Function 00007FFD346E0AD1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2423662597.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff030800f48a36bd4a01c8983c87718d82b3794fdc4cb741ecc69e612b437c0
Instruction ID: 8358e8b994d3cb7b732f9396104948ce2e1e59b8b929e039117af8cf9bb7e31b
Opcode Fuzzy Hash: 7ff030800f48a36bd4a01c8983c87718d82b3794fdc4cb741ecc69e612b437c0
Instruction Fuzzy Hash: BD31F821B1C9194FEB54BBAC98693FA77E5FF99315F080277E04CC3292DD2C68418751

Function 00007FFD346E0985 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2423662597.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a2fc3b8908e6083c49f52ea8e63e08fc12562a3877b4e576247a0e655b8275
Instruction ID: cb962f8ee705aaee6b62a1e9419b267727a8474ab45ef59c0912e9c3459386a5
Opcode Fuzzy Hash: e2a2fc3b8908e6083c49f52ea8e63e08fc12562a3877b4e576247a0e655b8275
Instruction Fuzzy Hash: 92318C31B18A5A8FEB95EBACC4A57EA77F1FF98300F940579D049D3282CE78A841C741

Function 00007FFD346E0800 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2423662597.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c1056f5bbe97b6201374501623e19710b4a06d6448ad7754a4fae495601ba2
Instruction ID: def778bf1a271765f01121310c5f2f6cdc95a21a64c0aa4fda58076c90e14543
Opcode Fuzzy Hash: d6c1056f5bbe97b6201374501623e19710b4a06d6448ad7754a4fae495601ba2
Instruction Fuzzy Hash: 2E31C531B4899A4BDBA2FBACD0A61EA3FF1EF85214FD44979D04CC3386CD686941C740

Function 00007FFD346E1E11 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2423662597.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da4832c3a6c2f5625a6444a2539156f91df2ec53f531a6e833c5f35160c06dc
Instruction ID: a977e94a13b954f83386867c41e15a502315cbd3d7fec2ca6e606f4f431e3d32
Opcode Fuzzy Hash: 9da4832c3a6c2f5625a6444a2539156f91df2ec53f531a6e833c5f35160c06dc
Instruction Fuzzy Hash: 01014711A0CAA20FE792AB3C58B54F2BFE0DFD2710B4C04BAE588C6192DC0C69C19392

Analysis Process: XClient.exePID: 4024, Parent PID: 1064COMMON

Executed Functions

Function 00007FFD346E1C59 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2776988202.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494ccd5e0ec2b339748d1ec85d1d95d1e938efd42be640009b41a253b38f747c
Instruction ID: a24ec7d8f6bacdad0c3d2d28e15b362cadd54982de9370113515fb369c3d14dc
Opcode Fuzzy Hash: 494ccd5e0ec2b339748d1ec85d1d95d1e938efd42be640009b41a253b38f747c
Instruction Fuzzy Hash: EF51ED50B0D6C90FE796ABB888B52B6BFD5DF8B219B0805FBE0C9C7193DD185846D342

Function 00007FFD346E0C3E Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2776988202.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea9bdc6f8fcc068c1846f65a3b81a1c4beb24a13477c35664ce6f9ce50c69d5
Instruction ID: 39e1090aa5122ea3180ad7e922f9b6e19b9e37a8a19b00feef9b6f459e9ec56b
Opcode Fuzzy Hash: 9ea9bdc6f8fcc068c1846f65a3b81a1c4beb24a13477c35664ce6f9ce50c69d5
Instruction Fuzzy Hash: 7581E821B0DA9A0FE756AB7C88B51FA7BE1EF87214B4900BBD08DC7193DD1C6846D351

Function 00007FFD346E12C9 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2776988202.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d4bb89b37285c00ad3231bcd73bb62a4a7d3592eb5fe9a2a8437c7a45ec55e
Instruction ID: 0e0e570841452696a0c5d85d2ac919907b3fbe5de8a26e3dda0ece2f3ada097b
Opcode Fuzzy Hash: 47d4bb89b37285c00ad3231bcd73bb62a4a7d3592eb5fe9a2a8437c7a45ec55e
Instruction Fuzzy Hash: 52519561B186194FDB65BBB894AE6EE7BE2FF89304F800879E50ED3283DD2C5911C700

Function 00007FFD346E04D0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2776988202.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974b73c0c68039e96bd72bebd283d533e6ddf6ebcccba03ebd8be46bcda58eb2
Instruction ID: 1784cfe27df504692143c9bdd64066cb9741482f75fd844c034c4a8c499364b6
Opcode Fuzzy Hash: 974b73c0c68039e96bd72bebd283d533e6ddf6ebcccba03ebd8be46bcda58eb2
Instruction Fuzzy Hash: C431B561B1C9590FE798EB6C946A3B9B7C2EF9D355F0805BEE04EC3293DD68AC418340

Function 00007FFD346E0AD1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2776988202.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff030800f48a36bd4a01c8983c87718d82b3794fdc4cb741ecc69e612b437c0
Instruction ID: 8358e8b994d3cb7b732f9396104948ce2e1e59b8b929e039117af8cf9bb7e31b
Opcode Fuzzy Hash: 7ff030800f48a36bd4a01c8983c87718d82b3794fdc4cb741ecc69e612b437c0
Instruction Fuzzy Hash: BD31F821B1C9194FEB54BBAC98693FA77E5FF99315F080277E04CC3292DD2C68418751

Function 00007FFD346E0985 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2776988202.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9be444df1a8ab78ee583535e16590d67fdace4d71360d5c4953bc9d83bdfecb
Instruction ID: f554c9432164d8c2e8e1f3b2d006d94170cc540b30b49e6f3bb5b23666554066
Opcode Fuzzy Hash: e9be444df1a8ab78ee583535e16590d67fdace4d71360d5c4953bc9d83bdfecb
Instruction Fuzzy Hash: 8C31A031B18A198FEB54EBACC4A56EEB7F2FF98301F940579D149D3282CE38A841C750

Function 00007FFD346E0800 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2776988202.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55801197f52c04fcf377a0f03536ae9579872f381d499aa8d7509e3c66efefc9
Instruction ID: 5dcf2104984094fb6c2ae364fca0d468668e88e95d72bd64bd15af4f11804bdb
Opcode Fuzzy Hash: 55801197f52c04fcf377a0f03536ae9579872f381d499aa8d7509e3c66efefc9
Instruction Fuzzy Hash: 0931E161B4895A4FD761FBACD0A64EA7BA2EFC9319F804979D14CC3387CD286941CB80

Function 00007FFD346E1E11 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2776988202.00007FFD346E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd346e0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec047d72eccb90543056fa8969f0f3800e6da9b577b79547a8933cfbfec5392
Instruction ID: f7e414708582540b29152614836901116ce1f20bb5db6d1087be5595fbb3d653
Opcode Fuzzy Hash: 5ec047d72eccb90543056fa8969f0f3800e6da9b577b79547a8933cfbfec5392
Instruction Fuzzy Hash: 2E01F751A0D6A20FE792AB3C59B54F2BFE0DFD6710B4C04BAE588C6197DC1CA981D392

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HdTSntLSMB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

C:\Users\user\AppData\Roaming\XClient.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
HdTSntLSMB.exe

Function 00007FFD346D146D Relevance: 1.9, Strings: 1, Instructions: 655
COMMON

Function 00007FFD346D7AC6 Relevance: .5, Instructions: 476
COMMON

Function 00007FFD346D8872 Relevance: .5, Instructions: 461
COMMON

Function 00007FFD346D26DD Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Function 00007FFD346D2C08 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre