Analysis Overview
SHA256
9a2bf745baf56c027d7e4d52cc7c41cc7b2748d634677384fc2d9eecdb8f7485
Threat Level: Known bad
The file XWorm-Rat-Remote-Administration-Tool--main.zip was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Asyncrat family
AsyncRat
Downloads MZ/PE file
Obfuscated with Agile.Net obfuscator
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Program crash
Enumerates physical storage devices
Enumerates system info in registry
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-19 14:45
Signatures
Async RAT payload
Asyncrat family
Obfuscated with Agile.Net obfuscator
Analysis: behavioral25
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
28s
Max time network
33s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
64s
Max time network
133s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
126s
Max time network
154s
Command Line
Signatures
AsyncRat
Async RAT payload
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sysfile32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x86.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sysfile32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\x86.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sysfile32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe"
\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\windows\temp\yjed03tr.inf
C:\Users\Admin\AppData\Local\Temp\x86.exe
C:\Users\Admin\AppData\Local\Temp\x86.exe
C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
C:\Users\Admin\AppData\Local\Temp\sysfile32.exe
"C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ChromeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA9C.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "ChromeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main.zip
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.0.844819942\995053127" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cd734d0-027f-49b9-8fea-bed8da25f83b} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 1932 203f2eef858 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.1.1368469249\162420822" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {677a6a64-00e1-4d83-9d3e-75677518f7cb} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 2332 203e5f70758 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.2.330279750\583964726" -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3044 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d091b0a-99f0-4bea-a9bf-65613e0e5e94} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 2940 203f2e66558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.3.1301926521\45450349" -childID 2 -isForBrowser -prefsHandle 2492 -prefMapHandle 3524 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0d2a7a1-8696-4b5b-8cc1-484c977ada7a} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 2480 203e5f62b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.4.505766572\643992425" -childID 3 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e955b06f-ecce-4237-aafa-20a58439d8ad} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 3952 203f6df4858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.5.1520109427\2131821777" -childID 4 -isForBrowser -prefsHandle 5092 -prefMapHandle 5040 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ac47df9-db0a-406f-9ab2-030bd13c4db1} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5056 203e5f2fc58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.6.1049507184\666730950" -childID 5 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e155ba4-1ad0-4fd1-a49d-4fd8b3f0fe0a} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5308 203f979cf58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.7.1234046461\1914958036" -childID 6 -isForBrowser -prefsHandle 5448 -prefMapHandle 5092 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0838893-7402-4aa5-ae98-e51ed2dd3a9f} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5440 203f979de58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.8.1293284175\2029035580" -childID 7 -isForBrowser -prefsHandle 5816 -prefMapHandle 5292 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8171af6-1902-4e17-84fe-60e34d261b19} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5808 203f6107558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.9.1880118340\1697038352" -childID 8 -isForBrowser -prefsHandle 6036 -prefMapHandle 6040 -prefsLen 26851 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b622f21-0377-4a9c-89ee-0681c3c845e7} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 6024 203f790d058 tab
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
61s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\FastColoredTextBox.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230221-en
Max time kernel
61s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\NAudio.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
150s
Max time network
34s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.php\ = "php_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\php_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\php_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\php_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\php_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\php_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\php_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.php | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 624 wrote to memory of 1880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 624 wrote to memory of 1880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 624 wrote to memory of 1880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1880 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1880 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1880 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1880 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\Uploader.php
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\Uploader.php
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\Uploader.php"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
93s
Max time network
153s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 91.198.174.192:443 | | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 20.42.65.85:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| NL | 173.223.113.131:80 | | tcp |
Files
memory/1028-133-0x0000000000280000-0x0000000000288000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fkwzxap5.nhw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1028-143-0x000000001CDF0000-0x000000001CE12000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
62s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\Guna.UI2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 52.109.13.63:443 | | tcp |
| US | 192.229.221.95:80 | | tcp |
| US | 13.89.179.8:443 | | tcp |
| IE | 20.54.89.15:443 | | tcp |
| US | 117.18.232.240:80 | | tcp |
| US | 117.18.232.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
28s
Max time network
32s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\NAudio.dll,#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
31s
Max time network
33s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1196 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe | C:\Windows\system32\WerFault.exe |
| PID 1196 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe | C:\Windows\system32\WerFault.exe |
| PID 1196 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1196 -s 528
Network
Files
memory/1196-54-0x0000000000AD0000-0x0000000000AD8000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1344 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe | C:\Windows\system32\WerFault.exe |
| PID 1344 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe | C:\Windows\system32\WerFault.exe |
| PID 1344 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1344 -s 1508
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
Files
memory/1344-54-0x00000000000D0000-0x000000000040E000-memory.dmp
memory/1344-55-0x00000000005A0000-0x00000000005C0000-memory.dmp
memory/1344-56-0x000000001B5B0000-0x000000001B630000-memory.dmp
memory/1344-57-0x000000001B5B0000-0x000000001B630000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
129s
Max time network
142s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ChromeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2924.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "ChromeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
Network
| Country | Destination | Domain | Proto |
| TR | 37.18.62.18:8060 | | tcp |
| TR | 37.18.62.18:8060 | | tcp |
| TR | 37.18.62.18:8060 | | tcp |
| TR | 37.18.62.18:8060 | | tcp |
| TR | 37.18.62.18:8060 | | tcp |
Files
memory/1748-54-0x00000000002A0000-0x00000000002B2000-memory.dmp
memory/1748-55-0x0000000004E80000-0x0000000004EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp2924.tmp.bat
| MD5 | 989ed820c656350b217255a0fbfbff2d |
| SHA1 | 32353cba4fa7b192a5413d24bdc0928642497340 |
| SHA256 | cbead317b735aac31ee742179c95abcede0787de131724351dd45bdbd74d6210 |
| SHA512 | 3c29f9f8268169919c9df03113bd2bd3bb8b9f91eb9d2f350e2a9357b26a31ab1d64c3063b2eb0b42bf0b3d5316d5f582b0a4c400e6f0d714d265b8565a08114 |
\Users\Admin\AppData\Roaming\ChromeUpdate.exe
| MD5 | 9b64d05f82ebaa3e51a79c1beeed2181 |
| SHA1 | 28b89cd9f181c41586b06f3e3c1f90e2270781ef |
| SHA256 | 93c7fd938042af85f3d429c387b04952f4b97832857fbf0156ae82e4f516fcf8 |
| SHA512 | 580bc63ec3e6993099deae7e103f8565b42cce3288d78186f9dabea3d8e5c2e6816e1b20439fafd5b94ff24cbaa3eba1154cb995692b3674d5c5c63b6c1dfc13 |
C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
| MD5 | 9b64d05f82ebaa3e51a79c1beeed2181 |
| SHA1 | 28b89cd9f181c41586b06f3e3c1f90e2270781ef |
| SHA256 | 93c7fd938042af85f3d429c387b04952f4b97832857fbf0156ae82e4f516fcf8 |
| SHA512 | 580bc63ec3e6993099deae7e103f8565b42cce3288d78186f9dabea3d8e5c2e6816e1b20439fafd5b94ff24cbaa3eba1154cb995692b3674d5c5c63b6c1dfc13 |
memory/1820-68-0x0000000000120000-0x0000000000132000-memory.dmp
memory/1820-69-0x0000000004E80000-0x0000000004EC0000-memory.dmp
memory/1820-70-0x0000000004E80000-0x0000000004EC0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
27s
Max time network
30s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1092 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe | C:\Windows\system32\WerFault.exe |
| PID 1092 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe | C:\Windows\system32\WerFault.exe |
| PID 1092 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1092 -s 524
Network
Files
memory/1092-54-0x0000000001220000-0x0000000001228000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
150s
Max time network
34s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.dat\ = "dat_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\dat_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\dat_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\dat_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\dat_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.dat | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\dat_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1328 wrote to memory of 980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1328 wrote to memory of 980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1328 wrote to memory of 980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 980 wrote to memory of 632 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 980 wrote to memory of 632 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 980 wrote to memory of 632 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 980 wrote to memory of 632 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\GeoIP.dat
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\GeoIP.dat
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\GeoIP.dat"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
104s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\GeoIP.dat
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.18.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| IE | 20.54.89.15:443 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp |
| US | 67.24.35.254:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
111s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 1480 -ip 1480
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1480 -s 1764
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.17.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| FR | 51.11.192.49:443 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
Files
memory/1480-133-0x00000172A65F0000-0x00000172A692E000-memory.dmp
memory/1480-134-0x00000172A85A0000-0x00000172A85B0000-memory.dmp
memory/1480-135-0x00000172A6ED0000-0x00000172A6EDA000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
150s
Max time network
34s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\md_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\md_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.md\ = "md_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\md_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\md_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.md | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\md_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1168 wrote to memory of 1456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1168 wrote to memory of 1456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1168 wrote to memory of 1456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1456 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1456 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1456 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1456 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\README.md
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\README.md
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\README.md"
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
74s
Max time network
128s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\README.md
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| IE | 20.54.89.15:443 | | tcp |
| US | 52.168.112.67:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| NL | 8.253.208.113:80 | | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
91s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\Uploader.php
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 40.77.2.164:443 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 20.42.73.24:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| NL | 88.221.25.155:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.111.26.67.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.0.1034358815\1660774573" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa23cbb-0003-4c52-ba38-4445badae330} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 1900 183e9a91958 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.1.20790494\382531592" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9f0d886-9b0a-4641-8936-29b66c5d6ab7} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 2300 183db972e58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.2.256786418\525697426" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 3024 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db52919c-337d-4cf3-b6d9-739d1849ff1f} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 3252 183ec6e6c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.3.1380914045\837485481" -childID 2 -isForBrowser -prefsHandle 2328 -prefMapHandle 1472 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad238c24-d4b7-4d46-9dc9-f9b421a42bd7} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 2928 183db970a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.4.1698835549\292654639" -childID 3 -isForBrowser -prefsHandle 3988 -prefMapHandle 3984 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1eb2946-85f1-4dd2-8caa-d84fb4a99e52} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 3996 183ec857958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.5.35368348\1300412696" -childID 4 -isForBrowser -prefsHandle 5036 -prefMapHandle 5048 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bab490e4-3c51-4227-872a-846882986517} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 4780 183eea7b858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.7.495778722\353049683" -childID 6 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b34c40e-56e5-41e6-80a6-b6fd4d1e8bd4} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 5400 183eee85658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.6.734838649\926386023" -childID 5 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {742070f0-c9be-488a-9cec-b359a865e30f} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 5304 183eee84d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.8.1119359329\1872870993" -childID 7 -isForBrowser -prefsHandle 4560 -prefMapHandle 3728 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fae9038-717f-4e8b-bb35-5bb0f2f1cfdc} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 4880 183eb95ba58 tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 184.28.198.210:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 210.198.28.184.in-addr.arpa | udp |
| FR | 51.11.192.49:443 | | tcp |
| N/A | 127.0.0.1:49779 | | tcp |
| N/A | 127.0.0.1:49786 | | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 54.149.234.21:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.117.65.55:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 239.237.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.5.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.9.241.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.65.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.234.149.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.144.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 117.18.232.240:80 | | tcp |
| US | 8.8.8.8:53 | www.port.com | udp |
| US | 8.8.8.8:53 | www.port.com | udp |
| US | 8.8.8.8:53 | www.port.com | udp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 8.8.8.8:53 | prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 117.18.232.240:80 | | tcp |
| US | 117.18.232.240:80 | | tcp |
| US | 117.18.232.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| GB | 88.221.134.209:80 | a19.dscg10.akamai.net | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 216.58.208.110:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | 209.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r4---sn-5hneknee.gvt1.com | udp |
| GB | 216.58.208.110:443 | redirector.gvt1.com | udp |
| NL | 74.125.8.73:443 | r4---sn-5hneknee.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-5hneknee.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-5hneknee.gvt1.com | udp |
| NL | 74.125.8.73:443 | r4.sn-5hneknee.gvt1.com | udp |
| US | 8.8.8.8:53 | 73.8.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.111.73.144:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.111.73.144:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | fennec-catalog-cdn.prod.mozaws.net | udp |
| US | 34.111.73.144:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| US | 34.111.73.144:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| US | 34.111.73.144:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| US | 34.111.73.144:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | fennec-catalog-cdn.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 144.73.111.34.in-addr.arpa | udp |
Files
memory/1064-133-0x0000000000F10000-0x00000000010FA000-memory.dmp
memory/1064-134-0x0000000006140000-0x00000000066E4000-memory.dmp
memory/1064-135-0x0000000005AB0000-0x0000000005B42000-memory.dmp
memory/1064-136-0x0000000005C30000-0x0000000005CCC000-memory.dmp
memory/1064-137-0x0000000005B90000-0x0000000005BF6000-memory.dmp
memory/1064-138-0x0000000005E30000-0x0000000005E40000-memory.dmp
memory/1064-139-0x0000000006B00000-0x0000000006B0A000-memory.dmp
memory/1064-140-0x0000000006E60000-0x0000000007084000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
| MD5 | 14ff402962ad21b78ae0b4c43cd1f194 |
| SHA1 | f8a510eb26666e875a5bdd1cadad40602763ad72 |
| SHA256 | fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b |
| SHA512 | daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b |
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
| MD5 | 14ff402962ad21b78ae0b4c43cd1f194 |
| SHA1 | f8a510eb26666e875a5bdd1cadad40602763ad72 |
| SHA256 | fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b |
| SHA512 | daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b |
memory/1064-148-0x0000000072F30000-0x0000000072FB9000-memory.dmp
memory/1064-149-0x0000000005E30000-0x0000000005E40000-memory.dmp
memory/1064-150-0x0000000005E30000-0x0000000005E40000-memory.dmp
memory/1064-151-0x0000000005E30000-0x0000000005E40000-memory.dmp
memory/1064-152-0x0000000005E30000-0x0000000005E40000-memory.dmp
memory/1064-153-0x0000000005E30000-0x0000000005E40000-memory.dmp
memory/1064-154-0x0000000005E30000-0x0000000005E40000-memory.dmp
memory/1064-155-0x0000000005E30000-0x0000000005E40000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js
| MD5 | 1984b45f201f1fd79d2154406648433b |
| SHA1 | 42f082dc6d4d43333688690bf4dfa7c7f8b618ab |
| SHA256 | 000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9 |
| SHA512 | e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 9e8d24f784a87a56f2cdedbd1aa36456 |
| SHA1 | 78f59f9c48eee4b7bf4d602ea5922aabe86e597e |
| SHA256 | 3c56c20579943a51262f81402b2de182b8dfd75a929135c74242181e2f8ae481 |
| SHA512 | aa1059da4a500083ce195b44a07f2b294e0210270ade87de7f6a26303f18b4723d05bf2e42f201896f1faed7cb2f4a19679ed1ba32c59181b6fa6ffb9780dd35 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
| MD5 | b6bb2a8d961eb572fdc2ccdad662e421 |
| SHA1 | d2394572604c87256e613ef09b19fb0782fa5807 |
| SHA256 | 08183972eea319fb853e31aabdc65c0b80eb3d33c5c8949ba9be6628922150bb |
| SHA512 | b0eb78e1d129a6671185eb07f234576862f8d4a06e2133009ae6f7ea5e822c67799869899b1616f7e51cdfa62a945a4139b235bb764aa37086a49ebf592ccfcc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 32c6f6d8f3ceb48aba9af752781d19ee |
| SHA1 | 3bc889ea95f0987a2af4418e049115b9249318f9 |
| SHA256 | 7a3e6ebaba2af8f3604d6a330b41318f9db1fa2f960b85c9683b2294220b5cfc |
| SHA512 | 804e21db711a94a9bf0d4a1ed80376208e4f6f840fa1f4aaee28381fa45746fcc3a1bb8c83b35d4586b616d6c302974ba243d54056e1591540ebed20c3fdd6df |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
| MD5 | 01a6c495049f675554b56b365c244827 |
| SHA1 | 7d121ff603e22b29e473c127c929f6423fc93ac0 |
| SHA256 | 3f4cc0bc81b2a98190ba408d673ecb70fd206e55fb73b4f80fd8ece24617c147 |
| SHA512 | f23a00b0207d8beaf7546c19218266507d42a81e65a1ac15fa46d4c8278268ff1a3a4da7a3a699afe8b29978824fe2ff7019be4b68a3b5b3ba1d5a213c2a79c0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
| MD5 | 6e3178702727013aaf966d39f9de0145 |
| SHA1 | 21f701d54f2c9e5b2df8997a1912ba43f0a1efc2 |
| SHA256 | 8084da8f84b538c50d78b496cbe676ebcdf90a721fde3e1b9969c821056c1f23 |
| SHA512 | 8e664615476776c6b35f5e0077a108385db78ea8c7ce8886bfc33144f0f065350235613444cf162a58dceb5f8e10cf1d1aa8090554e15475eb9446b0e95371b7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 00845a67c8d84f4495fdfe9381b99d4c |
| SHA1 | db79419580d607ccd36d8e3aa545e8a252fef3ef |
| SHA256 | f3dbc61fa5cf1ae6b1f970af926d27413af38a8e133759b9c793dbe925f797dd |
| SHA512 | cf1f3c59eac5b8af351d256178a3cb823c393c5abff2938d80c268174d959b0a658d368d8307c609d62b1375fc2477e2e03237cee7cc79db7bdd4e6497e40436 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
| MD5 | d166130d31532686f64e3efa48a08b47 |
| SHA1 | c603b92d14a371d0a08c45987545d6877f2ae9f1 |
| SHA256 | 64befed764776751bf5ac51235d1ef771584efa47508724eb81edbaaea77216d |
| SHA512 | cf6bcf77f7c04ff84cc790004ad107f60607a0ab4173ac0250d2e17617b9b81ffb6c276c676d92e29c98b5b08c237ee1b95d7b3e84350add4d1b2f392299a024 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\entries\A4BC0C99327D7691FF360F07D11373B5791EB30C
| MD5 | 88f53a2c5b0f66876b8d642ffc41a8e9 |
| SHA1 | f878fbffb40cbdf28af4c3859513af84feff7eb7 |
| SHA256 | 74cc545d751d6c91d7876667acbd9be8fcf1dbc62912abbd8df9e2efd9493106 |
| SHA512 | 7196704c65c7995f7afbd5df71899c295a88b1d0304bf918593a3ccf86fc9bb92b9903b66ffd3809b9e9b95832376628fa64a702445d23fe0d45858f3626493a |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
| MD5 | ed2990155ce684338b4aee5ef9e25f56 |
| SHA1 | 25b37c40aca0ca4d32b1920550c3b38984f177d3 |
| SHA256 | c50f53b21be54b9838ec6c5db4e7dd5296c69cef547092524e79af7f5aa5d8ee |
| SHA512 | e67da12a4105d38bcafba228d132dc39405d240ddd7e77a9789718f4f7656e3970a3deb92d54aed0b0ead301405f1c1ba5f67947d14236d47e1e870bffce0236 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
105s
Max time network
147s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main.zip
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6529758,0x7fef6529768,0x7fef6529778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1324,i,11621186563022115270,2890432994080848135,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1324,i,11621186563022115270,2890432994080848135,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1324,i,11621186563022115270,2890432994080848135,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2200 --field-trial-handle=1324,i,11621186563022115270,2890432994080848135,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1324,i,11621186563022115270,2890432994080848135,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1324,i,11621186563022115270,2890432994080848135,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1392 --field-trial-handle=1324,i,11621186563022115270,2890432994080848135,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3920 --field-trial-handle=1324,i,11621186563022115270,2890432994080848135,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4080 --field-trial-handle=1324,i,11621186563022115270,2890432994080848135,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | apis.google.com | udp |
| DE | 172.217.23.206:443 | apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
Files
\??\pipe\crashpad_1360_YPBNATQZWTBTBLGQ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c57f52ee02cdc493069f75a9954b1cfa |
| SHA1 | 8d96ee60562db060c06f5f1b27e69eec12d98e62 |
| SHA256 | 6dd0a0cf14a7d6283eadd85161725908883cf4570ef6e693d751576bf128bab7 |
| SHA512 | 707e1e38cd2b7e7a32ac7c7d7dcc24ba19a4b7b6afaa753f616e805b4cede764858479bddb7b21add77feed8026bbc30b9f17aaefeabe20f25c5104dde796c54 |
Analysis: behavioral7
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\Fixer.bat"
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
31s
Max time network
33s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\Guna.UI2.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"
Network
Files
memory/1060-54-0x00000000008F0000-0x0000000000ADA000-memory.dmp
memory/1060-55-0x0000000005970000-0x0000000005B94000-memory.dmp
\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
| MD5 | 14ff402962ad21b78ae0b4c43cd1f194 |
| SHA1 | f8a510eb26666e875a5bdd1cadad40602763ad72 |
| SHA256 | fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b |
| SHA512 | daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b |
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
| MD5 | 14ff402962ad21b78ae0b4c43cd1f194 |
| SHA1 | f8a510eb26666e875a5bdd1cadad40602763ad72 |
| SHA256 | fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b |
| SHA512 | daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b |
Analysis: behavioral24
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ChromeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA0AA.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "ChromeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
Network
Files
memory/4828-133-0x0000000000C70000-0x0000000000C82000-memory.dmp
memory/4828-134-0x0000000005720000-0x0000000005730000-memory.dmp
memory/4828-135-0x0000000005730000-0x00000000057CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA0AA.tmp.bat
| MD5 | df43e396af7073b8af4af9aee5460687 |
| SHA1 | 1e07abcf80549e2460ddc1213f09c61d14e5dcf1 |
| SHA256 | a7baeb1ba4e5d4a5da6b1d8f4de37d846b7b9e4bfe70f0e19741eeae0e90ba6c |
| SHA512 | ac1eff6517b28dbb4c257ee1c37adba3952f186a7953494a3b35d51c9431710e6cab31a8f320d4f24a394d1f95f729284981e96033f1a86bcca24457faf5863b |
C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
| MD5 | 9b64d05f82ebaa3e51a79c1beeed2181 |
| SHA1 | 28b89cd9f181c41586b06f3e3c1f90e2270781ef |
| SHA256 | 93c7fd938042af85f3d429c387b04952f4b97832857fbf0156ae82e4f516fcf8 |
| SHA512 | 580bc63ec3e6993099deae7e103f8565b42cce3288d78186f9dabea3d8e5c2e6816e1b20439fafd5b94ff24cbaa3eba1154cb995692b3674d5c5c63b6c1dfc13 |
memory/2888-144-0x0000000005270000-0x0000000005280000-memory.dmp
memory/2888-145-0x0000000005270000-0x0000000005280000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win7-20230220-en
Max time kernel
32s
Max time network
35s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\FastColoredTextBox.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-04-19 14:45
Reported
2023-04-19 14:48
Platform
win10v2004-20230220-en
Max time kernel
112s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\Fixer.bat"
Network