Analysis Overview
SHA256
6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5
Threat Level: Known bad
The file 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe was found to be: Known bad.
Malicious Activity Summary
Detects Windows executables referencing non-Windows User-Agents
StormKitty
Xworm
StormKitty payload
Contains code to disable Windows Defender
Xworm family
Detect Xworm Payload
Detects executables referencing credit card regular expressions
Detects executables containing artifacts associated with disabling Windows Defender
Detects Windows executables referencing non-Windows User-Agents
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Detects executables referencing Windows vault credential objects. Observed in infostealers
Reads user/profile data of web browsers
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-01 01:36
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-01 01:36
Reported
2024-05-01 01:38
Platform
win7-20240221-en
Max time kernel
121s
Max time network
145s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing artifacts associated with disabling Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing Windows vault credential objects. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing credit card regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe
"C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 91.92.242.85:3344 | | tcp |
| NL | 91.92.242.85:3344 | | tcp |
Files
memory/2728-0-0x0000000000D30000-0x0000000000D3E000-memory.dmp
memory/2728-1-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp
memory/2728-2-0x000000001AD60000-0x000000001ADE0000-memory.dmp
memory/2728-3-0x0000000000D10000-0x0000000000D1E000-memory.dmp
memory/2728-4-0x000000001C130000-0x000000001C250000-memory.dmp
memory/2728-28-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp
memory/2728-29-0x000000001AD60000-0x000000001ADE0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-01 01:36
Reported
2024-05-01 01:38
Platform
win10v2004-20240419-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe
"C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 91.92.242.85:3344 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| NL | 91.92.242.85:3344 | | tcp |
| NL | 91.92.242.85:3344 | | tcp |
| NL | 91.92.242.85:3344 | | tcp |
| NL | 91.92.242.85:3344 | | tcp |
| NL | 91.92.242.85:3344 | | tcp |
Files
memory/1112-0-0x00000000006C0000-0x00000000006CE000-memory.dmp
memory/1112-1-0x00007FFA57FC0000-0x00007FFA58A81000-memory.dmp
memory/1112-2-0x000000001B2E0000-0x000000001B2F0000-memory.dmp
memory/1112-3-0x00007FFA57FC0000-0x00007FFA58A81000-memory.dmp
memory/1112-4-0x000000001B2E0000-0x000000001B2F0000-memory.dmp