Malware Analysis Report

2024-11-16 13:35

Sample ID 240526-s3e1cabd4v
Target siski.exe
SHA256 db17812e10401ae3cdc44e07272758c155e215ccc2d4859833d7a26e38706d92
Tags xworm execution persistence rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 db17812e10401ae3cdc44e07272758c155e215ccc2d4859833d7a26e38706d92

Threat Level: Known bad

The file siski.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm family

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-26 15:38

Signatures

Detect Xworm Payload

Xworm family

xworm

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-26 15:38
Reported 2024-05-26 15:41
Platform win7-20240508-en
Max time kernel 146s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\siski.exe"

Signatures

Detect Xworm Payload

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe" | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2188 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\siski.exe

"C:\Users\Admin\AppData\Local\Temp\siski.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\siski.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'siski.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | character-estimate.gl.at.ply.gg | udp
US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-26 15:38
Reported 2024-05-26 15:41
Platform win10-20240404-en
Max time kernel 143s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\siski.exe"

Signatures

Detect Xworm Payload

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe" | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\siski.exe

"C:\Users\Admin\AppData\Local\Temp\siski.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\siski.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'siski.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | character-estimate.gl.at.ply.gg | udp
US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4sarzqs1.o3k.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Analysis: behavioral3

Detonation Overview

Submitted 2024-05-26 15:38
Reported 2024-05-26 15:41
Platform win10v2004-20240226-en
Max time kernel 149s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\siski.exe"

Signatures

Detect Xworm Payload

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe" | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\siski.exe

"C:\Users\Admin\AppData\Local\Temp\siski.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\siski.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'siski.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4388 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | character-estimate.gl.at.ply.gg | udp
US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phtjbhiw.0py.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Analysis: behavioral4

Detonation Overview

Submitted 2024-05-26 15:38
Reported 2024-05-26 15:41
Platform win11-20240426-en
Max time kernel 144s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\siski.exe"

Signatures

Detect Xworm Payload

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe" | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\siski.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\siski.exe

"C:\Users\Admin\AppData\Local\Temp\siski.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\siski.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'siski.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwlvdq4k.rjn.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
