Analysis Overview
SHA256
015d90cb2d696c35b623c2f2283ae931a52fa06eabb162289b183f5bf6c5cafe
Threat Level: Known bad
The file Injector.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Xworm family
Deletes itself
Looks up external IP address via web service
Unsigned PE
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-26 17:41
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 17:41
Reported
2024-05-26 17:43
Platform
win7-20240215-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2824 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | C:\Windows\system32\cmd.exe |
| PID 2824 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | C:\Windows\system32\cmd.exe |
| PID 2824 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | C:\Windows\system32\cmd.exe |
| PID 2796 wrote to memory of 2804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 2796 wrote to memory of 2804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 2796 wrote to memory of 2804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Injector.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1FFF.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | said-webcam.gl.at.ply.gg | udp |
| US | 147.185.221.19:64349 | said-webcam.gl.at.ply.gg | tcp |
Files
memory/2824-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp
memory/2824-1-0x0000000000BB0000-0x0000000000BC0000-memory.dmp
memory/2824-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp
memory/2824-3-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp
memory/2824-4-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1FFF.tmp.bat
| MD5 | d8dc004c8343981caa95d4bf509c6d05 |
| SHA1 | 045e943bf7083060edffad0009251b1b2be3be97 |
| SHA256 | 0f6ef40c96167e40cc98d81cf71976f14bef96211fb6fa33134f7986f961351d |
| SHA512 | 8de89c6110cb0cdf61ed6ae9fa351bf373550ed807d0dfcbdd833587ddd823c35e8214a4a69d25f1aa5fda5f37c5dac7643dbb7f7c01aaf0d05c6d6ac43d5f22 |
memory/2824-14-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 17:41
Reported
2024-05-26 17:44
Platform
win10v2004-20240226-en
Max time kernel
136s
Max time network
143s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2604 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | C:\Windows\system32\cmd.exe |
| PID 2604 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | C:\Windows\system32\cmd.exe |
| PID 3808 wrote to memory of 4136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 3808 wrote to memory of 4136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Injector.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1AE.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
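The process chains above, in both detonations, are the same self-delete routine: Injector.exe (running from %TEMP%) writes to and spawns cmd.exe with `/c` on a `tmpXXXX.tmp.bat`, and that cmd.exe spawns `timeout 3`. The report does not show the batch file's contents (only its hashes), so the example below does not assume them; it keys on the shape of the chain, which is what a detection rule would do. The following is an added example, not output or code from the sandbox: the events are transcribed from the WriteProcessMemory rows and Processes lists of behavioral1 and behavioral2, with the parent PIDs of the top-level processes constructed, since the report does not record them. The msedge.exe utility process listed under behavioral2 has no recorded parent relationship to the sample, so it is modelled as an unrelated process and should not be flagged.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Transcribed from the two detonations. PIDs and parent links come from the
# WriteProcessMemory rows; top-level parent PIDs (1000, 5000) are constructed.
BEHAVIORAL1 = [
    ProcEvent(2824, 1000, r"C:\Users\Admin\AppData\Local\Temp\Injector.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Injector.exe"'),
    ProcEvent(2796, 2824, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1FFF.tmp.bat""'),
    ProcEvent(2804, 2796, r"C:\Windows\system32\timeout.exe", "timeout 3"),
]
BEHAVIORAL2 = [
    ProcEvent(2604, 1000, r"C:\Users\Admin\AppData\Local\Temp\Injector.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Injector.exe"'),
    # Edge utility process from the report; no recorded link to the sample (ppid constructed).
    ProcEvent(5100, 5000, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'),
    ProcEvent(3808, 2604, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1AE.tmp.bat""'),
    ProcEvent(4136, 3808, r"C:\Windows\system32\timeout.exe", "timeout 3"),
]

# cmd /c "<...>\Temp\tmpXXXX.tmp.bat": a temp-file name with a .bat suffix, as in both runs.
TMP_BAT_RE = re.compile(r'/c\s+"*([A-Za-z]:\\[^"]*?\\Temp\\tmp\w+\.tmp\.bat)', re.IGNORECASE)
# "timeout 3", "timeout.exe /t 3", or a full path to timeout.exe.
TIMEOUT_RE = re.compile(r'^(?:.*\\)?timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)', re.IGNORECASE)


def find_self_delete_chains(events):
    """Return one record per <parent> -> cmd.exe /c tmp*.tmp.bat -> timeout N chain."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    hits = []
    for cmd in events:
        if not cmd.image.lower().endswith("\\cmd.exe"):
            continue
        m = TMP_BAT_RE.search(cmd.cmdline)
        if not m:
            continue
        delays = []
        for child in children.get(cmd.pid, []):
            t = TIMEOUT_RE.match(child.cmdline)
            if t and child.image.lower().endswith("\\timeout.exe"):
                delays.append(int(t.group(1)))
        if not delays:
            continue  # batch without a delay: not the pattern seen here
        parent = by_pid.get(cmd.ppid)
        hits.append({
            "dropper": parent.image if parent else None,
            "dropper_pid": cmd.ppid,
            "cmd_pid": cmd.pid,
            "bat": m.group(1),
            "delay_s": delays[0],
            # An executable in %TEMP% launching its own delete-after-wait batch is the strong signal.
            "dropper_in_temp": bool(parent) and "\\appdata\\local\\temp\\" in parent.image.lower(),
        })
    return hits


if __name__ == "__main__":
    for run, events in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        for hit in find_self_delete_chains(events):
            print(run, hit)
```

On a real endpoint the same logic runs over Sysmon event ID 1 (process creation) records, where ParentProcessId and CommandLine carry the fields used here. Keep the parent image in the alert: the `cmd /c tmp*.tmp.bat` plus `timeout` pair is not unique to XWorm, and the triage value is in what launched it and from where.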
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | said-webcam.gl.at.ply.gg | udp |
| US | 147.185.221.19:64349 | said-webcam.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
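Reading this table (and the shorter one under behavioral1, whose four rows all reappear here) needs three distinctions a practitioner would make before lifting indicators from it. The `8.8.8.8:53` destinations are the sandbox's resolver, not an indicator. The `in-addr.arpa` names are reverse lookups; decoding them shows that two (`1.112.95.208` and `19.221.185.147`) are the PTR queries for the two hosts the sample actually connected to, while the rest do not match any TCP connection in the report. Of the forward connections, `ip-api.com` is an external-IP lookup that XWorm performs but that plenty of benign software also performs, so on its own it is a weak indicator; the durable indicator is the `said-webcam.gl.at.ply.gg` hostname, with `147.185.221.19:64349` being the relay endpoint it resolved to during this run. That `ply.gg` hostnames belong to the playit.gg tunnelling service, and that its relay IPs and ports are shared and rotate, is the editor's knowledge and not stated in the report. The following is an added example, not part of the sandbox output: it transcribes the rows above and labels them accordingly.

```python
import re

# Rows transcribed from the behavioral2 Network table: (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "138.136.73.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "ip-api.com", "udp"),
    ("US", "208.95.112.1:80", "ip-api.com", "tcp"),
    ("US", "8.8.8.8:53", "1.112.95.208.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "said-webcam.gl.at.ply.gg", "udp"),
    ("US", "147.185.221.19:64349", "said-webcam.gl.at.ply.gg", "tcp"),
    ("US", "8.8.8.8:53", "19.221.185.147.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.165.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "23.236.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "227.162.46.104.in-addr.arpa", "udp"),
]

TUNNEL_SUFFIXES = (".ply.gg",)      # playit.gg tunnel hostnames (editor's knowledge): the C2 here
IP_LOOKUP_HOSTS = {"ip-api.com"}    # external-IP lookup: weak indicator on its own
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.IGNORECASE)


def ptr_to_ip(name):
    """Turn a reverse-lookup name back into the IPv4 address it refers to, or None."""
    m = PTR_RE.match(name.strip())
    return ".".join(reversed(m.groups())) if m else None


def classify(rows):
    """Label each row: tunnel-c2, external-ip-lookup, reverse-dns-of-contacted-ip,
    reverse-dns-other, or unknown."""
    contacted = {dest.rsplit(":", 1)[0] for _, dest, _, proto in rows if proto == "tcp"}
    labelled = []
    for _country, dest, domain, proto in rows:
        host = domain.lower()
        ip = ptr_to_ip(host)
        if ip is not None:
            tag = "reverse-dns-of-contacted-ip" if ip in contacted else "reverse-dns-other"
        elif host in IP_LOOKUP_HOSTS:
            tag = "external-ip-lookup"
        elif host.endswith(TUNNEL_SUFFIXES):
            tag = "tunnel-c2"
        else:
            tag = "unknown"
        labelled.append((dest, host, proto, tag))
    return labelled


def blocklist(rows):
    """Indicators worth acting on: C2 hostnames, plus the relay endpoint used in this run.
    The hostname is the durable indicator; the relay IP:port is shared tunnel infrastructure."""
    hosts, endpoints = set(), set()
    for dest, host, proto, tag in classify(rows):
        if tag == "tunnel-c2":
            hosts.add(host)
            if proto == "tcp":
                endpoints.add(dest)
    return sorted(hosts), sorted(endpoints)


if __name__ == "__main__":
    for dest, host, proto, tag in classify(ROWS):
        print(f"{tag:28} {proto} {dest:22} {host}")
    print("block:", blocklist(ROWS))
```

When the same logic is pointed at a second sample's report, a new `*.ply.gg` subdomain with a different relay IP is the expected outcome; alert on the suffix and the sandbox-resolved hostname, and treat the relay address as supporting evidence rather than the primary block.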
Files
memory/2604-0-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp
memory/2604-1-0x0000000000530000-0x0000000000540000-memory.dmp
memory/2604-2-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp
memory/2604-3-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp
memory/2604-4-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF1AE.tmp.bat
| MD5 | 5514ff68cab0839bb0d24b01cbcc9ab3 |
| SHA1 | 7efb192b3bf450724ceef96f3f22a3d7bf409e3a |
| SHA256 | a291a80444885cf70fd44afd73d76f6b560cadf5bb18328d1327287967c1192c |
| SHA512 | b21a04858630c7b087b4ab8a2be599602be4174f9ec77cc7aa04737cd3cad92b76b03dc1580c631af9f546b8d85dfe081998d18dd4e4f20892a96aa83667fe20 |
memory/2604-9-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp