Analysis Overview
SHA256
eb0eac20db3f8e71bc53d2527452cf18acb95b7541cdf61c6520d113194f7cc6
Threat Level: Known bad
The file Steam (3).exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 08:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 08:14
Reported
2024-05-27 08:14
Platform
win10-20240404-en
Max time kernel
26s
Max time network
28s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\ProgramData\\Steam.exe" | C:\Users\Admin\AppData\Local\Temp\Steam (3).exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Steam (3).exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Steam (3).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Steam (3).exe
"C:\Users\Admin\AppData\Local\Temp\Steam (3).exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Steam (3).exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam (3).exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Steam.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\ProgramData\Steam.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | region-vip.gl.at.ply.gg | udp |
| US | 147.185.221.18:52733 | region-vip.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp |
Files
memory/4520-0-0x0000000073E4E000-0x0000000073E4F000-memory.dmp
memory/4520-1-0x0000000000030000-0x00000000000F6000-memory.dmp
memory/4520-2-0x0000000004900000-0x0000000004992000-memory.dmp
memory/4520-3-0x0000000073E40000-0x000000007452E000-memory.dmp
memory/4520-4-0x0000000004CF0000-0x0000000004D46000-memory.dmp
memory/4520-5-0x0000000004E70000-0x0000000004F0C000-memory.dmp
memory/3620-8-0x00000000047B0000-0x00000000047E6000-memory.dmp
memory/3620-9-0x0000000073E40000-0x000000007452E000-memory.dmp
memory/3620-10-0x0000000073E40000-0x000000007452E000-memory.dmp
memory/3620-11-0x00000000071E0000-0x0000000007808000-memory.dmp
memory/3620-12-0x00000000071B0000-0x00000000071D2000-memory.dmp
memory/3620-13-0x0000000007A60000-0x0000000007AC6000-memory.dmp
memory/3620-14-0x0000000007AD0000-0x0000000007B36000-memory.dmp
memory/3620-15-0x0000000007B50000-0x0000000007EA0000-memory.dmp
memory/3620-16-0x0000000007A20000-0x0000000007A3C000-memory.dmp
memory/3620-17-0x0000000007FA0000-0x0000000007FEB000-memory.dmp
memory/3620-18-0x0000000008230000-0x00000000082A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_poozkox3.sl0.ps1
| Hash | Value |
| --- | --- |
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3620-36-0x000000006FA90000-0x000000006FADB000-memory.dmp
memory/3620-37-0x0000000073E40000-0x000000007452E000-memory.dmp
memory/3620-35-0x0000000009350000-0x0000000009383000-memory.dmp
memory/3620-38-0x0000000009310000-0x000000000932E000-memory.dmp
memory/3620-43-0x0000000009480000-0x0000000009525000-memory.dmp
memory/3620-44-0x0000000073E40000-0x000000007452E000-memory.dmp
memory/3620-45-0x0000000009650000-0x00000000096E4000-memory.dmp
memory/3620-238-0x00000000095F0000-0x000000000960A000-memory.dmp
memory/3620-243-0x00000000095E0000-0x00000000095E8000-memory.dmp
memory/3620-259-0x0000000073E40000-0x000000007452E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 1c817096184011a2343f7d77236078a7 |
| SHA1 | 046bef697e301067df418dbdf1b987d00d8a506f |
| SHA256 | f9c83b28eab1d0aa74f31bc67d2c456d9b84b67698b1d28d9f9abc03276beab4 |
| SHA512 | 050bb5b412af930f6b1ae3314523db418ab19fa30c736bf520aa9e5cc08a499468cf1aaa720e7a129bd1001056b33a86866028c85011824898de5cb5e20292b7 |
memory/4064-280-0x000000006FA90000-0x000000006FADB000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 68a741a1c96dc74f34293d1e9a2fbfd3 |
| SHA1 | a10f63555a7b3b4e4aba24343bdb476fa5fb03e1 |
| SHA256 | d6687c6045e3289ffd0ba7bf1338f480afd581888c048652c5ff909ae9f3c88d |
| SHA512 | afefebcb6de37ebc221615bf36f18e0cb93ffedfcd1ec8c0adb959a03701bf2472f16f9d5d29eb69f188a133ead60b6c485bfc5e7796fc63bb5fd293d9a48a91 |
memory/2288-514-0x000000006FA90000-0x000000006FADB000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 9fd2177fd268ea8f1eda721b1bd43958 |
| SHA1 | 1d0515045532f103bd0749ff735eb5b4259898c6 |
| SHA256 | 1f64588560d39ae672ae1e65a1422cbfa3215123aef48539e2e2adf496ab6454 |
| SHA512 | 4b2e655e86dcdcfb6d223929350e5ff8cfb60a17fa3b9d72dded4967a666017400a1231a79810b015b13ce1fa5b26b37e5c2de77026cf26a581db170516f7c33 |
memory/3640-748-0x000000006FA90000-0x000000006FADB000-memory.dmp
memory/4520-964-0x0000000073E4E000-0x0000000073E4F000-memory.dmp
memory/4520-965-0x0000000073E40000-0x000000007452E000-memory.dmp