Analysis Overview
SHA256
421c75559f7b0eca701764dadc3ec9f580bb1bb2a8c9fb14f41bd0a5d00a6c30
Threat Level: Known bad
The file moonlightserver.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Xworm family
Detect Xworm Payload
Drops startup file
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-29 18:48
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 18:48
Reported
2024-05-29 18:52
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
140s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe
"C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | that-various.gl.at.ply.gg | udp |
| US | 147.185.221.18:11297 | that-various.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:11297 | N/A | tcp |
| N/A | 127.0.0.1:11297 | N/A | tcp |
| US | 8.8.8.8:53 | great-vacation.gl.at.ply.gg | udp |
| US | 147.185.221.19:11297 | great-vacation.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:11297 | N/A | tcp |
| N/A | 127.0.0.1:11297 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:11297 | great-vacation.gl.at.ply.gg | tcp |
| US | 147.185.221.19:11297 | great-vacation.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:11297 | N/A | tcp |
Files
memory/3652-0-0x00007FFA0F183000-0x00007FFA0F185000-memory.dmp
memory/3652-1-0x0000000000F10000-0x0000000000F30000-memory.dmp
memory/3652-6-0x00007FFA0F180000-0x00007FFA0FC41000-memory.dmp
memory/3652-7-0x00007FFA0F183000-0x00007FFA0F185000-memory.dmp
memory/3652-8-0x00007FFA0F180000-0x00007FFA0FC41000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 18:48
Reported
2024-05-29 18:52
Platform
win7-20240508-en
Max time kernel
143s
Max time network
125s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe
"C:\Users\Admin\AppData\Local\Temp\moonlightserver.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 127.0.0.1:11297 | N/A | tcp |
| N/A | 127.0.0.1:11297 | N/A | tcp |
| US | 8.8.8.8:53 | that-various.gl.at.ply.gg | udp |
| US | 147.185.221.18:11297 | that-various.gl.at.ply.gg | tcp |
| US | 147.185.221.18:11297 | that-various.gl.at.ply.gg | tcp |
| US | 147.185.221.18:11297 | that-various.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:11297 | N/A | tcp |
| US | 147.185.221.18:11297 | that-various.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:11297 | N/A | tcp |
Files
memory/1632-0-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp
memory/1632-1-0x0000000000AB0000-0x0000000000AD0000-memory.dmp
memory/1632-6-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
memory/1632-7-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp
memory/1632-8-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp