Analysis Overview
SHA256
21dcb388ee5eeb9ff54802794de0a765b7a4613d93dd6564694e88e48a75c798
Threat Level: Known bad
The file chrome.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Xworm family
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Drops startup file
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 14:51
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 14:51
Reported
2024-05-30 15:02
Platform
win10-20240404-en
Max time kernel
597s
Max time network
599s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk | C:\Users\Admin\AppData\Local\Temp\chrome.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk | C:\Users\Admin\AppData\Local\Temp\chrome.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\chrome | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\chrome" | C:\Users\Admin\AppData\Local\Temp\chrome.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\chrome'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "chrome" /tr "C:\Users\Admin\chrome"
C:\Users\Admin\chrome
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:16292 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| DE | 18.192.31.165:16292 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| DE | 3.125.209.94:16292 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16292 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.125.223.134:16292 | 0.tcp.eu.ngrok.io | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 94.209.125.3.in-addr.arpa | udp |
Files
memory/3780-0-0x0000000000340000-0x0000000000374000-memory.dmp
memory/3780-1-0x00007FF8AEEC0000-0x00007FF8AF09B000-memory.dmp
memory/3780-2-0x00007FF8AEEC0000-0x00007FF8AF09B000-memory.dmp
memory/192-7-0x00007FF8AEEC0000-0x00007FF8AF09B000-memory.dmp
memory/192-8-0x00007FF8AEEC0000-0x00007FF8AF09B000-memory.dmp
memory/192-9-0x00000291EA180000-0x00000291EA1A2000-memory.dmp
memory/192-12-0x00000291EA340000-0x00000291EA3B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nq1lgmhj.4se.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/192-51-0x00007FF8AEEC0000-0x00007FF8AF09B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62c8561f755430780a652d626c597227 |
| SHA1 | c30910319267f5bd2942d20334f29f8117788a2f |
| SHA256 | e2ef29f0c46e5e534cf2e39c70f9be50ba0fc248b009015c1d768a7892c6b75b |
| SHA512 | 12e52c18417f2b77db9d34f9b043cc962c3806ecf7ddd2f915280d173a0803e6a880cf5f6243bbd65cbe377a52d335f704d0b0cb38f48d2defe6752aaf72d3b8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 68a1eec0cc923c6e7d7b83422ffc08b4 |
| SHA1 | 4091f5622f97103d0501f220452699cdf329cb35 |
| SHA256 | 26e337536d5aaa4683bb85e317778d02954eb076a4898f8e8a1a38c0c70c423a |
| SHA512 | 42e55d34ad8e0a65e5f00ce26c9b0e6c914278c8d03cece7ddbb2fef0ee0a7c229547acd7ca9ed6e54df545c8f28b6b982c28b9b45eb0aff723bcd440ba91980 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9ab0d79b6ea2fb17b006c4c2c5c05084 |
| SHA1 | 238d7803bf6d67dfd6cb45d4c3f4a20a804f230a |
| SHA256 | 7ebbda07e65800a519800abfbbcafa1af50cff28db3674b0b2ae9361674fc156 |
| SHA512 | 4ffb6af87dbb9c102c062c95e843c25c97bf8f8d616863347d3d58f6eb7cfabe4aa2d848c3dfb421558aaeb0ea069820fe5f480f97e4576bcceb4324c830eb6b |
memory/3780-187-0x00007FF8AEEC0000-0x00007FF8AF09B000-memory.dmp
C:\Users\Admin\chrome
| MD5 | 2b26b084c03ef96db3cda61ec42b9780 |
| SHA1 | d285abb4911dbb747b8cc0fb61d90c424905d71f |
| SHA256 | 21dcb388ee5eeb9ff54802794de0a765b7a4613d93dd6564694e88e48a75c798 |
| SHA512 | 9fff7138ce7101c78e67e2f41181876b67d76c134757c61e151af5ffbca647b6fe965d60a41666f0dabf3508e0c43f6a56126c048ffc00bfe5909221732d2271 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.log
| MD5 | 16c5fce5f7230eea11598ec11ed42862 |
| SHA1 | 75392d4824706090f5e8907eee1059349c927600 |
| SHA256 | 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151 |
| SHA512 | 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc |