Analysis Overview
SHA256
1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2
Threat Level: Known bad
The file Obustro.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Xworm family
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Drops startup file
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Opens file in notepad (likely ransom note)
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 14:25
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 14:25
Reported
2024-05-30 14:43
Platform
win7-20231129-en
Max time kernel
1047s
Max time network
1044s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\detektivhuedblyat.lnk | C:\Users\Admin\AppData\Local\Temp\Obustro.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\detektivhuedblyat.lnk | C:\Users\Admin\AppData\Local\Temp\Obustro.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\detektivhuedblyat = "C:\\Users\\Admin\\AppData\\Roaming\\detektivhuedblyat.exe" | C:\Users\Admin\AppData\Local\Temp\Obustro.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
The file opened is C:\Users\Admin\AppData\Local\Temp\7zO837D19B9\version.txt, which the 7-Zip File Manager (7zFM.exe, launched on Obustro.exe during the run) extracted from the sample itself; the "ransom note" heuristic is a false positive here. XWorm is a remote access trojan, and no file-encryption or dropped-note artifacts appear elsewhere in this report.
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Obustro.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Obustro.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Obustro.exe
"C:\Users\Admin\AppData\Local\Temp\Obustro.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Obustro.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Obustro.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'detektivhuedblyat.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "detektivhuedblyat" /tr "C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {2DA570C6-BAC6-4F20-BA8C-40C4492ED7BA} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Local\Temp\Obustro.exe
"C:\Users\Admin\AppData\Local\Temp\Obustro.exe"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Obustro.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO837D19B9\version.txt
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
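Detection logic for the chain above (Defender exclusions via PowerShell, an every-minute scheduled task, the Run key, and the task engine re-launching the %APPDATA% copy), as an added example that is not part of the sandbox report or of the XWorm sample. The process-creation and registry records are constructed here from the command lines in the Processes section and the Run-key write in the Signatures section; the Sysmon-style field names (Image, ParentImage, CommandLine, TargetObject, Details), the rule names and the ATT&CK technique mapping are this example's assumptions.

```python
"""Rule-based detection over constructed telemetry for this report's execution chain.
Added example, not sandbox output: field names (Image, ParentImage, CommandLine,
TargetObject, Details), rule names and the ATT&CK mapping are assumptions."""
import re
from dataclasses import dataclass

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Obustro.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe"

# Process-creation records built from the command lines in the Processes section.
EXCLUSIONS = [f"-ExclusionPath '{DROPPER}'", "-ExclusionProcess 'Obustro.exe'",
              f"-ExclusionPath '{COPY}'", "-ExclusionProcess 'detektivhuedblyat.exe'"]
PROCESS_EVENTS = [
    {"Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{DROPPER}"'},
    *({"Image": PS, "ParentImage": DROPPER,
       "CommandLine": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference {arg}'} for arg in EXCLUSIONS),
    {"Image": SCHTASKS, "ParentImage": DROPPER, "CommandLine":
     f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "detektivhuedblyat" /tr "{COPY}"'},
    # On Windows 7 (the detonation platform) task actions are started by taskeng.exe;
    # on Windows 10 and later the parent is the Schedule service host (svchost.exe).
    {"Image": COPY, "ParentImage": r"C:\Windows\system32\taskeng.exe", "CommandLine": COPY},
]
# Registry-value-set record built from the "Adds Run key to start application" signature.
REGISTRY_EVENTS = [{"Image": DROPPER, "Details": COPY, "TargetObject":
                    r"HKU\S-1-5-21-3627615824-4061627003-3019543961-1000"
                    r"\Software\Microsoft\Windows\CurrentVersion\Run\detektivhuedblyat"}]


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID (mapping assumed for this example)
    rule: str
    image: str
    detail: str


USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.I)
MP_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|(\S+))", re.I)
TASK_INTERVAL = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
TASK_ACTION = re.compile(r'/tr\s+"([^"]+)"', re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_process(ev):
    """Findings for one process-creation record."""
    out = []
    image, parent, cmd = _base(ev["Image"]), ev["ParentImage"], ev["CommandLine"]
    if image == "powershell.exe":
        m = MP_EXCLUSION.search(cmd)
        if m:  # Impair Defenses: Defender exclusion for the dropper and its copy
            value = m.group(2) if m.group(2) is not None else m.group(3)
            out.append(Finding("T1562.001", "defender_exclusion_added", ev["Image"],
                               f"-Exclusion{m.group(1)} {value}"))
        if USER_WRITABLE.search(parent) and "-executionpolicy bypass" in cmd.lower():
            out.append(Finding("T1059.001", "powershell_bypass_from_user_writable_parent",
                               ev["Image"], parent))
    elif image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        interval, action = TASK_INTERVAL.search(cmd), TASK_ACTION.search(cmd)
        minutes = int(interval.group(1)) if interval else None
        # Re-launching a binary under AppData every few minutes is a persistence/watchdog pattern.
        if (minutes is not None and minutes <= 5) or (action and USER_WRITABLE.search(action.group(1))):
            target = action.group(1) if action else "?"
            elevated = "/rl highest" in cmd.lower()
            out.append(Finding("T1053.005", "scheduled_task_persistence", ev["Image"],
                               f"every {minutes} min, highest privileges={elevated}, runs {target}"))
    elif USER_WRITABLE.search(ev["Image"]) and _base(parent) == "taskeng.exe":
        out.append(Finding("T1053.005", "task_engine_runs_user_writable_binary", ev["Image"], parent))
    return out


def evaluate_registry(ev):
    """Findings for one registry-value-set record."""
    m = RUN_KEY.search(ev["TargetObject"])
    if m and USER_WRITABLE.search(ev["Details"]):
        return [Finding("T1547.001", "run_key_points_to_user_writable_path", ev["Image"],
                        f"{m.group(1)} = {ev['Details']}")]
    return []


def scan(process_events=PROCESS_EVENTS, registry_events=REGISTRY_EVENTS):
    """Run every rule over the telemetry and return the findings in event order."""
    findings = []
    for ev in process_events:
        findings.extend(evaluate_process(ev))
    for ev in registry_events:
        findings.extend(evaluate_registry(ev))
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"{f.technique:10} {f.rule:45} {f.detail}")
```

Run stand-alone it prints eleven findings: four Defender exclusions, four PowerShell launches with -ExecutionPolicy Bypass from a parent in %TEMP%, the every-minute task, the task engine starting the %APPDATA% copy, and the Run key. In the report's ordering the exclusions are added before the scheduled task is created, so the Add-MpPreference rule is the earliest high-signal event in the chain. The regexes are deliberately simple and translate directly to an EDR query language; the `\S+` branch of MP_EXCLUSION covers unquoted exclusion arguments, and the taskeng.exe parent check needs svchost.exe on Windows 10 and later.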
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ads-enabled.gl.at.ply.gg | udp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.ip.gl.ply.gg | udp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | ads-enabled.gl.at.ply.gg | udp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.ip.gl.ply.gg | udp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.ip.gl.ply.gg | udp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | ads-enabled.gl.at.ply.gg | udp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.ip.gl.ply.gg | udp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 147.185.221.19:45758 | 19.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | ads-enabled.gl.at.ply.gg | udp |
| US | 147.185.221.19:45758 | ads-enabled.gl.at.ply.gg | tcp |
The ply.gg hostnames are playit.gg tunnel endpoints, so 147.185.221.19:45758 is the tunnel relay rather than the operator's own host; hunt and block on the hostnames and the port rather than treating the IP alone as attacker infrastructure, since the same relay serves unrelated tunnels.
Files
memory/2372-0-0x000007FEF5533000-0x000007FEF5534000-memory.dmp
memory/2372-1-0x00000000002E0000-0x00000000002FA000-memory.dmp
memory/2816-6-0x0000000002CF0000-0x0000000002D70000-memory.dmp
memory/2816-7-0x000000001B730000-0x000000001BA12000-memory.dmp
memory/2816-8-0x00000000021D0000-0x00000000021D8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 087b56ce4122f1b75a1c92689cdabcc6 |
| SHA1 | 9ed5f2f135660b8abea8ccb78b14dce6e70e79ba |
| SHA256 | c1da1c32322504eee6650e34ea88fe878a9c4a301ed18ba523eb5630414e0665 |
| SHA512 | 5d94625eaa0bca4e08912e3f9f275d6464a20edfdd374730da7a6470662a7f1c56679c84ecf80723c33a885956e89cfc7cae0e810fa401120661e0ebe059eb46 |
memory/2608-14-0x000000001B810000-0x000000001BAF2000-memory.dmp
memory/2608-15-0x0000000001E10000-0x0000000001E18000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2372-32-0x00000000020D0000-0x0000000002150000-memory.dmp
memory/2372-33-0x000007FEF5533000-0x000007FEF5534000-memory.dmp
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
| MD5 | b107fbdbd7e5a97172b3974216a78886 |
| SHA1 | 410f9c227a901e2721fd4471e8a5069bd6af43da |
| SHA256 | 1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2 |
| SHA512 | b7485652c502a95a258d106166419dc3679e8a69906b7634dc440db9fa3db506a1c5597024fa0b275b556dbce55f51877bfef6d779817a0c83f51395bc734de6 |
The SHA256 is identical to the submitted file's SHA256 in the Analysis Overview: the sample copies itself unmodified into %APPDATA% and persists that copy, so one hash covers both the dropper and the persisted binary.
memory/1872-37-0x00000000000B0000-0x00000000000CA000-memory.dmp
memory/2232-58-0x0000000000C00000-0x0000000000C1A000-memory.dmp
memory/2832-79-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2832-80-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2832-81-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2832-82-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1868-84-0x00000000001F0000-0x000000000020A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO837D19B9\version.txt
| MD5 | 4230e1121100316a114c7aa4df304c71 |
| SHA1 | e4c18efed44d30877b31e7763adc815e68feab49 |
| SHA256 | bb01715aba0e2ea0f3dd325c92a36827eff8d6431754cafac54e51703f408283 |
| SHA512 | 42387317c908c07256390139dcc39d25786e6b305a3c1c50719133f3526c1deb78024a3a52ac731857f8a24a44952640dde1d063a3a7811e3f97e0ea3dc533ac |
memory/2680-101-0x0000000000DA0000-0x0000000000DBA000-memory.dmp
memory/1612-104-0x00000000003B0000-0x00000000003CA000-memory.dmp
memory/1056-106-0x0000000000E60000-0x0000000000E7A000-memory.dmp
memory/2252-108-0x00000000010D0000-0x00000000010EA000-memory.dmp
memory/2644-110-0x00000000011C0000-0x00000000011DA000-memory.dmp
memory/1524-112-0x0000000000050000-0x000000000006A000-memory.dmp
memory/2628-114-0x0000000000130000-0x000000000014A000-memory.dmp
memory/2752-116-0x0000000000DC0000-0x0000000000DDA000-memory.dmp
memory/1632-120-0x0000000001360000-0x000000000137A000-memory.dmp