Analysis Overview
SHA256
f4cbcc2254e8b74d272b7148322a08159d4e4293fa825cb7547e319fff13ca8d
Threat Level: Known bad
The file feather.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
AsyncRat
Detect Xworm Payload
Async RAT payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Drops startup file
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-30 16:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 16:09
Reported
2024-05-30 16:12
Platform
win11-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe" | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\feather.exe
"C:\Users\Admin\AppData\Local\Temp\feather.exe"
C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD12B.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| US | 8.8.8.8:53 | 19.ip.gl.ply.gg | udp |
| US | 147.185.221.19:38173 | 19.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp | |
| N/A | 127.0.0.1:38173 | tcp |
Files
memory/1568-0-0x00007FFAC46D3000-0x00007FFAC46D5000-memory.dmp
memory/1568-1-0x0000000000090000-0x00000000000C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Client.exe
| MD5 | f8ec02f0ad41f3e984037b398641f3bb |
| SHA1 | 88d64ad9840e65bcd5d27323a0fe2214d00d7346 |
| SHA256 | 12cdd3df8d582bc30a49c2b4f8cf96d522e0f01d64f2e7df17276dc89fdb1a75 |
| SHA512 | 31d177cceba0a3698f696c5daa0265ebe3fecf8a2a2934290e574789811a68c7313c1b0b40b1bae88666088c87fc9336941e10f26952a442c9cc3ca9637f5322 |
C:\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | 74fcef65a288af74b2a36dd6895264f8 |
| SHA1 | d5d73bb877f0aee6962f49c87603eec9d5b4846b |
| SHA256 | ed308d6d8768d98145916f4529e0b444058105f401acf1e01bdacadf39a637b1 |
| SHA512 | c342445070326c126ae5841cc88a3cdcd2ae6bd995a37903ca6cacb517dc3ed7ada4c9fb7c020ad814824d2a5a29fd909da895c40475aec5ec6499778e25772a |
memory/1756-26-0x0000000000AE0000-0x0000000000AFA000-memory.dmp
memory/1540-25-0x0000000000EA0000-0x0000000000EB8000-memory.dmp
memory/1540-28-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp
memory/1756-29-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp
memory/964-30-0x000002A3ACE20000-0x000002A3ACE42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xii14lyk.nwc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 05b3cd21c1ec02f04caba773186ee8d0 |
| SHA1 | 39e790bfe10abf55b74dfb3603df8fcf6b5e6edb |
| SHA256 | 911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8 |
| SHA512 | e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b26e5bedfb520c4c341b64a636b83fe1 |
| SHA1 | 991188792f4778e59ff166007bebc549107128dc |
| SHA256 | 34836bf15fe6bf8a0903f9065338c160ea03b4f26d1217dd0c294fec4a7feafb |
| SHA512 | b93c4eb59fffdc7ba829442156b5af536d4865362a2abecef717ed92612e2e14c10a702f25bb2a1ed0b43dcdbd2e62ef7bfdf6d435c21fc06873d9a4642efd7b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cef328ddb1ee8916e7a658919323edd8 |
| SHA1 | a676234d426917535e174f85eabe4ef8b88256a5 |
| SHA256 | a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90 |
| SHA512 | 747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb |
C:\Users\Admin\AppData\Local\Temp\tmpD12B.tmp.bat
| MD5 | 6028d5fd1b35b081ae6ab06df998a3b7 |
| SHA1 | dfb5de12aca5414adee65a09f0583270e9306f5c |
| SHA256 | 5f9ee0a2f5ef0e070d0ff48a2e51e7d4db6693de221e0332d884fa089592650b |
| SHA512 | 9a9ca4e9d6a9ebd45f5e1663064872a61b884dcb3b50c5f12d806e6b1d655c3b3e78ce1e3f04486dfea2c718bde99960d8caaf46cde2e4f7dfbf21b7cecf3c8e |
memory/1756-83-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp
memory/1540-84-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp