Analysis Overview
SHA256
f38da3e39db37247e99bcbebfcd72a7ccc5811bbb1a7aef61ee310d15f7b1564
Threat Level: Known bad
The file hack.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm family
Xworm
Looks up external IP address via web service
Unsigned PE
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Analysis: static1
Detonation Overview
Reported
2024-05-31 17:31
Signatures
Detect Xworm Payload
Xworm family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 17:31
Reported
2024-05-31 17:34
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Signatures
Detect Xworm Payload
Xworm
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hack.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hack.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hack.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\hack.exe
"C:\Users\Admin\AppData\Local\Temp\hack.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | glass-coffee.gl.at.ply.gg | udp |
| US | 147.185.221.20:5417 | glass-coffee.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files