Analysis Overview
SHA256
bdb400432a963d7557a75735f5ece80ec87720f49d074bbfc9b29b67a454c0b8
Threat Level: Known bad
The file Minecraft.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
Drops startup file
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 19:11
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 19:11
Reported
2024-05-31 19:16
Platform
win10-20240404-en
Max time kernel
299s
Max time network
305s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtkAudUService64.lnk | C:\Users\Admin\AppData\Local\Temp\Minecraft.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtkAudUService64.lnk | C:\Users\Admin\AppData\Local\Temp\Minecraft.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\RtkAudUService64.exe | N/A |
| N/A | N/A | C:\ProgramData\RtkAudUService64.exe | N/A |
| N/A | N/A | C:\ProgramData\RtkAudUService64.exe | N/A |
| N/A | N/A | C:\ProgramData\RtkAudUService64.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Minecraft.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Minecraft.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RtkAudUService64.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RtkAudUService64" /tr "C:\ProgramData\RtkAudUService64.exe"
C:\ProgramData\RtkAudUService64.exe
C:\ProgramData\RtkAudUService64.exe
C:\ProgramData\RtkAudUService64.exe
C:\ProgramData\RtkAudUService64.exe
C:\ProgramData\RtkAudUService64.exe
C:\ProgramData\RtkAudUService64.exe
C:\ProgramData\RtkAudUService64.exe
C:\ProgramData\RtkAudUService64.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:14188 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 102.112.67.3.in-addr.arpa | udp |
| DE | 3.67.112.102:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:14188 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.64.4.198:14188 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 198.4.64.3.in-addr.arpa | udp |
| DE | 3.64.4.198:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.64.4.198:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.64.4.198:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.64.4.198:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.64.4.198:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.64.4.198:14188 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| DE | 3.64.4.198:14188 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 133.161.67.3.in-addr.arpa | udp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.127.181.115:14188 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 115.181.127.3.in-addr.arpa | udp |
| DE | 3.127.181.115:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.127.181.115:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.127.181.115:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.127.181.115:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.127.181.115:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.127.181.115:14188 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.161.133:14188 | 5.tcp.eu.ngrok.io | tcp |
Files
memory/616-0-0x00007FFC5D583000-0x00007FFC5D584000-memory.dmp
memory/616-1-0x0000000000580000-0x0000000000596000-memory.dmp
memory/616-2-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp
memory/5056-7-0x00000261D0990000-0x00000261D09B2000-memory.dmp
memory/5056-9-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp
memory/5056-11-0x00000261D0B40000-0x00000261D0BB6000-memory.dmp
memory/5056-12-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wneelje3.wwz.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/5056-21-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp
memory/5056-51-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fa2fd96a0cefb3443e3d5d36dcf49bdb |
| SHA1 | 62f89c94f6ef4b9f4cc1ffccf4b9e87e36d81755 |
| SHA256 | 9269962ccbd30f9caed70951584ae74b4a78fe7c949e7d6d174d80633dd16924 |
| SHA512 | 1e36cb55b41512329cf3cc33ed84f80bb6eccc94f015ec5ee84f1dbb604f9ea18d4bc7144f07a406d24e02974fc04cf51181884f9df3285fcd9e8a36d36b06b4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9d5826f0fcf664cbbf2da87246cf318e |
| SHA1 | 81218593b57ce77c2706629cd9d8390861568553 |
| SHA256 | d904bc72243cde76b6e9861ad64637ae98e52beddbcc3449b4358e0fdcdd9b0e |
| SHA512 | 7e3f5b112987278e1555c38f5dd5ceb712947d21bdea779081b26bee827b6e989454ac469639367bbcbe28d9d90f01492dcfb405e9d6202108e017b48d29149d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8c695b100350f61a836fe82019fe5f8 |
| SHA1 | 10a3ead9eca17c37a6133ae5ec771e07b19b49ef |
| SHA256 | 5f6a93dfa69caae1e126930d03bf0f0e2e339faed17cac038ef0454468ab4841 |
| SHA512 | 3e8f8716aefbc59924928ab9957e0df352d0e9ea6275011269b2915303281dadfab4155c517090da5825e5b80cac953448369bc0047ed5b0a759f2863b6d89dc |
memory/616-185-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp
C:\ProgramData\RtkAudUService64.exe
| MD5 | ebaf38949ddaf75042b5680707117745 |
| SHA1 | b1e45ef043bd2dbf4d2c3511bc3a8b742f4f237e |
| SHA256 | bdb400432a963d7557a75735f5ece80ec87720f49d074bbfc9b29b67a454c0b8 |
| SHA512 | 34997d945013294d4c3fa42dc0ad99435fd6848184cf4a2dcdfa35b2c1aa849f4d4d96267663c38c7a805548b92bba973cb28bcb136377b06335cad2695ab3c1 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RtkAudUService64.exe.log
| MD5 | 16c5fce5f7230eea11598ec11ed42862 |
| SHA1 | 75392d4824706090f5e8907eee1059349c927600 |
| SHA256 | 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151 |
| SHA512 | 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc |