Analysis Overview
SHA256
f38da3e39db37247e99bcbebfcd72a7ccc5811bbb1a7aef61ee310d15f7b1564
Threat Level: Known bad
The file Способ для робуксов.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Xworm
Detect Xworm Payload
Looks up external IP address via web service
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-31 19:17
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 19:17
Reported
2024-05-31 19:20
Platform
win11-20240419-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe
"C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 147.185.221.20:5417 | glass-coffee.gl.at.ply.gg | tcp |
| US | 147.185.221.20:5417 | glass-coffee.gl.at.ply.gg | tcp |
| US | 147.185.221.20:5417 | glass-coffee.gl.at.ply.gg | tcp |
Files
memory/3244-0-0x00007FFE59E73000-0x00007FFE59E75000-memory.dmp
memory/3244-1-0x0000000000780000-0x00000000007AC000-memory.dmp
memory/3244-2-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp
memory/3244-3-0x00007FFE59E73000-0x00007FFE59E75000-memory.dmp
memory/3244-4-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp
memory/3244-5-0x000000001B350000-0x000000001B35C000-memory.dmp
memory/3244-6-0x000000001B6E0000-0x000000001B76E000-memory.dmp