Analysis Overview
SHA256
78245f94d0b369843b5aa7d56936ffb1b035bb16a4df863cabdaf3f986081afa
Threat Level: Known bad
The file Stand.Launchpad.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 20:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 20:27
Reported
2024-05-31 20:30
Platform
win11-20240426-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\conhost.exe | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe
"C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"
C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe
"C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"
C:\Users\Admin\AppData\Roaming\conhost.exe
"C:\Users\Admin\AppData\Roaming\conhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | stand.gg | udp |
| US | 172.67.188.90:443 | stand.gg | tcp |
| US | 172.67.188.90:443 | stand.gg | tcp |
| US | 8.8.8.8:53 | 50.43.39.5.in-addr.arpa | udp |
| FR | 5.39.43.50:7110 | testarosa.duckdns.org | tcp |
| FR | 5.39.43.50:7110 | testarosa.duckdns.org | tcp |
| US | 52.111.229.43:443 | | tcp |
Files
memory/2164-0-0x00007FFF244F3000-0x00007FFF244F5000-memory.dmp
memory/2164-1-0x0000000000BE0000-0x0000000000C08000-memory.dmp
C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe
| MD5 | 9c6b82e8191fe81dc873b9aa936eafe3 |
| SHA1 | fe0813eabfcd7f6c0c62ef01a327b0f1e222119f |
| SHA256 | 87403d832ec357593e22d9fe211daa9f22964b3ecc59cd68a312fe3b8bc9f556 |
| SHA512 | d122c04a250f285521fce7c12f6dc2971ad0e7f24c60350b99a128e96160c6da06834303ad9a485be833165752265e083c747c656bc62d854b2be4c41e89edec |
C:\Users\Admin\AppData\Roaming\conhost.exe
| MD5 | b37dd1a1f0507baf993471ae1b7a314c |
| SHA1 | 9aff9d71492ffff8d51f8e8d67f5770755899882 |
| SHA256 | e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc |
| SHA512 | ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460 |
memory/720-25-0x0000000000B00000-0x0000000000B10000-memory.dmp
memory/4900-26-0x000001A8B6A20000-0x000001A8B6A36000-memory.dmp
memory/4900-27-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp
memory/720-28-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0b110cz4.11q.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4304-34-0x00000151A2580000-0x00000151A25A2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d0a4a3b9a52b8fe3b019f6cd0ef3dad6 |
| SHA1 | fed70ce7834c3b97edbd078eccda1e5effa527cd |
| SHA256 | 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31 |
| SHA512 | 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e07eea85a8893f23fb814cf4b3ed974c |
| SHA1 | 8a8125b2890bbddbfc3531d0ee4393dbbf5936fe |
| SHA256 | 83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea |
| SHA512 | 9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 80b42fe4c6cf64624e6c31e5d7f2d3b3 |
| SHA1 | 1f93e7dd83b86cb900810b7e3e43797868bf7d93 |
| SHA256 | ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d |
| SHA512 | 83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573 |
memory/4900-76-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp
memory/720-77-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp
memory/720-80-0x000000001CB10000-0x000000001CBC0000-memory.dmp
C:\Users\Admin\AppData\Local\Calamity,_Inc\Stand.Launchpad.exe_Url_rxanxxbu4srmj115yvji3p4n1zoatvms\1.9.0.0\user.config
| MD5 | b4ae24f20e59e454d57443d663a7581e |
| SHA1 | 68ab33e7fcea8bf79d76728fc49338d0d10a12f6 |
| SHA256 | 8409dd0aa292b3bf50903a7ca1a1a0d6697d5c7b0ed3d1c5e43ebdf6f82db074 |
| SHA512 | 25a7cbc382609d298ecaedea567231ac6ba0856bc523550912fd7b8393a29664ad68e9490dff0ff25b18b7a018476798c4df1000ebc99174bb6f2d5604e383f5 |
C:\Users\Admin\AppData\Local\Calamity,_Inc\Stand.Launchpad.exe_Url_rxanxxbu4srmj115yvji3p4n1zoatvms\1.9.0.0\ib4g2chl.newcfg
| MD5 | 4914bef93f236a5cb24b4c07e9d4a98a |
| SHA1 | b53f8fb945a449dd8a76d4412c5439b29b929b9e |
| SHA256 | 0abb6c072277956c8e3d6810dc9d9795544098f46a1fc79ab2e39c3f70d84a5a |
| SHA512 | 3242dbf1f58263ab1409d558b5ba1846e235da17246f1abbab768ec1ed449367e30c6d17d4986aa117c42ea225e87ff2c438d46765f1b5841e3a5b9b571ccb10 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Stand.Launchpad.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
memory/4900-96-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp
memory/720-97-0x000000001D2F0000-0x000000001D818000-memory.dmp