Analysis Overview
SHA256
e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc
Threat Level: Known bad
The submitted file conhost.exe was found to be: Known bad. It ran from C:\Users\Admin\AppData\Local\Temp\, not from C:\Windows\System32\ where the legitimate console host lives, and the file it dropped at C:\Users\Admin\AppData\Roaming\Ondrive.exe carries the same SHA256 as the submission, so the sample copies itself to a user-writable location before installing persistence.
Malicious Activity Summary
Xworm family
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 10:14
Signatures
Detect Xworm Payload
Xworm family
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 10:14
Reported
2024-06-01 10:17
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\conhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\conhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.0.2020348778\303117309" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3aeeaf0c-184c-46db-84a1-7dee37f53022} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 1864 28e9672c158 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.1.593521344\1436880216" -parentBuildID 20230214051806 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60bf3140-3dc6-4955-a783-8980b8de3ba9} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 2432 28e89a86258 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.2.2070281137\181182439" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2880 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8939ee76-6b95-490a-9729-e58f402955ac} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 3168 28e95690358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.3.717078698\27157595" -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f6d74f1-1609-4bf1-8704-c7a781f5048a} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 3708 28e9b3e1258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.4.1347696530\299796411" -childID 3 -isForBrowser -prefsHandle 5180 -prefMapHandle 5164 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d995cb4-4ecd-4567-a2f4-b92c40af55f3} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 5188 28e9bfafc58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.5.1490466236\1297066467" -childID 4 -isForBrowser -prefsHandle 5416 -prefMapHandle 5412 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af61cd1b-b9bb-418d-b7db-e55f7cc61bd4} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 5424 28e9d86fa58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.6.652684906\769858026" -childID 5 -isForBrowser -prefsHandle 5560 -prefMapHandle 5564 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ced5cbb-2345-4c1c-9558-472ecad0c9cb} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 5552 28e9d871258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.7.1129585626\526703874" -childID 6 -isForBrowser -prefsHandle 5604 -prefMapHandle 5440 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1819b832-22b1-4d36-920a-6a9221488a78} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 5600 28e9bea0458 tab
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
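The command lines above, repeated verbatim in the behavioral1 run below, are the detection surface a defender gets before the C2 beacon: four PowerShell invocations that add Defender path and process exclusions for the dropper and its %APPDATA% copy, a schtasks /create that reruns the copy every minute at run level HIGHEST, and a binary named conhost.exe executing from %TEMP% rather than System32. The Python below is an added example (not code from the report, the sandbox or the sample) that turns those three observations into checks and runs them over constructed image|command_line records built from the list above, plus one constructed benign conhost.exe launch so the masquerade check has a negative case. The record layout, the user-writable-directory list and the system-binary name list are assumptions of the example.

```python
"""Added example (not from the report, the sandbox or the sample): turn the
"Processes" command lines into detections. Records are image|command_line,
constructed from the report plus one constructed benign conhost.exe launch."""
import ntpath
import re
import shlex

SAMPLE_EVENTS = r"""
C:\Users\Admin\AppData\Local\Temp\conhost.exe|"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
C:\Windows\System32\schtasks.exe|"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
C:\Users\Admin\AppData\Roaming\Ondrive.exe|C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Windows\System32\conhost.exe|\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""

# Add-MpPreference with any of Defender's four exclusion kinds; value quoted either way or bare.
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+"
                          r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
_KINDS = {"path": "Path", "process": "Process", "extension": "Extension", "ipaddress": "IpAddress"}
# Assumed list of user-writable directories; a task action here is usually persistence, not admin.
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|programdata|users\\public|downloads)\\", re.IGNORECASE)
# Assumed list of Windows binary names malware borrows, and the only directories the real ones live in.
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "dllhost.exe", "rundll32.exe",
                   "smss.exe", "winlogon.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}


def _unquote(token):
    return token[1:-1] if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'" else token


def defender_exclusion(cmd):
    """Return (kind, value) when the command line adds a Defender exclusion, else None."""
    m = EXCLUSION_RE.search(cmd)
    return (_KINDS[m.group(1).lower()], m.group(2) or m.group(3) or m.group(4)) if m else None


def scheduled_task_risk(cmd):
    """Parse `schtasks /create`; return (options, reasons) or None for any other command."""
    try:
        tokens = [_unquote(t) for t in shlex.split(cmd, posix=False)]
    except ValueError:  # unbalanced quotes in a mangled log line
        return None
    if not tokens or ntpath.basename(tokens[0]).lower() != "schtasks.exe":
        return None
    opts, i = {}, 1
    while i < len(tokens):  # "/switch value" pairs; a switch followed by another switch is a flag
        if tokens[i].startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[tokens[i].lower()] = tokens[i + 1]
            i += 2
        else:
            opts[tokens[i].lower()] = True
            i += 1
    if "/create" not in opts:
        return None
    reasons, action, interval = [], str(opts.get("/tr", "")), str(opts.get("/mo", "1"))
    if USER_WRITABLE_RE.search(action):
        reasons.append(f"action in user-writable path: {action}")
    if str(opts.get("/sc", "")).lower() == "minute" and interval.isdigit() and int(interval) <= 5:
        reasons.append(f"runs every {interval} minute(s)")
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("requests highest run level")
    return opts, reasons


def masquerades_as_system_binary(image):
    """True when a well-known Windows binary name runs from outside its home directory."""
    name = ntpath.basename(image).lower()
    if name not in SYSTEM_BINARIES:
        return False
    directory = ntpath.dirname(image).lower()
    if directory.startswith("\\??\\"):  # NT object-manager prefix seen in some logs
        directory = directory[4:]
    return directory.rstrip("\\") not in SYSTEM_DIRS  # exact match, so C:\Windows\Temp does not pass


def analyze(events):
    """Run the three checks over image|command_line records; return (rule, image, detail) tuples."""
    findings = []
    for line in events.strip().splitlines():
        image, _, cmd = line.partition("|")
        excl = defender_exclusion(cmd)
        if excl:
            findings.append(("defender_exclusion", image, f"{excl[0]}={excl[1]}"))
        task = scheduled_task_risk(cmd)
        if task and task[1]:
            findings.append(("scheduled_task", image, "; ".join(task[1])))
        if masquerades_as_system_binary(image):
            findings.append(("system_binary_masquerade", image, ntpath.basename(image)))
    return findings


if __name__ == "__main__":
    for rule, image, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:25} {image}\n{'':25} {detail}")
```

The three checks are kept independent on purpose: the exclusion rule fires on any -Exclusion* kind regardless of quoting, the task rule scores the action path, the interval and the run level separately so a task with only one of the traits still surfaces, and the masquerade rule compares the parent directory exactly rather than by prefix. On a live host the same exclusions are visible through Get-MpPreference (ExclusionPath and ExclusionProcess) and as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, and the task through schtasks /query /tn Ondrive /v.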
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | testarosa.duckdns.org | udp |
| FR | 5.39.43.50:7110 | testarosa.duckdns.org | tcp |
| US | 8.8.8.8:53 | 50.43.39.5.in-addr.arpa | udp |
| FR | 5.39.43.50:7110 | testarosa.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:63163 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 44.237.98.207:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | 207.98.237.44.in-addr.arpa | udp |
| N/A | 127.0.0.1:63170 | N/A | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
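Most rows in the table above are noise for this triage: reverse (in-addr.arpa) lookups the OS performs for addresses it sees, Firefox and Pocket telemetry, Google and Bing. The malware-relevant rows are the lookup of testarosa.duckdns.org and the two TCP connections to 5.39.43.50:7110; the same two rows are the entire Network section of the behavioral1 run below. The Python below is an added example, not part of the report: it parses rows in the table's own format, separates PTR lookups, forward lookups and connections, and scores each connection for a dynamic-DNS hostname, a non-standard port and repeated contact with the same endpoint. The rows embedded in it are a subset copied from the table; the dynamic-DNS suffix list and the first-party allowlist are analyst assumptions, not something the report states.

```python
"""Added example (not from the report): triage the "Network" table into C2
candidates versus browser and sandbox noise. Rows are a subset copied from
the table; the allowlist and dynamic-DNS suffixes are analyst assumptions."""
import re
from collections import Counter, defaultdict

NETWORK_ROWS = """
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | testarosa.duckdns.org | udp |
| FR | 5.39.43.50:7110 | testarosa.duckdns.org | tcp |
| US | 8.8.8.8:53 | 50.43.39.5.in-addr.arpa | udp |
| FR | 5.39.43.50:7110 | testarosa.duckdns.org | tcp |
| N/A | 127.0.0.1:63163 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

# Free dynamic-DNS providers (assumed starting list): RAT operators favour them because the
# hostname survives a change of C2 server, so alert on the suffix as well as the IP.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "no-ip.org", "ddns.net", "hopto.org", "zapto.org", "dynu.com")
# First-party browser and search traffic present in this sandbox image (assumed allowlist).
BENIGN_SUFFIXES = ("mozilla.com", "mozilla.net", "mozgcp.net", "mozaws.net", "getpocket.com",
                   "google.com", "bing.net")
COMMON_PORTS = {53, 80, 123, 443}
ROW_RE = re.compile(r"^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<ip>[^|:\s]+):(?P<port>\d+)\s*\|"
                    r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>tcp|udp)\s*\|$")


def _has_suffix(domain, suffixes):
    """Label-aware suffix match: 'notduckdns.org' must not match 'duckdns.org'."""
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in suffixes)


def parse_rows(text):
    """Parse the report's '| CC | ip:port | domain | proto |' rows; skip anything malformed."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "port": int(m.group("port"))})
    return rows


def triage(text):
    """Split rows into PTR noise, forward DNS lookups and connections, then score the connections."""
    ptr_queries, dns_queries, connections = 0, Counter(), defaultdict(list)
    for r in parse_rows(text):
        if r["port"] == 53 and r["proto"] == "udp":
            if r["domain"].lower().endswith(".in-addr.arpa"):
                ptr_queries += 1          # reverse lookups the OS makes for any address it sees
            else:
                dns_queries[r["domain"].lower()] += 1
        elif r["ip"].startswith("127."):
            continue                      # loopback (browser IPC), not network activity
        else:
            connections[(r["domain"].lower(), r["ip"], r["port"], r["proto"])].append(r["cc"])
    findings = []
    for (domain, ip, port, proto), ccs in connections.items():
        if _has_suffix(domain, BENIGN_SUFFIXES) and port in COMMON_PORTS:
            continue                      # allowlisted first-party traffic on a standard port
        reasons = []
        if _has_suffix(domain, DYNAMIC_DNS_SUFFIXES):
            reasons.append("dynamic DNS host")
        if port not in COMMON_PORTS:
            reasons.append(f"non-standard port {port}/{proto}")
        if len(ccs) > 1:
            reasons.append(f"{len(ccs)} connections to the same endpoint")
        if reasons:
            findings.append({"domain": domain, "endpoint": f"{ip}:{port}", "proto": proto,
                             "country": ccs[0], "connections": len(ccs), "reasons": reasons})
    return {"ptr_queries": ptr_queries, "dns_queries": dict(dns_queries), "findings": findings}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(f"{result['ptr_queries']} PTR lookups, {len(result['dns_queries'])} forward lookups")
    for f in result["findings"]:
        print(f"{f['domain']} -> {f['endpoint']}/{f['proto']} ({f['country']}): {', '.join(f['reasons'])}")
```

Keying the indicator on the duckdns.org hostname and on port 7110 rather than on 5.39.43.50 alone matters because a dynamic-DNS name can be repointed at a new server without any change to the sample; the allowlist is applied only to connections on standard ports, so first-party domains reached on an odd port would still surface.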
Files
memory/4904-0-0x00007FF8010B3000-0x00007FF8010B5000-memory.dmp
memory/4904-1-0x0000000000C50000-0x0000000000C60000-memory.dmp
memory/1692-2-0x0000012BBC560000-0x0000012BBC582000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zkpzn0ff.lep.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1692-12-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp
memory/1692-13-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp
memory/1692-14-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp
memory/1692-15-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp
memory/1692-18-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 19e1e2a79d89d1a806d9f998551c82a8 |
| SHA1 | 3ea8c6b09bcaa874efc3a220f6f61eed4be85ebd |
| SHA256 | 210f353fbdf0ed0f95aec9d76a455c1e92f96000551a875c5de55cfa712f4adc |
| SHA512 | da427ad972596f8f795ae978337e943cb07f9c5a2ed1c8d1f1cad27c07dcec2f4d4ffe9424db2b90fcba3c2f301524f52931a863efae38fca2bef1def53567b8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 38a2262fb16df934106a14acb53aaeb0 |
| SHA1 | 44995f3ecfeef1136485135b0818ae7b6a11fee3 |
| SHA256 | 3f1f739bf5742b5962a330560d14b95ebdbdf8c4704e5852a4deddc01fce5dc1 |
| SHA512 | 43dccc1860a4dc260f5aa0fa1fcb3723836a7459e69649ce6482c8f360a8a0b674f0e461d2f82f437104c13e1e96c2d7806d72016162361a440ac59ccd9090d4 |
memory/4904-54-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp
memory/4904-55-0x00007FF8010B3000-0x00007FF8010B5000-memory.dmp
memory/4904-56-0x000000001C3B0000-0x000000001C3BC000-memory.dmp
memory/4904-57-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp
C:\Users\Admin\AppData\Roaming\Ondrive.exe
| MD5 | b37dd1a1f0507baf993471ae1b7a314c |
| SHA1 | 9aff9d71492ffff8d51f8e8d67f5770755899882 |
| SHA256 | e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc |
| SHA512 | ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | bd0f932d8a40768fa3ceebf3701a35d8 |
| SHA1 | cb325ba8e757ff1bacd14edc356f6a14b49377d5 |
| SHA256 | 87c3e4e107d618c3a1c89befd0b330b3807e038c8e8d157e43dfad0aba9097a0 |
| SHA512 | e819eea0baad8e3cd42ae1673e0bf62ae4598824d0323c20ac9a3d85ff6c872a04c58f44e0247979dadbcb4b3357400cdc0dac1e5e61da7b2fa78f3f3bf012a6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js
| MD5 | 3bf4cfd2391291b9c01dbe3d3b50e9cc |
| SHA1 | 152a9f21b95ade3129bf2e2597b8f88812ef6090 |
| SHA256 | 00811db6f4d5277bf721af2e2cd4357c8e2d6aa513d8acfd687ad7bd721a85a7 |
| SHA512 | bb1576527515dc9c1043c606e6895a331c5aaeb75a84f73e9c1bc60772ac89fc8f73b3fc6d098c8f77aa7d033743b75536d616c1accd75d488e5eda1ca0b6a90 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js
| MD5 | 1bf59f558128813b30d41f533ba6311e |
| SHA1 | 9a97ab0278d9b4cd253a2c0a51ddcdeff743be76 |
| SHA256 | 93fe7921817ad9737aad5be895a6cd0d9091e62665f8ecee4ca80d234493072f |
| SHA512 | 7afac295435f075571bd36ea987a0eda63729e92cfc7b8582ae4227038b3a2c6334e3956be5212ffd511c6254b24082be3a1ecce9692d881e624a72e50e630f8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 4f1bac6f37b423f8017399fc9ee7ca3b |
| SHA1 | 2e50e7c43fc77cc4e056113d768075bee4d42244 |
| SHA256 | 9ca2bd7cb629dfce7ea18fed21176235d76297f013a1d5192b50dcbea4253990 |
| SHA512 | c8bd7c8b9e2adfda8600c7eb06a45539e882ac284b11a9245d6568d02b62a34fccba255532be4b317e5a86d83393f231ce1bdb9d52dc1bd2134f11747ed22bef |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Ondrive.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js
| MD5 | 35e830677bffb0ab374d91c22025ae31 |
| SHA1 | ab8f57dab88a32c259fe594e2b9cbf60bc0c7626 |
| SHA256 | 22d1d35b6722ce15049c17565b675c3e3ebce1c68d5c602dc65d44509c06e2d9 |
| SHA512 | 2f64adccd8e52033b88409ec056a24d08fb948c50ef8ec1fec4bb51120cd4cc0d520eb87bf8823edbe0c7f93c0f36370d391cd007aa5db396c9f9450533b3eb0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 09fd910cf12abc1af3aba2e56052c2ab |
| SHA1 | ac755cbfebcb42926f1a359e2c9905e7e2e4f3d3 |
| SHA256 | efbb44e3277dca537b1abb106a07ff0d2630d1a5c8ebb0c850b8f7d24438d7a2 |
| SHA512 | 316ac32b7afebe8045080ed7c7c9e20895e6b6d7a20b6b6bc196a3805da3836262b14b70a143683c88548548659e4c0f60f8a6eccb4d14385b409c128afadff2 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\cache2\entries\F418EE6A69EE0D4BEE92A028326F7F1CAA0585F3
| MD5 | 409a1bbfe03fbb9ec2feda488767cd98 |
| SHA1 | 111399e29072150ca32e898ff4fa6ded26807bc3 |
| SHA256 | 622ed601abbcf80be154570f4eb9ca735432ff9fac5b5a237cb1baba58b0d7d6 |
| SHA512 | d106b35d68515c9d1c25c9fa5716313767e85ceb261ce211ef506241893a050b112c07369adb812d84910b9dc37b87e6d205958acd90e79c0fa5c01d947ce05d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e45ee337f53373225f47147186eccd42 |
| SHA1 | d2aa53b511dc351b5f64ec7f5923098052641c4b |
| SHA256 | 1eb55951f0eea8e5531fdd1057309ca8fb64fb446b948262793e40e2d25ab911 |
| SHA512 | cd5f027a0a8d30dc146e58a1010d64967337054e1aa429e877798a90e03beefa88d3cab4d6a66fa25c065d0912422bbe9446253f81f17e9b32a120534a5810c8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | d3de7c9624807dec94d9471e735dcae5 |
| SHA1 | 56e149a5b090eff57b556e379fec325e49a860e8 |
| SHA256 | 55474f86bba16b74ff531e952ab41a66d5664b4ac373fcdb4933ab7aca80d581 |
| SHA512 | 498a88196f74f55e78a0a0c08b2becc6a42709d4fc12e04500deeb4713a1a2b431fc360bc9ae403df6fe2f31ff47da12117a58be1211f48e7930f6939b10dc27 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e8d222b06c6f2351bc4615c26e823c37 |
| SHA1 | fff61ecf874f3920a8de18271fe76d8830715692 |
| SHA256 | 2d56b536e13cb2143292837588413816b232cce7007a24c7e433606f7f651312 |
| SHA512 | ee636cf1ef59b5c35b4ac8597d85007e53d9f7a55fb363fec62de01d7d84def3c38b1c905fa4e362f59ba6f50b2f78ec5bea735cde941ea404b7a5140c4e5fcd |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 10:14
Reported
2024-06-01 10:17
Platform
win7-20240221-en
Max time kernel
118s
Max time network
143s
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\conhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {37B22A7A-4312-468E-8C62-0F5D4A895A66} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | testarosa.duckdns.org | udp |
| FR | 5.39.43.50:7110 | testarosa.duckdns.org | tcp |
Files
memory/2088-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp
memory/2088-1-0x0000000000A40000-0x0000000000A50000-memory.dmp
memory/3048-6-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/3048-7-0x000000001B6B0000-0x000000001B992000-memory.dmp
memory/3048-8-0x0000000002240000-0x0000000002248000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 41b34670946ae8bfed5c67c30d13cc70 |
| SHA1 | 08d6a16674358ee2ea75fbf493bc49d6f81e3b0f |
| SHA256 | 4c375f4d6acb58887ce842163c40d344576f7ba361205c081f9b431ddd6a1530 |
| SHA512 | cc3921da3423734b69fef748f0d2cde703b68a94faedb88a79eeb2c1c4616d514ae5ac52d6a573b020ea27a1da3ad3a78d66673b2525f864d3c18c98718333d1 |
memory/2688-15-0x0000000001DC0000-0x0000000001DC8000-memory.dmp
memory/2688-14-0x000000001B840000-0x000000001BB22000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2088-28-0x000000001B320000-0x000000001B3A0000-memory.dmp
memory/2088-29-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp
C:\Users\Admin\AppData\Roaming\Ondrive.exe
| MD5 | b37dd1a1f0507baf993471ae1b7a314c |
| SHA1 | 9aff9d71492ffff8d51f8e8d67f5770755899882 |
| SHA256 | e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc |
| SHA512 | ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460 |
memory/2784-33-0x0000000000F70000-0x0000000000F80000-memory.dmp
memory/1344-35-0x0000000000FA0000-0x0000000000FB0000-memory.dmp