Analysis Overview
SHA256
be8b784930db373c77c4af35def8dd62bab00b25e7980a2198e6292610074aa6
Threat Level: Known bad
The file install.bat was found to be: Known bad. Despite the .bat name the sample is an unsigned PE (see the static1 signatures), and the process trees below show it executing as install.exe.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-09 20:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-09 20:38
Reported
2024-06-09 20:38
Platform
win10v2004-20240226-en
Max time kernel
30s
Max time network
34s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\install.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service = "C:\\ProgramData\\Service.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4196 set thread context of 4100 | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
C:\Users\Admin\AppData\LocalefUjwRZZGA.exe
"C:\Users\Admin\AppData\LocalefUjwRZZGA.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Service" /tr "C:\ProgramData\Service.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | h2cker.ddns.net | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
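Most rows in this table are the sandbox resolving PTR records for addresses it saw, not behaviour of the sample; the indicators that matter are the ip-api.com lookup (the "Looks up external IP address" signature), the direct TCP connections, and the h2cker.ddns.net query, which has no matching connection within the 34-second network window. The following is an added example, not part of the report: a parser for this table that separates resolver noise from the sample's own DNS queries and connections. The rows are copied from the behavioral3 table (one of them with its Domain and Proto cells swapped, a shift extracted tables like this one sometimes carry); the dynamic-DNS suffix and IP-lookup service lists are assumptions used only for labelling.

```python
"""Separate the sample's own network indicators from sandbox resolver noise in the Network table above.

Added example, not part of the report. Rows are copied from the behavioral3 table;
DYNDNS_SUFFIXES and IP_LOOKUP_SERVICES are assumed lists used only for labelling.
"""

REPORT_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | h2cker.ddns.net | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
"""

DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".hopto.org", ".duckdns.org")  # assumed, extend as needed
IP_LOOKUP_SERVICES = {"ip-api.com", "api.ipify.org", "icanhazip.com"}          # assumed


def parse_rows(table):
    """Parse the pipe table into dicts, repairing a row whose Proto value slid into the Domain cell."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and not proto:
            domain, proto = "", domain
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Bucket rows into resolver noise, DNS queries made by the sample, and actual connections."""
    ptr_noise, queried, connections = 0, set(), set()
    for r in rows:
        host, _, port = r["dest"].rpartition(":")
        if port == "53" and r["proto"] == "udp":
            if r["domain"].endswith(".in-addr.arpa"):
                ptr_noise += 1        # sandbox resolving PTRs for peers it saw; not sample behaviour
            else:
                queried.add(r["domain"])
        else:
            connections.add((r["dest"], r["domain"], r["proto"]))
    contacted = {d for _, d, _ in connections if d}
    labels = {}
    for d in sorted(queried):
        if d in IP_LOOKUP_SERVICES:
            kind = "public IP lookup (victim geolocation)"
        elif d.endswith(DYNDNS_SUFFIXES):
            kind = "dynamic-DNS name, C2 candidate"
        else:
            kind = "resolved by sample"
        labels[d] = f"{kind}, contacted={d in contacted}"
    iocs = sorted(queried | {dest.rpartition(":")[0] for dest, _, _ in connections})
    return {"ptr_noise_rows": ptr_noise, "dns_queries": sorted(queried),
            "connections": sorted(connections), "labels": labels, "iocs": iocs}


if __name__ == "__main__":
    result = triage(parse_rows(REPORT_ROWS))
    print(f"{result['ptr_noise_rows']} PTR rows dropped as sandbox noise")
    for d, label in result["labels"].items():
        print(f"{d}: {label}")
    print("IoCs:", ", ".join(result["iocs"]))
```

Two caveats when acting on the output: ip-api.com and 8.8.8.8 are shared public services and belong in a hunt query, not a block list; and "contacted=False" for the dynamic-DNS name only says no connection landed inside this short capture, not that the name is inert.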
Files
memory/3672-0-0x00007FF894515000-0x00007FF894516000-memory.dmp
memory/3672-1-0x00007FF894260000-0x00007FF894C01000-memory.dmp
memory/3672-2-0x00007FF894260000-0x00007FF894C01000-memory.dmp
C:\Users\Admin\AppData\LocalefUjwRZZGA.exe
| MD5 | d0d7e34964fdf38d5465e5e3bad009fd |
| SHA1 | dd081d07172fd96326a810ca2f93fed0eed0e086 |
| SHA256 | 54f2e357163305a265fd3cbd6bc287c1338e691a4e6975e1e9631b0ebddb920a |
| SHA512 | b9e81cc19b7b539fd74540a616876586d73bcc24a92d4ac9ccb552a51056832a22497ab6ef23b48360213dd8beeebcdf5fcbcc5ef96d2e050b974f416d60b7ee |
C:\Users\Admin\AppData\LocalUMDWjUBbvf.exe
| MD5 | bd5ca3638a485637b6d24dbf73de9fe8 |
| SHA1 | afe95ea71ac7c16f0c12f44b20dde34d8eb8b0c3 |
| SHA256 | cbd4cd8faf323e43498462325d242d54b52b60550629491d118fbbc31fd64594 |
| SHA512 | 021f335e3f8ede8375fef50310a87ec54395f4392bbf95dec0cc2b7ef386ee3be6aae992fcae2236b5d25f2a4cadc2fb3333eda16dc6b1b8a65a937ebafb1884 |
memory/4196-21-0x00007FF891CD3000-0x00007FF891CD5000-memory.dmp
memory/4196-23-0x0000000000D90000-0x0000000000DBC000-memory.dmp
memory/4196-25-0x0000000002F10000-0x0000000002F1C000-memory.dmp
memory/3672-27-0x00007FF894260000-0x00007FF894C01000-memory.dmp
memory/4196-28-0x00007FF891CD0000-0x00007FF892791000-memory.dmp
memory/4196-31-0x00007FF891CD0000-0x00007FF892791000-memory.dmp
memory/4100-32-0x00000000003A0000-0x00000000003B0000-memory.dmp
memory/4100-33-0x0000000004C60000-0x0000000004CFC000-memory.dmp
memory/4100-34-0x0000000004D00000-0x0000000004D66000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-09 20:38
Reported
2024-06-09 20:38
Platform
win11-20240426-en
Max time kernel
28s
Max time network
16s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service = "C:\\ProgramData\\Service.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1664 set thread context of 4116 | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
C:\Users\Admin\AppData\LocalefUjwRZZGA.exe
"C:\Users\Admin\AppData\LocalefUjwRZZGA.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Service" /tr "C:\ProgramData\Service.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/4548-0-0x00007FFF1E285000-0x00007FFF1E286000-memory.dmp
memory/4548-1-0x00007FFF1DFD0000-0x00007FFF1E971000-memory.dmp
memory/4548-3-0x00007FFF1DFD0000-0x00007FFF1E971000-memory.dmp
C:\Users\Admin\AppData\LocalefUjwRZZGA.exe
| MD5 | d0d7e34964fdf38d5465e5e3bad009fd |
| SHA1 | dd081d07172fd96326a810ca2f93fed0eed0e086 |
| SHA256 | 54f2e357163305a265fd3cbd6bc287c1338e691a4e6975e1e9631b0ebddb920a |
| SHA512 | b9e81cc19b7b539fd74540a616876586d73bcc24a92d4ac9ccb552a51056832a22497ab6ef23b48360213dd8beeebcdf5fcbcc5ef96d2e050b974f416d60b7ee |
memory/1664-14-0x00007FFF1BBD3000-0x00007FFF1BBD5000-memory.dmp
memory/1664-15-0x0000000000340000-0x000000000036C000-memory.dmp
C:\Users\Admin\AppData\LocalUMDWjUBbvf.exe
| MD5 | bd5ca3638a485637b6d24dbf73de9fe8 |
| SHA1 | afe95ea71ac7c16f0c12f44b20dde34d8eb8b0c3 |
| SHA256 | cbd4cd8faf323e43498462325d242d54b52b60550629491d118fbbc31fd64594 |
| SHA512 | 021f335e3f8ede8375fef50310a87ec54395f4392bbf95dec0cc2b7ef386ee3be6aae992fcae2236b5d25f2a4cadc2fb3333eda16dc6b1b8a65a937ebafb1884 |
memory/1664-26-0x000000001AE20000-0x000000001AE2C000-memory.dmp
memory/4548-27-0x00007FFF1DFD0000-0x00007FFF1E971000-memory.dmp
memory/1664-28-0x00007FFF1BBD0000-0x00007FFF1C692000-memory.dmp
memory/4116-29-0x0000000000400000-0x0000000000410000-memory.dmp
memory/1664-31-0x00007FFF1BBD0000-0x00007FFF1C692000-memory.dmp
memory/4116-32-0x0000000004E90000-0x0000000004F2C000-memory.dmp
memory/4116-33-0x0000000004F30000-0x0000000004F96000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 20:38
Reported
2024-06-09 20:38
Platform
win10-20240404-en
Max time kernel
27s
Max time network
20s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4568 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe |
| PID 4568 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
C:\Users\Admin\AppData\LocalefUjwRZZGA.exe
"C:\Users\Admin\AppData\LocalefUjwRZZGA.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 66.43.201.23.in-addr.arpa | udp |
Files
memory/4568-0-0x00007FFA7F190000-0x00007FFA7F36B000-memory.dmp
memory/4568-1-0x00007FFA7F190000-0x00007FFA7F36B000-memory.dmp
memory/4568-2-0x00007FFA7F190000-0x00007FFA7F36B000-memory.dmp
C:\Users\Admin\AppData\LocalefUjwRZZGA.exe
| MD5 | d0d7e34964fdf38d5465e5e3bad009fd |
| SHA1 | dd081d07172fd96326a810ca2f93fed0eed0e086 |
| SHA256 | 54f2e357163305a265fd3cbd6bc287c1338e691a4e6975e1e9631b0ebddb920a |
| SHA512 | b9e81cc19b7b539fd74540a616876586d73bcc24a92d4ac9ccb552a51056832a22497ab6ef23b48360213dd8beeebcdf5fcbcc5ef96d2e050b974f416d60b7ee |
memory/3916-14-0x00007FFA7F190000-0x00007FFA7F36B000-memory.dmp
memory/4568-15-0x00007FFA7F190000-0x00007FFA7F36B000-memory.dmp
memory/3916-12-0x0000000000680000-0x00000000006AC000-memory.dmp
memory/3916-16-0x00000000026E0000-0x00000000026EC000-memory.dmp
memory/3916-17-0x00007FFA7F190000-0x00007FFA7F36B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 20:38
Reported
2024-06-09 20:38
Platform
win7-20240221-en
Max time kernel
23s
Max time network
16s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1912 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe |
| PID 1912 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe |
| PID 1912 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe |
| PID 2152 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | C:\Windows\system32\WerFault.exe |
| PID 2152 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | C:\Windows\system32\WerFault.exe |
| PID 2152 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\LocalefUjwRZZGA.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
C:\Users\Admin\AppData\LocalefUjwRZZGA.exe
"C:\Users\Admin\AppData\LocalefUjwRZZGA.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2152 -s 6852
Network
Files
memory/1912-0-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp
C:\Users\Admin\AppData\LocalefUjwRZZGA.exe
| MD5 | d0d7e34964fdf38d5465e5e3bad009fd |
| SHA1 | dd081d07172fd96326a810ca2f93fed0eed0e086 |
| SHA256 | 54f2e357163305a265fd3cbd6bc287c1338e691a4e6975e1e9631b0ebddb920a |
| SHA512 | b9e81cc19b7b539fd74540a616876586d73bcc24a92d4ac9ccb552a51056832a22497ab6ef23b48360213dd8beeebcdf5fcbcc5ef96d2e050b974f416d60b7ee |
memory/1912-9-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
memory/2152-10-0x000007FEF3833000-0x000007FEF3834000-memory.dmp
memory/2152-11-0x0000000000A90000-0x0000000000ABC000-memory.dmp
memory/2152-12-0x0000000000240000-0x000000000024C000-memory.dmp
memory/2152-13-0x000007FEF3833000-0x000007FEF3834000-memory.dmp