Analysis Overview
SHA256
41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0
Threat Level: Known bad
The file 41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0 was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Detects Windows executables referencing non-Windows User-Agents
Modifies Windows Firewall
Drops startup file
Adds Run key to start application
Drops autorun.inf file
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-10 11:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 11:27
Reported
2024-06-10 11:30
Platform
win7-20240508-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05333d62df5dcf1b7c291de0564cff1d.exe | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05333d62df5dcf1b7c291de0564cff1d.exe | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\05333d62df5dcf1b7c291de0564cff1d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe\" .." | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\05333d62df5dcf1b7c291de0564cff1d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe\" .." | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
| File created | D:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe
"C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe"
C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe" "41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe" ENABLE
C:\Windows\system32\taskkill.exe
taskkill /F /IM Exsample.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | asthbalhacker.ddns.net | udp |
| SA | 94.96.159.189:4444 | asthbalhacker.ddns.net | tcp |
| US | 8.8.8.8:53 | adult-purchased.gl.at.ply.gg | udp |
| US | 147.185.221.16:13795 | adult-purchased.gl.at.ply.gg | tcp |
| SA | 94.96.159.189:4444 | asthbalhacker.ddns.net | tcp |
| US | 147.185.221.16:13795 | adult-purchased.gl.at.ply.gg | tcp |
| SA | 94.96.159.189:4444 | asthbalhacker.ddns.net | tcp |
| US | 147.185.221.16:13795 | adult-purchased.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | asthbalhacker.ddns.net | udp |
| SA | 94.96.159.189:4444 | asthbalhacker.ddns.net | tcp |
| US | 147.185.221.16:13795 | adult-purchased.gl.at.ply.gg | tcp |
| SA | 94.96.159.189:4444 | asthbalhacker.ddns.net | tcp |
| US | 147.185.221.16:13795 | adult-purchased.gl.at.ply.gg | tcp |
| SA | 94.96.159.189:4444 | asthbalhacker.ddns.net | tcp |
Files
memory/2932-0-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp
memory/2932-1-0x0000000000020000-0x000000000008C000-memory.dmp
memory/2932-3-0x00000000002C0000-0x00000000002E4000-memory.dmp
memory/2932-2-0x00000000002E0000-0x00000000002EE000-memory.dmp
memory/2932-4-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
F:\svchost.exe
| Hash | Value |
| --- | --- |
| MD5 | 17e29d4867a27fa612e1d02715a2b7c2 |
| SHA1 | 2a59279845ccff829f193d884bb73d3248131974 |
| SHA256 | 41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0 |
| SHA512 | 7549f12d1663a422612980e5a42670b806e25a25cad06c8712c1a0f785e9dccfc11300901ac5888be9d49a33c21cfb6a94b03be469d9d709fff027314a0ec037 |
memory/2932-14-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp
memory/2932-15-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 11:27
Reported
2024-06-10 11:31
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05333d62df5dcf1b7c291de0564cff1d.exe | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05333d62df5dcf1b7c291de0564cff1d.exe | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\05333d62df5dcf1b7c291de0564cff1d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe\" .." | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\05333d62df5dcf1b7c291de0564cff1d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe\" .." | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
| File created | D:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3204 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | C:\Windows\SYSTEM32\netsh.exe |
| PID 3204 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | C:\Windows\SYSTEM32\netsh.exe |
| PID 3204 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | C:\Windows\SYSTEM32\taskkill.exe |
| PID 3204 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe | C:\Windows\SYSTEM32\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe
"C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=996,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:8
C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe" "41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0.exe" ENABLE
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM Exsample.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | adult-purchased.gl.at.ply.gg | udp |
| US | 147.185.221.16:13795 | adult-purchased.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | asthbalhacker.ddns.net | udp |
| SA | 94.96.159.189:4444 | asthbalhacker.ddns.net | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 147.185.221.16:13795 | adult-purchased.gl.at.ply.gg | tcp |
| SA | 94.96.159.189:4444 | asthbalhacker.ddns.net | tcp |
| SA | 94.96.159.189:4444 | asthbalhacker.ddns.net | tcp |
| US | 147.185.221.16:13795 | adult-purchased.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | asthbalhacker.ddns.net | udp |
| SA | 94.96.159.189:4444 | asthbalhacker.ddns.net | tcp |
| US | 147.185.221.16:13795 | adult-purchased.gl.at.ply.gg | tcp |
| SA | 94.96.159.189:4444 | asthbalhacker.ddns.net | tcp |
| US | 147.185.221.16:13795 | adult-purchased.gl.at.ply.gg | tcp |
| SA | 94.96.159.189:4444 | asthbalhacker.ddns.net | tcp |
| US | 147.185.221.16:13795 | adult-purchased.gl.at.ply.gg | tcp |
Files
memory/3204-1-0x00007FF94B923000-0x00007FF94B925000-memory.dmp
memory/3204-0-0x0000000000770000-0x00000000007DC000-memory.dmp
memory/3204-3-0x00000000010B0000-0x00000000010BE000-memory.dmp
memory/3204-2-0x0000000001090000-0x00000000010B4000-memory.dmp
memory/3204-4-0x00007FF94B920000-0x00007FF94C3E1000-memory.dmp
F:\svchost.exe
| Hash | Value |
| --- | --- |
| MD5 | 17e29d4867a27fa612e1d02715a2b7c2 |
| SHA1 | 2a59279845ccff829f193d884bb73d3248131974 |
| SHA256 | 41418ba257c718d3e04166402ae09fd22b2ec6611abf01f66fef1c1d01cc67a0 |
| SHA512 | 7549f12d1663a422612980e5a42670b806e25a25cad06c8712c1a0f785e9dccfc11300901ac5888be9d49a33c21cfb6a94b03be469d9d709fff027314a0ec037 |
memory/3204-14-0x00007FF94B923000-0x00007FF94B925000-memory.dmp
memory/3204-15-0x00007FF94B920000-0x00007FF94C3E1000-memory.dmp