Analysis Overview
SHA256
5d95c0868fefe2bf2ac14a5c09f455fb459d3b68da392f499ae60679c122bfcf
Threat Level: Known bad
The file 5d95c0868fefe2bf2ac14a5c09f455fb459d3b68da392f499ae60679c122bfcf was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Xworm family
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 13:45
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 13:45
Reported
2024-06-14 13:48
Platform
win11-20240508-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5d95c0868fefe2bf2ac14a5c09f455fb459d3b68da392f499ae60679c122bfcf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5d95c0868fefe2bf2ac14a5c09f455fb459d3b68da392f499ae60679c122bfcf.exe
"C:\Users\Admin\AppData\Local\Temp\5d95c0868fefe2bf2ac14a5c09f455fb459d3b68da392f499ae60679c122bfcf.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 185.91.127.220:7000 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 185.91.127.220:7000 | | tcp |
| DE | 185.91.127.220:7000 | | tcp |
| DE | 185.91.127.220:7000 | | tcp |
| DE | 185.91.127.220:7000 | | tcp |
Files
memory/3304-0-0x00007FFD124B3000-0x00007FFD124B5000-memory.dmp
memory/3304-1-0x0000000000640000-0x0000000000666000-memory.dmp
memory/3304-2-0x00007FFD124B0000-0x00007FFD12F72000-memory.dmp
memory/3304-3-0x00007FFD124B0000-0x00007FFD12F72000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 13:45
Reported
2024-06-14 13:48
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5d95c0868fefe2bf2ac14a5c09f455fb459d3b68da392f499ae60679c122bfcf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5d95c0868fefe2bf2ac14a5c09f455fb459d3b68da392f499ae60679c122bfcf.exe
"C:\Users\Admin\AppData\Local\Temp\5d95c0868fefe2bf2ac14a5c09f455fb459d3b68da392f499ae60679c122bfcf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 185.91.127.220:7000 | | tcp |
| DE | 185.91.127.220:7000 | | tcp |
| DE | 185.91.127.220:7000 | | tcp |
| DE | 185.91.127.220:7000 | | tcp |
| DE | 185.91.127.220:7000 | | tcp |
| DE | 185.91.127.220:7000 | | tcp |
Files
memory/1464-1-0x0000000000350000-0x0000000000376000-memory.dmp
memory/1464-0-0x00007FFF04093000-0x00007FFF04095000-memory.dmp
memory/1464-2-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/1464-3-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp