Overview

overview

10

Static

static

1

Qfnhrnpt.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    60s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-06-2024 05:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Qfnhrnpt.exe

  • Size

    4.6MB

  • MD5

    0798156faad67e667b6fafbcb3149426

  • SHA1

    df890c45d0c9c777e1869b26628feaf26fda169b

  • SHA256

    64574bb980eeffa711f72d3f457235516cf2edd20529fc28aeab59401ae221a6

  • SHA512

    114092beb32eb2b0f6d10e5fabf39d727b5575fa1eb09c56fd9d8d48ad586434972d7990d395f61cc45f22734f22764329341a35236f50dfa7eb99f04c8bf667

  • SSDEEP

    24576:VYE9CtqvlrtxeDS0AT+UNytsBhqegseUVbUZs/vywF6teRbz8UAuGrymg4FypS9l:Vy

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Qfnhrnpt.exe
    "C:\Users\Admin\AppData\Local\Temp\Qfnhrnpt.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Users\Admin\AppData\Local\Temp\Qfnhrnpt.exe
      "C:\Users\Admin\AppData\Local\Temp\Qfnhrnpt.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Qfnhrnpt.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2328
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Qfnhrnpt.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Qfnhrnpt.exe.log
    Filesize

    805B

    MD5

    9d0cacca373731660e8268a162d9d4ff

    SHA1

    a82111d00132cdf7ef46af5681601d55c6a0e17c

    SHA256

    95932f81206717ff86f0974ee37dc40d5d914f730f00a08344b4c1765d663394

    SHA512

    8c971ab501fc322b13f53b03325b2295e1eedb12b6d50a4225e6e3b4bf5128665b1a3d8b560a8b04f14bfa6f5cba41058e4f546139101fc303f3b8393f5ca485

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d0c46cad6c0778401e21910bd6b56b70

    SHA1

    7be418951ea96326aca445b8dfe449b2bfa0dca6

    SHA256

    9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

    SHA512

    057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    6df87c63b54ca788e43f547bfa21fdf3

    SHA1

    7f4f3a4b9569ffc36ef6dc0c6574395993f572da

    SHA256

    e574859e1626825e3f7262df4a795251e54220820e48d025c4474997598ae7ee

    SHA512

    fc4a391c10161187c53449d6f3836c7bed7d0589646a02ee534e19fbe7f3ca323c8bedf60b24a1e861ea29f32b64379211eec90b0000be34cabb3a0df10a8c0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qbitoob1.qv1.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • memory/896-4892-0x00000000055B0000-0x000000000561E000-memory.dmp
    Filesize

    440KB

    Download
  • memory/896-38-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-24-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-32-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-66-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-68-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-64-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-62-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-60-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-58-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-56-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-54-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-52-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-50-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-48-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-46-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-44-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-42-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-40-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-36-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-34-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-28-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-26-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-2-0x0000000006650000-0x0000000006884000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-30-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-4896-0x00000000749B0000-0x0000000075161000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/896-20-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-18-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-16-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-14-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-12-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-11-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-8-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-6-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-5-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-4891-0x00000000749B0000-0x0000000075161000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/896-3-0x0000000006E30000-0x00000000073D6000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/896-4894-0x00000000749B0000-0x0000000075161000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/896-4-0x0000000006920000-0x00000000069B2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/896-0-0x00000000749BE000-0x00000000749BF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/896-22-0x0000000006650000-0x000000000687E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/896-4901-0x00000000749B0000-0x0000000075161000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/896-4893-0x0000000005620000-0x000000000566C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/896-1-0x00000000004A0000-0x0000000000936000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/896-4895-0x0000000005420000-0x0000000005474000-memory.dmp
    Filesize

    336KB

    Download
  • memory/1068-4958-0x0000000006110000-0x0000000006467000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1068-4960-0x000000006FAE0000-0x000000006FB2C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2328-4939-0x00000000071E0000-0x0000000007276000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2328-4920-0x0000000005750000-0x0000000005AA7000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2328-4941-0x0000000007180000-0x000000000718E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2328-4921-0x00000000749B0000-0x0000000075161000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2328-4922-0x0000000005BE0000-0x0000000005BFE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2328-4923-0x0000000005C20000-0x0000000005C6C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2328-4925-0x000000006FAE0000-0x000000006FB2C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2328-4934-0x0000000006DD0000-0x0000000006DEE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2328-4924-0x0000000006D90000-0x0000000006DC4000-memory.dmp
    Filesize

    208KB

    Download
  • memory/2328-4935-0x0000000006E00000-0x0000000006EA4000-memory.dmp
    Filesize

    656KB

    Download
  • memory/2328-4936-0x0000000007580000-0x0000000007BFA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2328-4937-0x0000000006F40000-0x0000000006F5A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2328-4938-0x0000000006FB0000-0x0000000006FBA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2328-4940-0x0000000007150000-0x0000000007161000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2328-4911-0x0000000005540000-0x00000000055A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2328-4910-0x0000000004E40000-0x0000000004E62000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2328-4942-0x0000000007190000-0x00000000071A5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/2328-4943-0x00000000072A0000-0x00000000072BA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2328-4908-0x00000000749B0000-0x0000000075161000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2328-4907-0x0000000004760000-0x0000000004796000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2328-4909-0x0000000004EA0000-0x00000000054CA000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2328-4948-0x00000000749B0000-0x0000000075161000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2328-4945-0x0000000007280000-0x0000000007288000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3184-4944-0x00000000749B0000-0x0000000075161000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3184-4906-0x00000000749B0000-0x0000000075161000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3184-4905-0x00000000058A0000-0x0000000005906000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3184-4904-0x0000000005940000-0x00000000059DC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3184-4902-0x00000000749B0000-0x0000000075161000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3184-4970-0x00000000749B0000-0x0000000075161000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3184-4903-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

    Download