Analysis Overview
SHA256
7734c88d0f1a588938bacf0505aaf50595b26cbc880f005f683990749822a81e
Threat Level: Known bad
The file Qoexqml.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 05:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 05:07
Reported
2024-06-15 05:08
Platform
win11-20240419-en
Max time kernel
59s
Max time network
60s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3220 set thread context of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\Qoexqml.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Qoexqml.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Qoexqml.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Qoexqml.exe
"C:\Users\Admin\AppData\Local\Temp\Qoexqml.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2neftjgz.fyq.ps1
| Algorithm | Digest |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| Algorithm | Digest |
|---|---|
| MD5 | ac4917a885cf6050b1a483e4bc4d2ea5 |
| SHA1 | b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f |
| SHA256 | e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9 |
| SHA512 | 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Algorithm | Digest |
|---|---|
| MD5 | 9087843f4b1a9f337ad54899f901902d |
| SHA1 | f397165544af971304a77168f746bee52eeb5384 |
| SHA256 | dae8fee29e344ca8ef1fddb8cf2620b3fa1247fefd606038df65de990f169b1a |
| SHA512 | f6356a3c9e3cd386c4b48dac28729d339ee602ef59d2b6f57e9801ff6724897fdac4432f5437510c425e82406460904984a993d3c564cc666f09e692df6d6dc0 |