Analysis Overview
SHA256
d4c990c378fac48ea03b65c09c3ee495f691da21784b8066172e8c573b8ce8b0
Threat Level: Known bad
The file Проверка.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm family
Xworm
Command and Scripting Interpreter: PowerShell
Drops startup file
Checks computer location settings
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 10:51
Signatures
Detect Xworm Payload
Xworm family
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 10:51
Reported
2024-06-15 10:53
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Проверка.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\Проверка.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\Проверка.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Проверка.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Проверка.exe
"C:\Users\Admin\AppData\Local\Temp\Проверка.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Проверка.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Проверка.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | cameras-happen.gl.at.ply.gg | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y31uzsmq.5ep.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 10:51
Reported
2024-06-15 10:53
Platform
win7-20240611-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\Проверка.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\Проверка.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Проверка.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Проверка.exe
"C:\Users\Admin\AppData\Local\Temp\Проверка.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Проверка.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Проверка.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:23386 | N/A | tcp |
| US | 8.8.8.8:53 | cameras-happen.gl.at.ply.gg | udp |
| US | 147.185.221.20:23386 | cameras-happen.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
\??\PIPE\srvsvc