Analysis Overview
SHA256
9a697d8f7158b3e91f0a01f9196590114c443bb5acdbc17cc3822046283b2a5d
Threat Level: Known bad
The file Feather Nowy.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
Drops startup file
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 20:37
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 20:37
Reported
2024-06-20 20:38
Platform
win10-20240404-en
Max time kernel
58s
Max time network
59s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Feather Patch Nowy.lnk | C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Feather Patch Nowy.lnk | C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Feather Patch Nowy.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Feather Patch Nowy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Feather Patch Nowy.exe" | C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe
"C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Feather Nowy.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Feather Patch Nowy.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Feather Patch Nowy.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Feather Patch Nowy" /tr "C:\Users\Admin\AppData\Local\Temp\Feather Patch Nowy.exe"
C:\Users\Admin\AppData\Local\Temp\Feather Patch Nowy.exe
"C:\Users\Admin\AppData\Local\Temp\Feather Patch Nowy.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lake-french.gl.at.ply.gg | udp |
| US | 147.185.221.20:33694 | lake-french.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.20:33694 | lake-french.gl.at.ply.gg | tcp |
| US | 147.185.221.20:33694 | lake-french.gl.at.ply.gg | tcp |
| US | 147.185.221.20:33694 | lake-french.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g13yxcdu.qyn.ps1
| Hash | Value |
|---|---|
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| Hash | Value |
|---|---|
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
|---|---|
| MD5 | 04d2f0712ccc62188017020ffef28d27 |
| SHA1 | 7f8ce7b20a1514155daf9723681accee49e87c70 |
| SHA256 | aa55bd0c1a7403c29de328f395642607e2aa2758db0b51843c65cbfe9da54628 |
| SHA512 | cb6c85176e5978460792af436e4c7f9a5255d332ee8d427729eb372761de2e2962dd4361f4f5082a377d13eda516a9eba5d57d016f6bb2f2d15479c2198761cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
|---|---|
| MD5 | 8e83259f6c1289ed88e665a1e346fe45 |
| SHA1 | e5d7964fa363af384d32a3d02f6732a4219c2452 |
| SHA256 | 1580a89452f0d425bd1a748372bd06b9e64c7848f4aecce0711d2d4a26f34f24 |
| SHA512 | f4afa2d035185349153e49cd0fd917150201b45e41d27dca8b7ab3f9c4ff627113ecf1299217af6b2e04ea060d3d76a035327ddc7ceb5b46f254a41ee5eef812 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
|---|---|
| MD5 | 15709f46875514cec448e25b300f0482 |
| SHA1 | 55486ce274a0e8a6eb4cb6511d074b5530d9faf4 |
| SHA256 | 5ddf9dffb72d59cc8d476ae1f27ec46966ae3ee1d5559ab40280fa10d3109a94 |
| SHA512 | bfa40f9a5d5ffe9b1656c2686e6fac380b90939b440e0f2ae82c51e1cec404a4fe7c59b87d015746035c579dfec3ba6334ddd4be7280ef6be32b4243abb6d5e1 |
C:\Users\Admin\AppData\Local\Temp\Feather Patch Nowy.exe
| Hash | Value |
|---|---|
| MD5 | dbf36667c73c5e1bd6dcf2005c84aa29 |
| SHA1 | 1db961a84cc78184868aecc362067162bef19397 |
| SHA256 | 9a697d8f7158b3e91f0a01f9196590114c443bb5acdbc17cc3822046283b2a5d |
| SHA512 | 0798159097fc143b03573b8129af4b34a7304ae515723819dd818a63c2dcdf434c98c4d5cddd8c9e648c0d36e133ad3f95edbf175b32cce1d7fd31a191b7eeab |