Analysis Overview
SHA256
d4bbab55c9a16739abf7b2b722788c3386a5a6fdc2cc017d8a86629b92c55210
Threat Level: Known bad
The file ffe9b9de145969a32320dbbfa6dd5fe6.bin was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-21 03:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 03:49
Reported
2024-06-21 03:52
Platform
win7-20240611-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2988 set thread context of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6513f2777a217402f9fa6196dacc31c948dfdde0680ccba57879b1c8d2cd11f8.vbe"
C:\Users\Admin\AppData\Local\Temp\x.exe
"C:\Users\Admin\AppData\Local\Temp\x.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
Network
| Country | Destination | Domain | Proto | Connections |
|---|---|---|---|---|
| DE | 193.161.193.99:22849 | | tcp | 17 |
Files
C:\Users\Admin\AppData\Local\Temp\x.exe
| MD5 | 457eb489d5963eaeaae9c822dccaa34e |
| SHA1 | c29da6a29955ea363d2084cf374ad35e225dea28 |
| SHA256 | 8af889d616db6a411b4cbb7729acd8d2e64b96841e44e9dd9760302f5c1e878f |
| SHA512 | f5dc88d6a8efd33fc280945a39f64055de251b902396ea2ee3b92c26695666147c1cd4136af68fe7bdc20300cd2d17ceea535617f9f398774d76fa9ab7ad957d |
Memory dumps (PID, region, dump sequence numbers):
| PID | Region | Dumps |
|---|---|---|
| 2988 | 0x000000007498E000-0x000000007498F000 | 6 |
| 2988 | 0x0000000000FB0000-0x0000000000FEA000 | 7 |
| 2816 | 0x0000000000400000-0x000000000040E000 | 8, 9, 10, 11, 13, 15, 17 |
| 2816 | 0x000000007EFDE000-0x000000007EFDF000 | 12 |
| 2816 | 0x0000000074980000-0x000000007506E000 | 18, 19, 20 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 03:49
Reported
2024-06-21 03:52
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2588 set thread context of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6513f2777a217402f9fa6196dacc31c948dfdde0680ccba57879b1c8d2cd11f8.vbe"
C:\Users\Admin\AppData\Local\Temp\x.exe
"C:\Users\Admin\AppData\Local\Temp\x.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto | Connections |
|---|---|---|---|---|
| US | 20.231.121.79:80 | | tcp | 1 |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:22849 | | tcp | 15 |
| US | 8.8.8.8:53 | | udp | 1 |
| US | 13.107.246.64:443 | | tcp | 1 |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp | 1 |
Files
C:\Users\Admin\AppData\Local\Temp\x.exe
| MD5 | 457eb489d5963eaeaae9c822dccaa34e |
| SHA1 | c29da6a29955ea363d2084cf374ad35e225dea28 |
| SHA256 | 8af889d616db6a411b4cbb7729acd8d2e64b96841e44e9dd9760302f5c1e878f |
| SHA512 | f5dc88d6a8efd33fc280945a39f64055de251b902396ea2ee3b92c26695666147c1cd4136af68fe7bdc20300cd2d17ceea535617f9f398774d76fa9ab7ad957d |
Memory dumps (PID, region, dump sequence numbers):
| PID | Region | Dumps |
|---|---|---|
| 2588 | 0x00000000744BE000-0x00000000744BF000 | 11 |
| 2588 | 0x0000000000560000-0x000000000059A000 | 12 |
| 1712 | 0x0000000000400000-0x000000000040E000 | 13 |
| 1712 | 0x00000000744B0000-0x0000000074C60000 | 15, 17, 18, 19 |
| 1712 | 0x0000000005240000-0x00000000052DC000 | 16 |