Analysis Overview
SHA256
60ddff3747cec6439d564d036b7a0f15ac22de87fe3d41dc3f6eca9292ca1cee
Threat Level: Known bad
The file XWormLоader 5.6 x64.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Xworm family
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Checks SCSI registry key(s)
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-21 20:34
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 20:34
Reported
2024-06-21 20:35
Platform
win10v2004-20240611-en
Max time kernel
41s
Max time network
43s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Serrvice Executable.lnk | C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Serrvice Executable.lnk | C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antimalware Serrvice Executable = "C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Serrvice Executable.exe" | C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe
"C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWormLоader 5.6 x64.exe'
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLоader 5.6 x64.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Antimalware Serrvice Executable.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Antimalware Serrvice Executable" /tr "C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe"
C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe
"C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | min-clusters.gl.at.ply.gg | udp |
| US | 147.185.221.20:12082 | min-clusters.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | feb-victorian.gl.at.ply.gg | udp |
| US | 147.185.221.20:12082 | feb-victorian.gl.at.ply.gg | tcp |
Files
memory/4616-0-0x00007FFDAABB3000-0x00007FFDAABB5000-memory.dmp
memory/4616-1-0x0000000000D80000-0x0000000000D96000-memory.dmp
memory/4616-2-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp
memory/4724-3-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp
memory/4724-13-0x0000014EFA220000-0x0000014EFA242000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lkudcqvs.w1a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4724-14-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp
memory/4724-15-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp
memory/4724-18-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
memory/3300-32-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp
memory/3300-30-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp
memory/3300-31-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp
memory/3300-42-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp
memory/3300-41-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp
memory/3300-40-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp
memory/3300-39-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp
memory/3300-38-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp
memory/3300-37-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp
memory/3300-36-0x0000023CDDF60000-0x0000023CDDF61000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 15dde0683cd1ca19785d7262f554ba93 |
| SHA1 | d039c577e438546d10ac64837b05da480d06bf69 |
| SHA256 | d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961 |
| SHA512 | 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 73d375b957e6a571723660974cc79bef |
| SHA1 | dde4d7c074f345a25610bc2d0f85dfe16ec9855c |
| SHA256 | 9e10486480c7d54577b7290fc129284d7fcc435f93cbee4e07a9cabc681cb485 |
| SHA512 | f2d4e3e50736889b721493bb458238f48ce05fc2e0ec4fae87983d26d9876abb7be53d9eac65a42c12a4cd88b1aec884f5a89f34b3f2ccdbe03ad383ce47b781 |
C:\Users\Admin\AppData\Roaming\Antimalware Serrvice Executable.exe
| MD5 | e166dd45fd4a6d4e228f0a89fa3730c1 |
| SHA1 | 98b15dc0ca3fde498d3ad1f53d542ee0b5024075 |
| SHA256 | 60ddff3747cec6439d564d036b7a0f15ac22de87fe3d41dc3f6eca9292ca1cee |
| SHA512 | beb7db6cb84ff8953d2892e710832b84d08cbc9daf68f0297ed169612fc30d9cc5ee9d7dda5a4cb4b19b407a34e94a26b117de0b7d4b831c348ff8a4715cd624 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Serrvice Executable.lnk
| MD5 | be947da1f0084c0ecbd18f9cc1d73d95 |
| SHA1 | 898fecf25ca7412661951b636df0acbfb4a52efb |
| SHA256 | 257f8a7df9c264b35a2fef997cbe32787edd8cf1e3fa40675097fc04e3424450 |
| SHA512 | e2182b67b4961e782d256bc8f51630f947916faa5e0d6532ac512eb5eb3f8e9c8962aa0c555c0373d1ec312dfb946724585425db828b8fb0aa5b1413ffad70c0 |
memory/4616-73-0x0000000002E60000-0x0000000002E95000-memory.dmp
memory/4616-72-0x000000001BF40000-0x000000001C042000-memory.dmp
memory/4616-76-0x00007FFDAABB3000-0x00007FFDAABB5000-memory.dmp
memory/4616-77-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp