Analysis Overview
SHA256
d4edd94a065d71ae37cb48c64a09e3dab0996096f8a98a378185b26816655e42
Threat Level: Known bad
The file 03072024164603072024OC13065.rar was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
StormKitty
StormKitty payload
Xworm
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-07-03 17:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-03 17:56
Reported
2024-07-03 17:58
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4776 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\OC 13065.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OC 13065.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\OC 13065.exe | "C:\Users\Admin\AppData\Local\Temp\OC 13065.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2632 -ip 2632 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 1656 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 185.29.11.111:7000 | N/A | tcp |
| US | 8.8.8.8:53 | 111.11.29.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| NL | 185.29.11.111:7000 | N/A | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-03 17:56
Reported
2024-07-03 17:58
Platform
win7-20240220-en
Max time kernel
122s
Max time network
145s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2036 set thread context of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\OC 13065.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OC 13065.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\OC 13065.exe | "C:\Users\Admin\AppData\Local\Temp\OC 13065.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2036 -s 616 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 185.29.11.111:7000 | N/A | tcp |
| NL | 185.29.11.111:7000 | N/A | tcp |
Files