Analysis Overview
SHA256
5e5b928e89a0aabc7226211093683fea9e573ed82fd0286eacfdf3953c9062e8
Threat Level: Known bad
The file tmp.bin was found to be: Known bad.
Malicious Activity Summary
StormKitty
Detect Xworm Payload
StormKitty payload
Xworm
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-05 07:21
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-05 07:21
Reported
2024-07-05 07:24
Platform
win7-20240704-en
Max time kernel
120s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
5 matches; no indicator, process or target recorded.
StormKitty
StormKitty payload
Xworm
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1840 set thread context of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1840 -s 620
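The chain recorded above, tmp.exe (PID 1840) starting regsvcs.exe (PID 2464) with no arguments and then hitting it with WriteProcessMemory and SetThreadContext, is the classic process-hollowing sequence; behavioral2 repeats it with regasm.exe (PID 1104 into 628). The detector below is an added example, not part of the sandbox report or the Xworm/StormKitty tooling: it replays constructed telemetry records modelled on the Process/Target columns of this page and flags the chain while ignoring a legitimate build tool that registers an assembly through RegAsm.exe. The event schema, the parent of tmp.exe (PID 4000) and the devenv.exe records are assumptions. Note for behavioral2 that the EnumeratesProcesses, SCSI-registry and SeSystemProfilePrivilege/SeCreateGlobalPrivilege entries are all attributed to taskmgr.exe, not to tmp.exe or regasm.exe, so they describe the Task Manager session in that run's process list rather than the sample.

```python
# Added example (not from the sandbox report): flag SetThreadContext /
# WriteProcessMemory against a freshly spawned, argument-less .NET utility.
# Telemetry records are constructed; PIDs and paths for tmp.exe/regsvcs.exe
# mirror behavioral1, everything else (ppid 4000, devenv.exe) is invented.
import ntpath
from typing import Dict, List, Set, Tuple

# .NET Framework utilities the report shows being used as hollowing hosts.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe"}

# Path fragments of directories a normal user can write to (assumed list).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\downloads",
                 r"\programdata", r"\users\public")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def _has_arguments(cmdline: str, image: str) -> bool:
    """True if the command line carries anything beyond the image path."""
    rest = cmdline.strip()
    if rest.startswith('"'):
        # quoted image path: keep whatever follows the closing quote
        rest = rest[1:].split('"', 1)[1] if '"' in rest[1:] else ""
    elif rest.lower().startswith(image.lower()):
        rest = rest[len(image):]
    return bool(rest.strip())


def find_hollowing(events: List[Dict]) -> List[Dict]:
    """Return one alert per (injector, target) pair that looks like hollowing."""
    procs: Dict[int, Dict] = {}
    touched: Dict[Tuple[int, int], Set[str]] = {}
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
        elif ev["type"] in ("set_thread_context", "write_process_memory"):
            touched.setdefault((ev["pid"], ev["target_pid"]), set()).add(ev["type"])

    alerts = []
    for (src, dst), apis in touched.items():
        parent, child = procs.get(src), procs.get(dst)
        if not parent or not child or src == dst:
            continue
        reasons = []
        if _base(child["image"]) in HOLLOW_HOSTS:
            reasons.append("target is a .NET utility commonly used as a hollowing host")
        if child["ppid"] == src:
            reasons.append("injecting process is the target's parent")
        if not _has_arguments(child["cmdline"], child["image"]):
            reasons.append("target was launched with no arguments")
        if _in_user_writable(parent["image"]):
            reasons.append("injector runs from a user-writable directory")
        if "set_thread_context" in apis:
            reasons.append("SetThreadContext on a foreign process")
        # A single weak signal (e.g. a debugger writing to its child) is not
        # enough; the report's chain satisfies all five.
        if len(reasons) >= 4:
            alerts.append({"source": src, "target": dst,
                           "apis": sorted(apis), "reasons": reasons})
    return alerts


# Constructed telemetry: first four records mirror behavioral1, the rest model
# a Visual Studio build registering an assembly with RegAsm.exe (benign).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1840, "ppid": 4000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp.exe"'},
    {"type": "process_create", "pid": 2464, "ppid": 1840,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"'},
    {"type": "set_thread_context", "pid": 1840, "target_pid": 2464},
    {"type": "write_process_memory", "pid": 1840, "target_pid": 2464},
    {"type": "process_create", "pid": 5000, "ppid": 4000,
     "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": r'"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"'},
    {"type": "process_create", "pid": 5001, "ppid": 5000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /codebase MyLib.dll'},
    {"type": "write_process_memory", "pid": 5000, "target_pid": 5001},
]

if __name__ == "__main__":
    for alert in find_hollowing(SAMPLE_EVENTS):
        print(alert)
```

The "no arguments" check matters: a legitimate RegSvcs/RegAsm invocation always names the assembly it is registering, while a hollowing host is started bare so that nothing runs before the injector overwrites the image at 0x400000 (the region the behavioral1 memory dumps show being captured repeatedly for PID 2464).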
Network
| Country | Destination | Domain | Proto |
| NL | 185.29.11.111:7000 | | tcp |
| NL | 185.29.11.111:7000 | | tcp |
Files
memory/1840-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp
memory/1840-1-0x0000000001250000-0x000000000125E000-memory.dmp
memory/1840-2-0x000000001B0E0000-0x000000001B0EE000-memory.dmp
memory/1840-4-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp
memory/1840-3-0x0000000000560000-0x00000000005C2000-memory.dmp
memory/2464-11-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2464-14-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2464-9-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2464-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2464-7-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2464-5-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2464-16-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2464-18-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2464-19-0x000000007444E000-0x000000007444F000-memory.dmp
memory/2464-20-0x0000000074440000-0x0000000074B2E000-memory.dmp
memory/1840-21-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp
memory/2464-22-0x00000000063A0000-0x00000000064C0000-memory.dmp
memory/1840-46-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp
memory/2464-47-0x000000007444E000-0x000000007444F000-memory.dmp
memory/2464-48-0x0000000074440000-0x0000000074B2E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-05 07:21
Reported
2024-07-05 07:25
Platform
win10v2004-20240704-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
Detect Xworm Payload
StormKitty
StormKitty payload
Xworm
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1104 set thread context of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
(20 identical entries)
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 628 -ip 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1744
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| NL | 185.29.11.111:7000 | | tcp |
| US | 8.8.8.8:53 | 111.11.29.185.in-addr.arpa | udp |
| NL | 185.29.11.111:7000 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
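Only one endpoint in the two Network tables belongs to the sample: 185.29.11.111:7000/tcp, contacted twice in each run. The rest is resolver chatter to 8.8.8.8:53, and the PTR name 111.11.29.185.in-addr.arpa is simply the reverse lookup of that same address. The script below is an added example, not part of the report: it re-enters the rows from both behavioral runs, discards resolver and background traffic, decodes the in-addr.arpa names and ties them back to the connections they describe. Treating 8.8.8.8:53 as the sandbox resolver and g.bing.com as operating-system background traffic is an assumption.

```python
# Added example (not from the sandbox report): pull the sample's own
# endpoints out of the Network tables and explain the PTR lookups around them.
# NETWORK_ROWS is copied from behavioral1 and behavioral2 above; the resolver
# and background-domain lists are assumptions.
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# (run, country, destination, domain, proto) as recorded in the report
NETWORK_ROWS: List[Tuple[str, str, str, str, str]] = [
    ("behavioral1", "NL", "185.29.11.111:7000", "", "tcp"),
    ("behavioral1", "NL", "185.29.11.111:7000", "", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("behavioral2", "US", "13.107.21.237:443", "g.bing.com", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "71.159.190.20.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "88.156.103.20.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "237.21.107.13.in-addr.arpa", "udp"),
    ("behavioral2", "NL", "185.29.11.111:7000", "", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "111.11.29.185.in-addr.arpa", "udp"),
    ("behavioral2", "NL", "185.29.11.111:7000", "", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
]

RESOLVER = "8.8.8.8:53"                 # assumed sandbox DNS resolver
BACKGROUND_DOMAINS = {"g.bing.com"}     # assumed OS background traffic


def ptr_to_ip(name: str) -> Optional[str]:
    """'111.11.29.185.in-addr.arpa' -> '185.29.11.111'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage_network(rows) -> List[Dict]:
    """Return candidate C2 endpoints with hit counts, runs seen in, and PTR evidence."""
    conns: Counter = Counter()
    runs: Dict[str, Set[str]] = {}
    for run, _country, dest, domain, proto in rows:
        if dest == RESOLVER or domain in BACKGROUND_DOMAINS:
            continue
        conns[(dest, proto)] += 1
        runs.setdefault(dest, set()).add(run)

    # Reverse lookups the sandbox issued for addresses the sample connected to:
    # corroborating evidence, not an indicator in their own right.
    contacted_ips = {dest.rsplit(":", 1)[0] for dest, _ in conns}
    ptr_hits: Dict[str, str] = {}
    for _run, _country, _dest, domain, _proto in rows:
        ip = ptr_to_ip(domain)
        if ip in contacted_ips:
            ptr_hits[ip] = domain

    result = []
    for (dest, proto), count in sorted(conns.items()):
        ip, port = dest.rsplit(":", 1)
        result.append({
            "ip": ip,
            "port": int(port),
            "proto": proto,
            "connections": count,
            "seen_in_runs": sorted(runs[dest]),
            "ptr_lookup": ptr_hits.get(ip),
        })
    return result


if __name__ == "__main__":
    for ioc in triage_network(NETWORK_ROWS):
        print(ioc)
```

An endpoint that recurs across both platforms (win7 and win10 here) with the same port is worth more than one seen once: it is the sample's hard-coded C2 rather than something the environment provoked. The remaining PTR names decode to addresses the report never shows being contacted, so they are left out of the result.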
Files
memory/1104-0-0x00007FFAC8E43000-0x00007FFAC8E45000-memory.dmp
memory/1104-1-0x000001A57E0A0000-0x000001A57E0AE000-memory.dmp
memory/1104-2-0x000001A518770000-0x000001A51877E000-memory.dmp
memory/1104-3-0x000001A5186E0000-0x000001A518742000-memory.dmp
memory/1104-4-0x00007FFAC8E40000-0x00007FFAC9901000-memory.dmp
memory/628-5-0x0000000000400000-0x000000000040E000-memory.dmp
memory/628-6-0x0000000074ACE000-0x0000000074ACF000-memory.dmp
memory/628-7-0x0000000005510000-0x00000000055AC000-memory.dmp
memory/1104-8-0x00007FFAC8E40000-0x00007FFAC9901000-memory.dmp
memory/628-9-0x0000000074AC0000-0x0000000075270000-memory.dmp
memory/628-10-0x0000000005BB0000-0x0000000005C16000-memory.dmp
memory/628-11-0x00000000065B0000-0x0000000006642000-memory.dmp
memory/628-12-0x0000000006C00000-0x00000000071A4000-memory.dmp
memory/628-13-0x0000000006790000-0x00000000068B0000-memory.dmp
memory/628-14-0x00000000071B0000-0x0000000007504000-memory.dmp
memory/628-15-0x0000000006A10000-0x0000000006A5C000-memory.dmp
memory/628-54-0x0000000074AC0000-0x0000000075270000-memory.dmp
memory/1264-55-0x0000017274CF0000-0x0000017274CF1000-memory.dmp
memory/1264-57-0x0000017274CF0000-0x0000017274CF1000-memory.dmp
memory/1264-56-0x0000017274CF0000-0x0000017274CF1000-memory.dmp
memory/1264-66-0x0000017274CF0000-0x0000017274CF1000-memory.dmp
memory/1264-67-0x0000017274CF0000-0x0000017274CF1000-memory.dmp
memory/1264-64-0x0000017274CF0000-0x0000017274CF1000-memory.dmp
memory/1264-65-0x0000017274CF0000-0x0000017274CF1000-memory.dmp
memory/1264-63-0x0000017274CF0000-0x0000017274CF1000-memory.dmp
memory/1264-62-0x0000017274CF0000-0x0000017274CF1000-memory.dmp
memory/1264-61-0x0000017274CF0000-0x0000017274CF1000-memory.dmp