Analysis Overview
SHA256
cde6b414622136dd14a5a025f6d8fe2313c36a347086fceb168b5dff1a6c288b
Threat Level: Known bad
The file shtorm_sb.exe was classified as Known bad. In both detonations it writes a byte-identical copy of itself (the SHA256 above also appears under Files for the dropped file) to C:\Users\Admin\AppData\Roaming\svсhost.exe, adds Windows Defender exclusions for both the original and the copy through powershell.exe Add-MpPreference, and persists through a Run key plus a scheduled task that relaunches the copy every minute at highest run level. Note that the dropped name is not the ASCII "svchost": as rendered in this report its third character is the Cyrillic letter с (U+0441), so the file masquerades as the System32 service host while living in a user-writable directory. The copy resolves the external IP via ip-api.com and then connects to close-material.gl.at.ply.gg (147.185.221.19:13244), a ply.gg hostname issued by the playit.gg tunnelling service. On the Windows 7 run (behavioral1) further executables were executed (ycbjdh.exe, qvoafb.exe, mssessionbroker.exe and "(DL) Nivea-Man.exe") and the DcRat / DCRat payload signatures fired only there; the Windows 10 run (behavioral2) shows the XWorm behaviour alone.
Malicious Activity Summary
Detect Xworm Payload
DcRat
Xworm
Xworm family
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-18 14:40
Signatures
Detect Xworm Payload
Xworm family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-18 14:40
Reported
2024-07-18 15:12
Platform
win7-20240705-en
Max time kernel
1795s
Max time network
1800s
Command Line
Signatures
DcRat
Detect Xworm Payload
Xworm
DCRat payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qvoafb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qvoafb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\(DL) Nivea-Man.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\(DL) Nivea-Man.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svсhost = "C:\\Users\\Admin\\AppData\\Roaming\\svсhost.exe" | C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\mssessionbroker.exe | C:\Users\Admin\AppData\Local\Temp\qvoafb.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7427.tmp\(DL) Nivea-Man.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe
"C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'shtorm_sb.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svсhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svсhost.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svсhost" /tr "C:\Users\Admin\AppData\Roaming\svсhost.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {A15E35D5-E14A-445F-AC3C-C470C92FAE13} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\svсhost.exe
C:\Users\Admin\AppData\Roaming\svсhost.exe
(the dropped copy is started by the scheduled task; three launches are listed at this point and 27 more later in the run, one per minute)
C:\Users\Admin\AppData\Local\Temp\ycbjdh.exe
"C:\Users\Admin\AppData\Local\Temp\ycbjdh.exe"
C:\Users\Admin\AppData\Local\Temp\qvoafb.exe
"C:\Users\Admin\AppData\Local\Temp\qvoafb.exe"
C:\Windows\mssessionbroker.exe
"C:\Windows\mssessionbroker.exe"
C:\Users\Admin\AppData\Local\Temp\(DL) Nivea-Man.exe
"C:\Users\Admin\AppData\Local\Temp\(DL) Nivea-Man.exe"
C:\Users\Admin\AppData\Local\Temp\7427.tmp\(DL) Nivea-Man.exe
"C:\Users\Admin\AppData\Local\Temp\7427.tmp\(DL) Nivea-Man.exe" -window_title "(DL) Nivea-Man" "C:\Users\Admin\AppData\Local\Temp\7427.tmp\(DL) Nivea-Man"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
C:\Users\Admin\AppData\Roaming\svсhost.exe
C:\Users\Admin\AppData\Roaming\svсhost.exe
(27 further launches of the dropped copy by the scheduled task over the remainder of the 30-minute run, one per minute, collapsed here)
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | close-material.gl.at.ply.gg | udp |
| US | 147.185.221.19:13244 | close-material.gl.at.ply.gg | tcp |
| US | 147.185.221.19:13244 | close-material.gl.at.ply.gg | tcp |
Files
memory/2372-0-0x000007FEF5563000-0x000007FEF5564000-memory.dmp
memory/2372-1-0x00000000008B0000-0x00000000008F2000-memory.dmp
memory/2372-2-0x000007FEF5560000-0x000007FEF5F4C000-memory.dmp
memory/2884-7-0x000000001B5C0000-0x000000001B8A2000-memory.dmp
memory/2884-8-0x0000000002790000-0x0000000002798000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R2OFUKY2SGCDCR6PLVS5.temp
| MD5 | ada4259560f6f01796eed495958c6778 |
| SHA1 | b4d3d669998f23bcfd29edd86c8086924618760b |
| SHA256 | b85ac37a4811a0191b73c652a5fedf10ae53aa84973577f81aa77fe07e3fa878 |
| SHA512 | 24d7c51142158e6d38df69e97ba8c7dbbdd7ab0fe07f269d26dafcc18fae90003a627570b23354bae6891482a73217989fd91c3f399720fbc879fee4a06b0a7c |
memory/2580-15-0x0000000001F00000-0x0000000001F08000-memory.dmp
memory/2580-14-0x000000001B760000-0x000000001BA42000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2372-28-0x000007FEF5563000-0x000007FEF5564000-memory.dmp
memory/2372-29-0x000007FEF5560000-0x000007FEF5F4C000-memory.dmp
C:\Users\Admin\AppData\Roaming\svсhost.exe
| MD5 | 2faf13feda202796051c439b5abd8d48 |
| SHA1 | 5c2d1f4be4f7dcef2f5577a15ea3f31c59ddbe8b |
| SHA256 | cde6b414622136dd14a5a025f6d8fe2313c36a347086fceb168b5dff1a6c288b |
| SHA512 | dd46a3f553ff3bf0a39b8f4132d1053ac1758b2befb8a1b096455bd7812f2bcaf29fc9dcf00ef0bb972b4c27e47cc2b347f3fe4e58bab7708be1855fd7bdf2b9 |
memory/2128-33-0x0000000001110000-0x0000000001152000-memory.dmp
memory/2372-35-0x0000000002300000-0x000000000230C000-memory.dmp
memory/1648-37-0x0000000001380000-0x00000000013C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ycbjdh.exe
| MD5 | df2f4fe97492b1655354f2727648e083 |
| SHA1 | 2d1835c7f35b04056a2f36412ca2ba398dcc4661 |
| SHA256 | 7e1d01a3daa51e2a19e78890912a44fd0aa1446582531cc897771c675046f83d |
| SHA512 | b53c369c7df267e0980e12dbfbea76b35069a192017bc5e8487a2500ac1e591b1a6857392bda47f57c1b2e565af1448c5f5f6cd8c4f693c780a415c701048e2c |
memory/2272-44-0x0000000001000000-0x000000000109D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qvoafb.exe
| MD5 | 6e272b8474169998bc3f0ec4478e0171 |
| SHA1 | 713ad762decb0d2e2994c79f2795fd38352b2ea6 |
| SHA256 | 9c92031bc960410a3207e53c6223d60d2d6f08c1c6be7d2ab5581612ff478888 |
| SHA512 | 676ee151d8b6b7fe313bb0efe60b615fc27ee065faef22d6f09fb9f26c2054cb8b0d02c0aadfb6e42ba86c3ad5c8b36429069c77eee99fe04d86b1cca1acf506 |
C:\Windows\mssessionbroker.exe
| MD5 | 92a5e51542295394c53461b13e665c43 |
| SHA1 | a08c4add16ed45d29438e738f7596bf49515158b |
| SHA256 | 9a2840d13c3c8084fea89ebd5ab0db184f6133369ce2f84f3759bf9a2594bca9 |
| SHA512 | 203d4d81e05729d24422f96bc6ddea249d3f3a5779580a46d40b705b63f2aa3a3f51e5100af871b35c52f455611e2e0dcdd8eb7671bc066b3452ef0e440813bd |
memory/740-58-0x0000000000830000-0x0000000000B6A000-memory.dmp
\Users\Admin\AppData\Local\Temp\(DL) Nivea-Man.exe
| MD5 | a93dbfca3fd421c8c41d7c30b330533e |
| SHA1 | d69b2f10f6dc9a1a784d3bab2d88a77fa2ab4cc1 |
| SHA256 | 09461701c82c17bc4e0c168ddc67d1ec17a3d1bb58a727bc0444e116261e1432 |
| SHA512 | b7ce11d658a215b40f3440515b97e755341c2ae6867f5d4a290ef865d05d79e5f527dd55ccdb5b14f41c3512c997865127685b84a615138899f752e4001cb297 |
memory/296-68-0x0000000000400000-0x00000000021CF000-memory.dmp
memory/740-70-0x00000000004E0000-0x00000000004EE000-memory.dmp
memory/740-69-0x00000000004D0000-0x00000000004DE000-memory.dmp
\Users\Admin\AppData\Local\Temp\7427.tmp\(DL) Nivea-Man.exe
| MD5 | 79786ad55686b649dc45f84fbce344be |
| SHA1 | 0bb8bc9ebcde6f093a1a41f71c7bd7a21ee3b406 |
| SHA256 | 9ffb6d0a907fc8fde590301ad78fa7aca2dc9372066e2eb62b08bcc58f0d2ae4 |
| SHA512 | 9358156124fd65351960e2a1034e547fbc0ab1403824702f198213c017c7626c890ab54008531484866eb1f745e1ef8f0e6eaede7869039768983aa90ef3221a |
C:\Users\Admin\AppData\Local\Temp\7427.tmp\(DL) Nivea-Man
| MD5 | 89fcf4c656705a2596d335313c6c2ce6 |
| SHA1 | 1b449658ce64f51e9490678b50056c1247e8c1e6 |
| SHA256 | d9740cf98cd90d309f6c416de11116821e98932f5aa4e3f0caffd8deac298d97 |
| SHA512 | 70d658a96249bec692dbbce76fb7d8c2e42a2499954402231121f1786b8c5d129d154f4e2f9058a29b107623d648ff10f8f51f690f15db90ae82a48e3a357851 |
memory/3044-85-0x0000000000680000-0x000000000068A000-memory.dmp
memory/3044-84-0x0000000000680000-0x000000000068A000-memory.dmp
memory/3044-87-0x00000000006A0000-0x00000000006AA000-memory.dmp
memory/3044-86-0x00000000006A0000-0x00000000006AA000-memory.dmp
memory/2272-88-0x0000000001000000-0x000000000109D000-memory.dmp
memory/3044-90-0x0000000000680000-0x000000000068A000-memory.dmp
memory/3044-89-0x0000000000680000-0x000000000068A000-memory.dmp
memory/3044-92-0x00000000006A0000-0x00000000006AA000-memory.dmp
memory/3044-91-0x00000000006A0000-0x00000000006AA000-memory.dmp
memory/3044-93-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-94-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-95-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-96-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-97-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-98-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-100-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-101-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-102-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-103-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-104-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-105-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-107-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-108-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/2272-109-0x0000000001000000-0x000000000109D000-memory.dmp
memory/3044-110-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-111-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-112-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3040-114-0x00000000003E0000-0x0000000000422000-memory.dmp
memory/3044-115-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-116-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-117-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-118-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-119-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-120-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/1780-123-0x0000000000390000-0x00000000003D2000-memory.dmp
memory/3044-121-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-124-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-125-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-126-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-127-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-128-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-129-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/2208-131-0x0000000000BF0000-0x0000000000C32000-memory.dmp
memory/3044-132-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-133-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-134-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-135-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-136-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3040-138-0x00000000003A0000-0x00000000003E2000-memory.dmp
memory/3044-139-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-140-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-141-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-142-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-143-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-144-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-145-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/2440-147-0x0000000000890000-0x00000000008D2000-memory.dmp
memory/3044-148-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-149-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-150-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-151-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-152-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/1356-154-0x0000000000930000-0x0000000000972000-memory.dmp
memory/3044-155-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-156-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-157-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-158-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-159-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-160-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-161-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-163-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-164-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-165-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-166-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-167-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/680-169-0x0000000000EB0000-0x0000000000EF2000-memory.dmp
memory/3044-170-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-171-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-172-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/3044-173-0x0000000001350000-0x0000000004A40000-memory.dmp
memory/1068-192-0x0000000001340000-0x0000000001382000-memory.dmp
memory/2796-207-0x0000000000080000-0x00000000000C2000-memory.dmp
memory/960-215-0x0000000001080000-0x00000000010C2000-memory.dmp
memory/652-237-0x00000000002C0000-0x0000000000302000-memory.dmp
memory/1028-245-0x0000000001130000-0x0000000001172000-memory.dmp
memory/1728-267-0x00000000001D0000-0x0000000000212000-memory.dmp
memory/2908-275-0x0000000000DB0000-0x0000000000DF2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-18 14:40
Reported
2024-07-18 15:12
Platform
win10v2004-20240709-en
Max time kernel
1795s
Max time network
1796s
Command Line
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svсhost = "C:\\Users\\Admin\\AppData\\Roaming\\svсhost.exe" | C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe
"C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'shtorm_sb.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svсhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svсhost.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svсhost" /tr "C:\Users\Admin\AppData\Roaming\svсhost.exe"
C:\Users\Admin\AppData\Roaming\svсhost.exe
C:\Users\Admin\AppData\Roaming\svсhost.exe
(30 launches of the dropped copy by the scheduled task over the 30-minute run, one per minute, collapsed here)
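The process lists of behavioral1 and behavioral2 are the same chain four times over: Add-MpPreference exclusions for the original and the copy, a schtasks /create with /sc minute /mo 1 and /RL HIGHEST, and a look-alike svсhost.exe running from AppData\Roaming. The following detection logic, added here as an example and not output of the sandbox or code from the sample, runs over records constructed from those two sections and flags each step. The system-binary name list and the Cyrillic-to-Latin confusables table are partial tables of my own, the MITRE IDs in the comments are the standard ones for Defender tampering and scheduled tasks, and the dropped file's name is written with an explicit U+0441 to reproduce the spelling shown on this page.

```python
"""Flag the defence-evasion and persistence chain visible in the Processes
sections of behavioral1 and behavioral2.  Added example: it is not output of
the sandbox or code from the sample.  The records are constructed from the
report; the dropped file's name is written with an explicit U+0441 (Cyrillic
es) to reproduce the spelling shown on the page."""
import re
import unicodedata

LOOKALIKE = "sv\u0441host.exe"                  # renders as svсhost.exe
ROAMING_EXE = "C:\\Users\\Admin\\AppData\\Roaming\\" + LOOKALIKE
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed (image path, command line) pairs as printed in the report.
SAMPLE_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe"'),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
         r"'C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe'"),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '
         "'shtorm_sb.exe'"),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
         f"'{ROAMING_EXE}'"),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '
         f"'{LOOKALIKE}'"),
    (r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute '
     f'/mo 1 /tn "{LOOKALIKE[:-4]}" /tr "{ROAMING_EXE}"'),
    (ROAMING_EXE, ROAMING_EXE),
    (r"C:\Windows\system32\AUDIODG.EXE", r"C:\Windows\system32\AUDIODG.EXE 0x508"),
]

# Names of Windows system binaries that malware likes to borrow; the real
# ones live under C:\Windows.  Partial list, extend as needed.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "taskeng.exe"}
# Cyrillic letters that look like Latin ones (partial confusables table).
CONFUSABLES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def skeleton(name):
    """Fold known look-alike letters to ASCII so homoglyph names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).lower()


def non_ascii_chars(name):
    return [(ch, unicodedata.name(ch, "?")) for ch in name if not ch.isascii()]


def analyse(events):
    findings = []
    for image, cmdline in events:
        name, low = basename(image), cmdline.lower()
        # 1. Defender exclusions added from a command line (T1562.001).
        if "add-mppreference" in low and "-exclusion" in low:
            m = re.search(r"-exclusion(?:path|process|extension)\s+'([^']+)'",
                          cmdline, re.I)
            findings.append(("defender_exclusion", m.group(1) if m else cmdline))
        # 2. schtasks /create with minute repetition or highest run level (T1053.005).
        if name.lower() == "schtasks.exe" and "/create" in low and (
                "/sc minute" in low or "/rl highest" in low):
            tr = re.search(r'/tr\s+"([^"]+)"', cmdline, re.I)
            findings.append(("scheduled_task", tr.group(1) if tr else cmdline))
        # 3. A system-binary name running from outside C:\Windows, including
        #    names that only look like one once confusables are folded.
        if (skeleton(name) in SYSTEM_NAMES
                and not image.lower().startswith("c:\\windows\\")):
            kind = "homoglyph_name" if non_ascii_chars(name) else "masquerade_path"
            findings.append((kind, image))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_EVENTS):
        print(f"{kind:20} {detail}")
        if kind == "homoglyph_name":
            print("    non-ASCII:", non_ascii_chars(basename(detail)))
```

Run against the constructed records this yields four defender_exclusion findings, one scheduled_task pointing at the Roaming copy, and one homoglyph_name for the copy itself; the same name under C:\Windows\System32 produces nothing, which is the distinction a naive string match on "svchost" misses in both directions.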
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | close-material.gl.at.ply.gg | udp |
| US | 147.185.221.19:13244 | close-material.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.192.11.51.in-addr.arpa | udp |
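Both Network tables (behavioral1 and behavioral2) mix three things: resolver noise and reverse lookups the sandbox generates, Windows background traffic such as tse1.mm.bing.net, and the two rows that matter, an external-IP lookup against ip-api.com followed by a TCP session to a ply.gg tunnel host on an arbitrary high port. The triage below is an added example, not output of the sandbox; its rows are constructed from the tables above. The service and tunnel-suffix lists are small tables of my own (ply.gg hostnames belong to playit.gg; the ngrok and trycloudflare suffixes are other relays abused the same way), and treating bing.net traffic as unrelated background is an assumption about the sandbox image rather than something the report states.

```python
"""Triage the Network tables of behavioral1 and behavioral2: drop sandbox
noise, collect indicators, and check for the RAT start-up sequence of an
external-IP lookup followed by a check-in to a tunnelling service.  Added
example, not output of the sandbox; the rows are constructed from the report."""
from collections import defaultdict

# Constructed (country, destination, domain, proto) rows as printed in the report.
SAMPLE_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "ip-api.com", "udp"),
    ("US", "208.95.112.1:80", "ip-api.com", "tcp"),
    ("US", "8.8.8.8:53", "1.112.95.208.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "close-material.gl.at.ply.gg", "udp"),
    ("US", "147.185.221.19:13244", "close-material.gl.at.ply.gg", "tcp"),
    ("US", "147.185.221.19:13244", "close-material.gl.at.ply.gg", "tcp"),
    ("US", "8.8.8.8:53", "19.221.185.147.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
]

# Public "what is my IP" services RATs call at start-up (partial list).
IP_LOOKUP_SERVICES = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
# Hostnames handed out by tunnelling relays that hide the operator's own
# address; ply.gg is playit.gg.  Partial list.
TUNNEL_SUFFIXES = (".ply.gg", ".ngrok.io", ".ngrok-free.app", ".trycloudflare.com")
# Reverse lookups and OS background traffic (assumption: unrelated to the sample).
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.net")


def split_dest(dest):
    host, _, port = dest.rpartition(":")
    return host, int(port)


def classify(row):
    _, _, domain, _ = row
    d = domain.lower()
    if d.endswith(BACKGROUND_SUFFIXES):
        return "background"
    if d in IP_LOOKUP_SERVICES:
        return "ip_lookup"
    if d.endswith(TUNNEL_SUFFIXES):
        return "tunnel"
    return "other"


def triage(rows):
    """Return ({kind: sorted indicators}, sequenced) where sequenced is True
    when the first interesting kind is the IP lookup and the second the tunnel,
    i.e. the order a RAT exhibits when it fingerprints the host before check-in."""
    iocs = defaultdict(set)
    order = []
    for row in rows:
        kind = classify(row)
        if kind not in ("ip_lookup", "tunnel"):
            continue
        _, dest, domain, proto = row
        iocs[kind].add(domain.lower())
        if proto == "tcp":          # the udp row only names the resolver, not the peer
            iocs[kind].add(dest)
        if kind not in order:
            order.append(kind)
    return {k: sorted(v) for k, v in iocs.items()}, order == ["ip_lookup", "tunnel"]


def tunnel_ports(rows):
    """TCP ports used toward tunnel hosts; relays assign arbitrary high ports,
    so the port itself is a weak indicator and the hostname is the strong one."""
    return sorted({split_dest(r[1])[1] for r in rows
                   if classify(r) == "tunnel" and r[3] == "tcp"})


if __name__ == "__main__":
    iocs, sequenced = triage(SAMPLE_ROWS)
    print("indicators:", iocs)
    print("lookup-then-tunnel sequence:", sequenced)
    print("tunnel ports:", tunnel_ports(SAMPLE_ROWS))
```

On the rows above this leaves exactly two indicator groups, ip-api.com with 208.95.112.1:80 and close-material.gl.at.ply.gg with 147.185.221.19:13244, reports the lookup-then-tunnel sequence as present, and discards the eleven reverse-lookup and bing.net rows that pad the Windows 10 table.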
Files
memory/3512-0-0x0000000000940000-0x0000000000982000-memory.dmp
memory/3512-1-0x00007FFE20033000-0x00007FFE20035000-memory.dmp
memory/3512-2-0x00007FFE20030000-0x00007FFE20AF1000-memory.dmp
memory/1560-8-0x000001B0DAA50000-0x000001B0DAA72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_waiyrzdy.hfp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1560-9-0x00007FFE20030000-0x00007FFE20AF1000-memory.dmp
memory/1560-14-0x00007FFE20030000-0x00007FFE20AF1000-memory.dmp
memory/1560-15-0x00007FFE20030000-0x00007FFE20AF1000-memory.dmp
memory/1560-18-0x00007FFE20030000-0x00007FFE20AF1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34f595487e6bfd1d11c7de88ee50356a |
| SHA1 | 4caad088c15766cc0fa1f42009260e9a02f953bb |
| SHA256 | 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d |
| SHA512 | 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb1ad317bd25b55b2bbdce8a28a74a94 |
| SHA1 | 98a3978be4d10d62e7411946474579ee5bdc5ea6 |
| SHA256 | 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98 |
| SHA512 | d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0 |
memory/3512-54-0x00007FFE20033000-0x00007FFE20035000-memory.dmp
memory/3512-55-0x00007FFE20030000-0x00007FFE20AF1000-memory.dmp
C:\Users\Admin\AppData\Roaming\svсhost.exe
| MD5 | 2faf13feda202796051c439b5abd8d48 |
| SHA1 | 5c2d1f4be4f7dcef2f5577a15ea3f31c59ddbe8b |
| SHA256 | cde6b414622136dd14a5a025f6d8fe2313c36a347086fceb168b5dff1a6c288b |
| SHA512 | dd46a3f553ff3bf0a39b8f4132d1053ac1758b2befb8a1b096455bd7812f2bcaf29fc9dcf00ef0bb972b4c27e47cc2b347f3fe4e58bab7708be1855fd7bdf2b9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svсhost.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |