Analysis Overview
SHA256
c3673d01d7ccd2a3c7735b8b00b050f731e73af3feb6e5b14bf3689bf89b884c
Threat Level: Known bad
The file 3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe (Thai; roughly "3. Delete run history, can go straight onto the customer's PC") was classified as: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Xworm family
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-29 22:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 22:03
Reported
2024-10-29 22:04
Platform
win10ltsc2021-20241023-en
Max time kernel
30s
Max time network
6s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe
"C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.bat" "
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\mode.com
mode 103,5
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\mode.com
mode 120,17
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 4.245.163.56:443 | N/A | tcp |
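The process tree and network table above translate directly into host-based detections: an svchost.exe that runs from anywhere but System32/SysWOW64, an executable launched from %AppData%\Roaming, the cmd.exe "prompt #$H#$E# & echo on" launcher line, and a DNS query for ip-api.com (a weak indicator on its own, since legitimate software also uses that service, but strong when it comes from a masquerading svchost.exe). The script below is an added example, not part of the sandbox report or of any vendor tooling; the event lines it reads are constructed for this example in a JSON-lines format that only mimics Sysmon-style fields, and the paths and command lines are copied from the report above.

```python
"""Detection rules derived from the behavioural report, run over constructed sample events."""
import json
import ntpath

# Constructed sample telemetry (not real logs): one JSON object per line, with
# Sysmon-like field names. Paths and command lines mirror the report above;
# the System32 svchost.exe and firefox.exe lines are benign decoys.
SAMPLE_LOG = r"""
{"Type":"ProcessCreate","Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe","CommandLine":"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe\""}
{"Type":"ProcessCreate","Image":"C:\\Windows\\system32\\cmd.exe","CommandLine":"C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Admin\\AppData\\Roaming\\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.bat\" \""}
{"Type":"ProcessCreate","Image":"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe","CommandLine":"\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""}
{"Type":"ProcessCreate","Image":"C:\\Windows\\system32\\cmd.exe","CommandLine":"C:\\Windows\\system32\\cmd.exe /c \"prompt #$H#$E# & echo on & for %b in (1) do rem\""}
{"Type":"ProcessCreate","Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"C:\\Windows\\System32\\svchost.exe -k netsvcs -p"}
{"Type":"DnsQuery","Image":"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe","QueryName":"ip-api.com"}
{"Type":"DnsQuery","Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","QueryName":"example.org"}
"""

# Only these directories may legitimately host svchost.exe (compared case-insensitively).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def parse_events(log_text):
    """Yield one dict per non-blank JSON line."""
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def rule_svchost_masquerade(ev):
    """svchost.exe whose (normalised) directory is not System32/SysWOW64.
    normpath collapses '..' tricks such as System32\\..\\..\\Users\\...; the exact
    directory comparison avoids matching e.g. C:\\Windows\\System32Evil."""
    img = ntpath.normpath(ev.get("Image", ""))
    if ntpath.basename(img).lower() != "svchost.exe":
        return False
    return ntpath.dirname(img).lower() not in SYSTEM_DIRS


def rule_exec_from_roaming(ev):
    """Any process created from an .exe under \\AppData\\Roaming\\ (the dropped payload location)."""
    img = ntpath.normpath(ev.get("Image", "")).lower()
    return ev.get("Type") == "ProcessCreate" and "\\appdata\\roaming\\" in img and img.endswith(".exe")


def rule_cmd_echo_on_trick(ev):
    """The cmd.exe launcher line seen in the report: prompt #$H#$E# combined with echo on."""
    cl = ev.get("CommandLine", "").lower()
    return "prompt #$h#$e#" in cl and "echo on" in cl


def rule_ipapi_lookup(ev):
    """DNS query for ip-api.com, the external-IP web service contacted by the sample."""
    q = ev.get("QueryName", "").lower()
    return ev.get("Type") == "DnsQuery" and (q == "ip-api.com" or q.endswith(".ip-api.com"))


RULES = {
    "svchost_masquerade": rule_svchost_masquerade,
    "exec_from_roaming": rule_exec_from_roaming,
    "cmd_echo_on_trick": rule_cmd_echo_on_trick,
    "ipapi_lookup": rule_ipapi_lookup,
}


def run_detections(log_text):
    """Return a list of (rule_name, image) pairs for every rule that fires on every event."""
    hits = []
    for ev in parse_events(log_text):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("Image", "")))
    return hits


if __name__ == "__main__":
    for name, image in run_detections(SAMPLE_LOG):
        print(f"{name:20s} {image}")
```

Running it flags the Roaming svchost.exe twice (masquerade plus execution location), the cmd.exe launcher line, and the ip-api.com lookup, while the genuine System32 svchost.exe and the browser DNS query pass. In production the ip-api.com rule should be scored rather than alerted on alone, and the masquerade rule should additionally be paired with a signature check, since the report shows the payload is an unsigned PE.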
Files
memory/3020-0-0x00007FFA346C3000-0x00007FFA346C5000-memory.dmp
memory/3020-1-0x0000000000480000-0x000000000049C000-memory.dmp
C:\Users\Admin\AppData\Roaming\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.bat
| MD5 | 1a29286ae9d746284b195a34811f5e89 |
| SHA1 | 2418da95e35c84e8b922cd6c525463bab7e43a06 |
| SHA256 | 061d3b55f7cfd4bd35e48768fb993a1444d5ed4990cda5ef813220715325f630 |
| SHA512 | 370288124edecdfb611d65b93f2ed9c0205299653a0819d351b226a595c4a4fda636c50444d3bac2c43c4678119cf53b7c9e5d1bc69f16452be16eb720b90c07 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | ae702d156a2ee10aa0df4e5a365654a1 |
| SHA1 | bad92787d53da53bda2f180f770752e679ba80c0 |
| SHA256 | 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716 |
| SHA512 | 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c |
memory/4876-23-0x0000000000CA0000-0x0000000000CB8000-memory.dmp
memory/4876-25-0x00007FFA346C0000-0x00007FFA35182000-memory.dmp
memory/4876-26-0x00007FFA346C0000-0x00007FFA35182000-memory.dmp