Analysis Overview
SHA256
1f03986d28f33070e9d13e9337f8a1f84b1e4c3cb02db0613b7f3ca4c0aa02b5
Threat Level: Known bad
The file DisconnectLoader.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm family
Xworm
Command and Scripting Interpreter: PowerShell
Drops startup file
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-29 22:55
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 22:55
Reported
2024-10-29 22:55
Platform
win10ltsc2021-20241023-en
Max time kernel
20s
Max time network
22s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DisconnectLoader.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DisconnectCheats.lnk | C:\Users\Admin\AppData\Local\Temp\DisconnectLoader.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DisconnectCheats.lnk | C:\Users\Admin\AppData\Local\Temp\DisconnectLoader.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DisconnectLoader.exe
"C:\Users\Admin\AppData\Local\Temp\DisconnectLoader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DisconnectLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DisconnectLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\DisconnectCheats'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DisconnectCheats'
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dane1c-58098.portmap.host | udp |
| DE | 193.161.193.99:58098 | dane1c-58098.portmap.host | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
Files
memory/2748-0-0x00007FFFC44C3000-0x00007FFFC44C5000-memory.dmp
memory/2748-1-0x0000000000430000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jqrlajfo.4hd.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| Hash | Value |
|---|---|
| MD5 | 3eb3833f769dd890afc295b977eab4b4 |
| SHA1 | e857649b037939602c72ad003e5d3698695f436f |
| SHA256 | c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485 |
| SHA512 | c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
|---|---|
| MD5 | 60b3262c3163ee3d466199160b9ed07d |
| SHA1 | 994ece4ea4e61de0be2fdd580f87e3415f9e1ff6 |
| SHA256 | e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb |
| SHA512 | 081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af |
memory/4136-32-0x0000026C65E40000-0x0000026C6605D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
|---|---|
| MD5 | becf00b8822243d7ad41ee23eb4b1e03 |
| SHA1 | 870dda32552f2ca6eaee65e9137575a747333be2 |
| SHA256 | 99d37b5d8d26ef278b47e18b7387df39e4b5af984c0a5f654e1f7a1d6ff65732 |
| SHA512 | 8a001354ac0b6d4f59f386cdece44218bb47678f74278e90d02443f13ab706fc98a8ac51ac4698f3b4135dc9ac1f36a24dd0648c5453b53fe3cb0c29640503f2 |
memory/2168-44-0x000001A1F5970000-0x000001A1F5B8D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
|---|---|
| MD5 | 9369c43c8a53001f4ed6cba1d86a7129 |
| SHA1 | 6e5d12b3f50640b3e3839462a92c3a13491ca9f8 |
| SHA256 | 167717e456d884560eeb5fafa95e686b27ac84b5c4c77f1d73f66ccd08362b28 |
| SHA512 | 8161471d75088be99a6f66845e9d73aaca4c86b6b6132f3257f337920ada6d4c1a4f965ed9796a11452cd365ca5b052a948a53bf7dcad213688ab524bb5b5fc2 |