Analysis Overview
| SHA256 | bd749917837b3e6a48c15277cb0d5b39fd0c89e4f52be26a72e30b11816fc895 |
| Threat Level | Known bad |
The file SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Xworm family
Stormkitty family
StormKitty payload
StormKitty
Latentbot family
LatentBot
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-06 13:00 |
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-06 13:00 |
| Reported | 2024-11-06 13:02 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 93s |
| Max time network | 137s |
Command Line
Signatures
Detect Xworm Payload
LatentBot
Latentbot family
StormKitty
StormKitty payload
Stormkitty family
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2360 set thread context of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DxVTeXwK.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DxVTeXwK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3505.tmp" |
| C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2820 -ip 2820 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1648 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | weidmachane.zapto.org | udp |
| BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp |
| US | 8.8.8.8:53 | 131.113.120.87.in-addr.arpa | udp |
| BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp |
| BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp3505.tmp
| MD5 | d4c9675f6f3f53daa0f0120ddbad80f8 |
| SHA1 | 0728c4bc15df65bb7b295e1a7341e1f648f3fdc9 |
| SHA256 | 7032666b4012d311186e002a9207c531e863d3dc2268be23bc286972132805cd |
| SHA512 | 350eb895b5776d80081c488a0fed7f78adef364d6b0775f02442c8f0e680d4576c728dad41852370b24cc55d15cb0c5413bafb75b7a248d43d70c9fa6ba2e11d |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ltqxzeoo.pq3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f7e4298cceba8ee92a5c09d9a9df079d |
| SHA1 | 3d200a4663a2aaa9ec99a9480c3c9ec963c79b5d |
| SHA256 | a683d8b1362193b4732fcf82d9fd97dd7f4245568d8a6c2356b4359aa906fd98 |
| SHA512 | e8810169af7006379b799e00b6ae9ad2a4a0fbcffb662c637f216bf656546e76c4eeac31fc811bf348ddbdaf967a98ff9b4db0f599bdf1f4122573d71b418066 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-11-06 13:00 |
| Reported | 2024-11-06 13:02 |
| Platform | win7-20240903-en |
| Max time kernel | 122s |
| Max time network | 137s |
Command Line
Signatures
Detect Xworm Payload
LatentBot
Latentbot family
StormKitty
StormKitty payload
Stormkitty family
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1480 set thread context of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DxVTeXwK.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DxVTeXwK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B19.tmp" |
| C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | weidmachane.zapto.org | udp |
| BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp |
| BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp |
| BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | b90631edc365051a24e9da4a3c8a5b98 |
| SHA1 | 5188b5a37a8b1c7cbbc4d680dea081ae72b2ec6c |
| SHA256 | 87d74a440b5a5cec51438bceeba9f98c72508188284d204efc59ec845fd78eb7 |
| SHA512 | 48431f27a1250f5cf7bd8733888d52538437193627fcc84da34292d5b26216158becf27502b4e2542ea6661f2c131d2d63364846e29c61ede77331a708d470b2 |
C:\Users\Admin\AppData\Local\Temp\tmp7B19.tmp
| MD5 | 43cde4b1bc08ca653fa9e9f5a25d014b |
| SHA1 | d70e87530f97434687304f1a14770ae032b1fe8e |
| SHA256 | 0d8c983bbb1593f871f21c6316b5b1825d56533da27ea7ba3a1969d52a3d2f39 |
| SHA512 | 52fc4b4efeabc47945962b3e9f75a3604077a9109d84d52988ec5263e81c007bc263ffc5232bea31dd440838f9c1a4157f3fd79ab2aeecb92a93f8627024c1a0 |