Analysis Overview
SHA256
ae6f59d14ce7584e9dccf8e88f540fac601d92d35c6e6b0013f4e6682d08e7e5
Threat Level: Known bad
The file ae6f59d14ce7584e9dccf8e88f540fac601d92d35c6e6b0013f4e6682d08e7e5 was found to be: Known bad.
Malicious Activity Summary
LatentBot
Latentbot family
StormKitty payload
StormKitty
Detect Xworm Payload
Xworm
Xworm family
Stormkitty family
Suspicious use of SetThreadContext
Program crash
Browser Information Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 00:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 00:07
Reported
2024-11-07 00:10
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
161s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
LatentBot
Latentbot family
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Stormkitty family
Xworm
Xworm family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4136 set thread context of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER DRAWING AND PHOTOS.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Browser Information Discovery
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ORDER DRAWING AND PHOTOS.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER DRAWING AND PHOTOS.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 800 -ip 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 1568
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | weidmachane.zapto.org | udp |
| BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp |
| US | 8.8.8.8:53 | 131.113.120.87.in-addr.arpa | udp |
| BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
Files
memory/4136-0-0x00007FFB27EC3000-0x00007FFB27EC5000-memory.dmp
memory/4136-1-0x000002AF7DE70000-0x000002AF7DE76000-memory.dmp
memory/4136-2-0x000002AF18390000-0x000002AF183F2000-memory.dmp
memory/4136-3-0x00007FFB27EC0000-0x00007FFB28981000-memory.dmp
memory/800-4-0x0000000000400000-0x000000000040E000-memory.dmp
memory/800-5-0x000000007523E000-0x000000007523F000-memory.dmp
memory/4136-6-0x00007FFB27EC0000-0x00007FFB28981000-memory.dmp
memory/800-7-0x0000000005900000-0x000000000599C000-memory.dmp
memory/800-8-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/800-9-0x000000007523E000-0x000000007523F000-memory.dmp
memory/800-10-0x0000000006050000-0x00000000060B6000-memory.dmp
memory/800-11-0x0000000006C90000-0x0000000006D22000-memory.dmp
memory/800-12-0x00000000072E0000-0x0000000007884000-memory.dmp
memory/800-13-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/800-14-0x0000000006AD0000-0x0000000006BF0000-memory.dmp
memory/800-15-0x0000000006D30000-0x0000000007084000-memory.dmp
memory/800-16-0x00000000070D0000-0x000000000711C000-memory.dmp
memory/800-55-0x0000000075230000-0x00000000759E0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 00:07
Reported
2024-11-07 00:10
Platform
win7-20240903-en
Max time kernel
122s
Max time network
149s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LatentBot
Latentbot family
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Stormkitty family
Xworm
Xworm family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1832 set thread context of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER DRAWING AND PHOTOS.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ORDER DRAWING AND PHOTOS.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER DRAWING AND PHOTOS.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1832 -s 616
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | weidmachane.zapto.org | udp |
| BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp |
| BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp |
| BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp |
Files
memory/2412-14-0x0000000074C0E000-0x0000000074C0F000-memory.dmp
memory/2412-13-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2412-11-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2412-9-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2412-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2412-7-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2412-6-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2412-5-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2412-4-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1832-3-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp
memory/1832-2-0x0000000000680000-0x00000000006E2000-memory.dmp
memory/1832-1-0x0000000001150000-0x0000000001156000-memory.dmp
memory/1832-0-0x000007FEF6523000-0x000007FEF6524000-memory.dmp
memory/1832-15-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp
memory/2412-16-0x0000000074C00000-0x00000000752EE000-memory.dmp
memory/2412-17-0x0000000074C0E000-0x0000000074C0F000-memory.dmp
memory/2412-18-0x0000000074C00000-0x00000000752EE000-memory.dmp
memory/2412-19-0x0000000005D20000-0x0000000005E40000-memory.dmp
memory/2412-43-0x0000000004FE0000-0x0000000004FEE000-memory.dmp
memory/2412-44-0x00000000080A0000-0x00000000083F0000-memory.dmp