Analysis Overview
SHA256
7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25
Threat Level: Known bad
The file 7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25 was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Xworm family
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Drops startup file
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 23:35
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 23:35
Reported
2024-11-13 23:38
Platform
win10v2004-20241007-en
Max time kernel
132s
Max time network
148s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smartscreen.lnk | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smartscreen.lnk | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe
"C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\smartscreen.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'smartscreen.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| SG | 146.190.110.91:3389 | tcp | |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| SG | 146.190.110.91:3389 | tcp | |
| SG | 146.190.110.91:3389 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| SG | 146.190.110.91:3389 | tcp | |
| SG | 146.190.110.91:3389 | tcp |
Files
memory/3908-0-0x00007FFA0AAB3000-0x00007FFA0AAB5000-memory.dmp
memory/3908-1-0x0000000000BD0000-0x0000000000BE6000-memory.dmp
memory/4344-7-0x000001CFBCB50000-0x000001CFBCB72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hytmrle.gxu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4344-12-0x00007FFA0AAB0000-0x00007FFA0B571000-memory.dmp
memory/4344-13-0x00007FFA0AAB0000-0x00007FFA0B571000-memory.dmp
memory/4344-14-0x00007FFA0AAB0000-0x00007FFA0B571000-memory.dmp
memory/4344-15-0x00007FFA0AAB0000-0x00007FFA0B571000-memory.dmp
memory/4344-18-0x00007FFA0AAB0000-0x00007FFA0B571000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ef72c47dbfaae0b9b0d09f22ad4afe20 |
| SHA1 | 5357f66ba69b89440b99d4273b74221670129338 |
| SHA256 | 692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f |
| SHA512 | 7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b51dc9e5ec3c97f72b4ca9488bbb4462 |
| SHA1 | 5c1e8c0b728cd124edcacefb399bbd5e25b21bd3 |
| SHA256 | 976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db |
| SHA512 | 0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280 |
memory/3908-57-0x00007FFA0AAB0000-0x00007FFA0B571000-memory.dmp
memory/3908-58-0x00007FFA0AAB0000-0x00007FFA0B571000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 23:35
Reported
2024-11-13 23:38
Platform
win7-20240903-en
Max time kernel
127s
Max time network
137s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smartscreen.lnk | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smartscreen.lnk | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe
"C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7a8fe7d881adece62bb6057d8306d8a0d417a810a81882149587958bbf39ff25.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\smartscreen.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'smartscreen.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| SG | 146.190.110.91:3389 | tcp | |
| SG | 146.190.110.91:3389 | tcp | |
| SG | 146.190.110.91:3389 | tcp | |
| SG | 146.190.110.91:3389 | tcp | |
| SG | 146.190.110.91:3389 | tcp |
Files
memory/540-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmp
memory/540-1-0x00000000012F0000-0x0000000001306000-memory.dmp
memory/2060-6-0x0000000002AA0000-0x0000000002B20000-memory.dmp
memory/2060-7-0x000000001B490000-0x000000001B772000-memory.dmp
memory/2060-8-0x0000000001FF0000-0x0000000001FF8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | f213568b0afd3a3a3ccb4a25491c9c93 |
| SHA1 | 29e9ebcd728bfba2c80717274f847528630e91cb |
| SHA256 | abcec55df439269c58860f247b31d3f49313e5feb44ecdeb1a7227a5c9a82a25 |
| SHA512 | e52b3032f7a3b193987817ee8cdc3ea3d9e8bbc260b7d583010ac42008a54eb26a8a6eac6803108e7b5a35b04f5f1fb2fb04c6cb15243c9c64bb2496ed711091 |
memory/3024-15-0x0000000002A10000-0x0000000002A18000-memory.dmp
memory/3024-14-0x000000001B620000-0x000000001B902000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/540-31-0x000000001B110000-0x000000001B190000-memory.dmp
memory/540-32-0x000007FEF5623000-0x000007FEF5624000-memory.dmp
memory/540-33-0x000000001B110000-0x000000001B190000-memory.dmp