Resubmissions
18-05-2023 14:39
230518-r1pw4abe8s 7
Analysis
max time kernel: 26s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2023 14:39
Behavioral task
behavioral1
Sample
XWorm V4.1.exe
Resource
win7-20230220-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
XWorm V4.1.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
2 signatures
150 seconds
General
Target: XWorm V4.1.exe
Size: 16.1MB
MD5: ed4b2bfaab042b706f8033b911c2c662
SHA1: 1a6e90f8617bc9ed856a0bf261c36f15dc8f8f60
SHA256: 53c1ef69f9babde3d2dbd822edc3cf33de4bb7e9bb8d21e418a386edb5694b54
SHA512: ee8db1a2b5a0d81cda1ac766827d3defd5ed699c5e0b74777de922e64ab2b9e43f91ecbe6a449e5fcd62160f0909a3a0ed6b1bdf70f72d7ba6fe941b54009fd8
SSDEEP: 196608:1YYSTFTqtzJ3jwi+mF4yxIdLH1ETeyXknzFW66S/gIxzqWDbDn:9yLL1ETeVWSmWDbDn
Score: 7/10
Malware Config
Signatures
Obfuscated with Agile.Net obfuscator (1 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource: behavioral1/memory/860-54-0x0000000000DC0000-0x0000000001DDE000-memory.dmp
yara_rule: agile_net
Program crash (1 IoCs)
Processes: WerFault.exe
pid: 928; pid_target: 860; process: WerFault.exe; target process: XWorm V4.1.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: XWorm V4.1.exe
description: PID 860 wrote to memory of 928; pid: 860; process: XWorm V4.1.exe; target process: WerFault.exe
description: PID 860 wrote to memory of 928; pid: 860; process: XWorm V4.1.exe; target process: WerFault.exe
description: PID 860 wrote to memory of 928; pid: 860; process: XWorm V4.1.exe; target process: WerFault.exe
Processes
Network
MITRE ATT&CK Matrix
Downloads
memory/860-54-0x0000000000DC0000-0x0000000001DDE000-memory.dmp
Filesize: 16.1MB