53c1ef69f9babde3d2dbd822edc3cf33de4bb7e9bb8d21e418a386edb5694b54

Resubmissions

18-05-2023 14:39

max time kernel
26s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-05-2023 14:39

Target

XWorm V4.1.exe
Size

16.1MB
MD5

ed4b2bfaab042b706f8033b911c2c662
SHA1

1a6e90f8617bc9ed856a0bf261c36f15dc8f8f60
SHA256

53c1ef69f9babde3d2dbd822edc3cf33de4bb7e9bb8d21e418a386edb5694b54
SHA512

ee8db1a2b5a0d81cda1ac766827d3defd5ed699c5e0b74777de922e64ab2b9e43f91ecbe6a449e5fcd62160f0909a3a0ed6b1bdf70f72d7ba6fe941b54009fd8
SSDEEP

196608:1YYSTFTqtzJ3jwi+mF4yxIdLH1ETeyXknzFW66S/gIxzqWDbDn:9yLL1ETeVWSmWDbDn

Score

7^/10

agilenet

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

Processes:

resource	yara_rule
behavioral1/memory/860-54-0x0000000000DC0000-0x0000000001DDE000-memory.dmp	agile_net

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

928 860 WerFault.exe XWorm V4.1.exe

pid	pid_target	process	target process
928	860	WerFault.exe	XWorm V4.1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

XWorm V4.1.exe

description	pid	process	target process
PID 860 wrote to memory of 928	860	XWorm V4.1.exe	WerFault.exe
PID 860 wrote to memory of 928	860	XWorm V4.1.exe	WerFault.exe
PID 860 wrote to memory of 928	860	XWorm V4.1.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\XWorm V4.1.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V4.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 860 -s 536
2⤵
- Program crash
PID:928

memory/860-54-0x0000000000DC0000-0x0000000001DDE000-memory.dmp

Filesize
16.1MB

Download