Analysis
max time kernel: 70s
max time network: 20s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 13/10/2023, 02:29
Behavioral task: behavioral1
Sample: XWorm V5.0.exe
Resource: win7-20230831-en
General
Target: XWorm V5.0.exe
Size: 11.2MB
MD5: 3167d13d705dce86c4cd6b9765e220aa
SHA1: ec50d9b045753173f9f6aa18af5c684a619fd616
SHA256: 9836b324a9a693050de20893b9ec1f6bd9c7d9b03eaf21112947cb82183c2016
SHA512: 88e59013ca52f9e62975d16d2085e90a0fceffc8de1f0d7aed0bff589a09720cce8e24c147edeeada4af5d5319f5ac5df5a686b21fa1f41bdd3ffab1bc54a3d4
SSDEEP: 196608:359nhcOWSxxgQHl2np1eY5J5itQaZWtU8i/MJYR:3RRWQBQnpji1W+8i/T
Malware Config
Signatures
Detect Xworm Payload (1 IoC)
  resource: behavioral1/memory/2204-9-0x0000000000400000-0x0000000000F40000-memory.dmp
  yara_rule: family_xworm
Executes dropped EXE (1 IoC)
  pid 1616  Client.exe
Loads dropped DLL (2 IoCs)
  pid 2204  XWorm V5.0.exe
  pid 2204  XWorm V5.0.exe
Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource: behavioral1/memory/2204-9-0x0000000000400000-0x0000000000F40000-memory.dmp
  yara_rule: agile_net
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process         procid_target
  PID 2204 wrote to memory of 1616  2204  XWorm V5.0.exe  29
  PID 2204 wrote to memory of 1616  2204  XWorm V5.0.exe  29
  PID 2204 wrote to memory of 1616  2204  XWorm V5.0.exe  29
  PID 2204 wrote to memory of 1616  2204  XWorm V5.0.exe  29
Processes
[1] C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe"
    PID: 2204
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Client.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      PID: 1616
      Executes dropped EXE
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID: 2624
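The process tree and the WriteProcessMemory signature together describe one chain: the submitted sample starts a dropped Client.exe from the same Temp directory, writes into that child's memory four times, and the child in turn launches the .NET AppLaunch.exe host. The script below is an added example and not the sandbox's own detection logic; it rebuilds the tree from the report's rows (transcribed here as constructed input) and applies three heuristics of mine to flag that pattern. The FRAMEWORK_HOSTS list, the finding names and the "parent runs from AppData" test are my assumptions; the report records the AppLaunch.exe launch but attaches no signature to it.

```python
"""Rebuild a sandbox process tree and flag a drop-execute-inject chain.

Added example, not the sandbox's own detection logic. The PROCESS_TREE and
WRITE_EVENTS rows are transcribed from this report; the heuristics, the
FRAMEWORK_HOSTS list and the finding names are my own assumptions.
"""
from collections import Counter
from pathlib import PureWindowsPath

# (pid, parent pid, image path), transcribed from the report's Processes section.
PROCESS_TREE = [
    (2204, None, r"C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe"),
    (1616, 2204, r"C:\Users\Admin\AppData\Local\Temp\Client.exe"),
    (2624, 1616, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"),
]

# (writer pid, target pid): the four WriteProcessMemory rows from the report.
WRITE_EVENTS = [(2204, 1616)] * 4

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe"

# Assumption: signed .NET framework hosts that are often started only to
# receive injected code. The report records the AppLaunch.exe launch but
# attaches no signature to it, so this list is mine, not the sandbox's.
FRAMEWORK_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe",
                   "msbuild.exe", "installutil.exe"}


def build_tree(entries):
    """Map pid -> (parent pid, image) for O(1) parent lookups."""
    return {pid: (ppid, image) for pid, ppid, image in entries}


def ancestry(tree, pid):
    """Walk parent links to the root: [pid, parent, grandparent, ...]."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = tree[pid][0]
    return chain


def find_dropped_exe_launches(tree, sample_path):
    """Executables started from the sample's own directory other than the sample."""
    sample = PureWindowsPath(sample_path)
    return [
        {"pid": pid, "parent": ppid, "image": image}
        for pid, (ppid, image) in tree.items()
        if PureWindowsPath(image).parent == sample.parent
        and PureWindowsPath(image).name.lower() != sample.name.lower()
    ]


def find_cross_process_writes(tree, events):
    """Collapse repeated rows; note when the target is the writer's own child."""
    findings = []
    for (writer, target), count in Counter(events).items():
        if writer == target:
            continue  # a process writing its own memory is not cross-process
        target_parent = tree.get(target, (None, None))[0]
        findings.append({"writer": writer, "target": target, "count": count,
                         "target_is_child": target_parent == writer})
    return findings


def find_framework_host_spawns(tree):
    """Framework hosts whose parent runs from a user profile path (AppData)."""
    hits = []
    for pid, (ppid, image) in tree.items():
        if PureWindowsPath(image).name.lower() not in FRAMEWORK_HOSTS:
            continue
        parent_image = tree.get(ppid, (None, ""))[1]
        if "\\appdata\\" in parent_image.lower():
            hits.append({"pid": pid, "parent": ppid, "parent_image": parent_image})
    return hits


def chain_string(tree, pid):
    """Root-to-leaf image names, e.g. 'XWorm V5.0.exe > Client.exe > AppLaunch.exe'."""
    return " > ".join(PureWindowsPath(tree[p][1]).name
                      for p in reversed(ancestry(tree, pid)))


if __name__ == "__main__":
    tree = build_tree(PROCESS_TREE)
    for h in find_dropped_exe_launches(tree, SAMPLE_PATH):
        print(f"dropped EXE executed: pid {h['pid']} {h['image']} (parent {h['parent']})")
    for w in find_cross_process_writes(tree, WRITE_EVENTS):
        kind = "parent -> child" if w["target_is_child"] else "unrelated process"
        print(f"cross-process write: {w['writer']} -> {w['target']} x{w['count']} ({kind})")
    for h in find_framework_host_spawns(tree):
        print(f"framework host from AppData parent: pid {h['pid']} <- {h['parent_image']}")
    print("chain:", chain_string(tree, 2624))
```

Run against the transcribed rows, the script reports Client.exe as a dropped executable started by the sample, the four WriteProcessMemory calls collapsed into one parent-to-child finding, and AppLaunch.exe as a framework host spawned by a binary in AppData. The same functions accept any (pid, parent, image) and (writer, target) lists pulled from a different report or from Sysmon event IDs 1 and 8/10, which is the point of keeping the data and the heuristics separate.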
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 672KB
MD5: dbf35eac1c87ed287c8f7cba33d133b5
SHA1: d1dbfba561f8112e5099507a18cd9465b4fcb577
SHA256: 16094ff7a11c1960da481a9e106676fd94902e64c5625549493dca97bde72fcd
SHA512: c4b2112773036d89ffb1faa44ce00e1ae5bb586c7bfc3219549f32adaf74e545687ebe4682db789cf4600dcbc38d0545dfec171d92d15244cb7234736ec5b532
(this entry is listed four times in the report with identical size and hashes)