Analysis
max time kernel: 62s
max time network: 71s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2023, 16:58
General
Target: XWorm V5.0.exe
Size: 11.2MB
MD5: 3167d13d705dce86c4cd6b9765e220aa
SHA1: ec50d9b045753173f9f6aa18af5c684a619fd616
SHA256: 9836b324a9a693050de20893b9ec1f6bd9c7d9b03eaf21112947cb82183c2016
SHA512: 88e59013ca52f9e62975d16d2085e90a0fceffc8de1f0d7aed0bff589a09720cce8e24c147edeeada4af5d5319f5ac5df5a686b21fa1f41bdd3ffab1bc54a3d4
SSDEEP: 196608:359nhcOWSxxgQHl2np1eY5J5itQaZWtU8i/MJYR:3RRWQBQnpji1W+8i/T
Malware Config
Signatures

Detect Xworm Payload (1 IoC)
  yara_rule  behavioral1/memory/1996-7-0x0000000000400000-0x0000000000F40000-memory.dmp  family_xworm

Detect rhadamanthys stealer shellcode (5 IoCs)
  yara_rule  behavioral1/memory/3180-14-0x0000000003050000-0x0000000003450000-memory.dmp  family_rhadamanthys
  yara_rule  behavioral1/memory/3180-16-0x0000000003050000-0x0000000003450000-memory.dmp  family_rhadamanthys
  yara_rule  behavioral1/memory/3180-15-0x0000000003050000-0x0000000003450000-memory.dmp  family_rhadamanthys
  yara_rule  behavioral1/memory/3180-17-0x0000000003050000-0x0000000003450000-memory.dmp  family_rhadamanthys
  yara_rule  behavioral1/memory/3180-19-0x0000000003050000-0x0000000003450000-memory.dmp  family_rhadamanthys

Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely as a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation  XWorm V5.0.exe

Executes dropped EXE (1 IoC)
  PID 4188  Client.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
  yara_rule  behavioral1/memory/1996-7-0x0000000000400000-0x0000000000F40000-memory.dmp  agile_net

Suspicious use of SetThreadContext (1 IoC)
  PID 4188 set thread context of 3180  (pid 4188, Client.exe, procid_target 88)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 232 WerFault.exe  (pid_target 4188, procid_target 83)

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
  Key queried        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
  Key enumerated     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  AppLaunch.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3180  AppLaunch.exe
  PID 3180  AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeShutdownPrivilege        PID 3180  AppLaunch.exe
  Token: SeCreatePagefilePrivilege  PID 3180  AppLaunch.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1996 wrote to memory of 4188  (pid 1996, XWorm V5.0.exe, procid_target 83)  x3
  PID 4188 wrote to memory of 480   (pid 4188, Client.exe, procid_target 87)  x3
  PID 4188 wrote to memory of 3180  (pid 4188, Client.exe, procid_target 88)  x8
Processes

C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe  (PID 1996)
  command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Client.exe  (PID 4188)
    command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 480)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 3180)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe  (PID 232)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 284
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 5100)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4188 -ip 4188
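The chain these signatures record is: XWorm V5.0.exe (PID 1996) drops and starts Client.exe (PID 4188); Client.exe writes into two AppLaunch.exe instances (PIDs 480 and 3180) and sets the thread context of 3180; the Rhadamanthys shellcode rule then fires only in 3180's memory, and it is that hollowed AppLaunch.exe that reads the SCSI enumeration keys. The script below is added here as an example; it is not part of the sandbox, of the report, or of either malware family. It reproduces that correlation over the report's own rows transcribed into Python literals: it parses the `<pid>-<index>-0x<start>-0x<end>-memory.dmp` resource names, pairs WriteProcessMemory with SetThreadContext to single out the hollowing target, attributes each YARA hit to the process that placed the code, and classifies the evasion-related registry reads. The %TEMP%-to-C:\Windows path heuristic and the table of evasion keys are assumptions for this example, not rules taken from the report.

```python
import re

# Constructed input: the report's "Processes" tree and signature tables above,
# transcribed by hand into Python literals (not the sandbox's own output format).
PROCESS_IMAGE = {
    1996: r"C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe",
    4188: r"C:\Users\Admin\AppData\Local\Temp\Client.exe",
    480:  r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    3180: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
}
# (source pid, target pid); the report's repeated rows are collapsed to one each
WRITE_PROCESS_MEMORY = [(1996, 4188), (4188, 480), (4188, 3180)]
SET_THREAD_CONTEXT = [(4188, 3180)]
# (memory dump resource name, YARA family tag)
YARA_HITS = [
    ("behavioral1/memory/1996-7-0x0000000000400000-0x0000000000F40000-memory.dmp", "family_xworm"),
    ("behavioral1/memory/3180-14-0x0000000003050000-0x0000000003450000-memory.dmp", "family_rhadamanthys"),
]
# (pid, registry path read)
REGISTRY_READS = [
    (1996, r"\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation"),
    (3180, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID"),
]

# <pid>-<dump index>-0x<start>-0x<end>-memory.dmp
_DUMP_RE = re.compile(r"(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split a memory-dump resource name into pid, dump index and region bounds."""
    m = _DUMP_RE.search(name)
    if m is None:
        raise ValueError(f"unrecognised dump resource name: {name}")
    pid, index, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "index": index, "start": start, "end": end, "size": end - start}


def _in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def _under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def hollowing_candidates(images, wpm, stc):
    """Return (source, target) pairs where a process dropped under %TEMP% both wrote
    into and redirected a thread of a binary under C:\\Windows.  Requiring both calls
    against the same target is what separates hollowing from an ordinary parent
    writing start-up data into a child it created (1996 -> 4188 here).  The path
    heuristic is an assumption for this example, not a rule from the report."""
    wrote = set(wpm)
    return [(src, tgt) for src, tgt in stc
            if (src, tgt) in wrote and _in_user_temp(images[src]) and _under_windows(images[tgt])]


def attribute_payloads(hits, candidates):
    """Tie each in-memory YARA hit to the process that put the code there."""
    injector_of = {tgt: src for src, tgt in candidates}
    findings = []
    for name, family in hits:
        dump = parse_dump_name(name)
        findings.append({
            "family": family,
            "pid": dump["pid"],
            "region_size": dump["size"],
            "injected_by": injector_of.get(dump["pid"]),  # None: code is in the process's own image
        })
    return findings


# Registry paths the report flags as evasion checks, keyed by a lower-case substring
# (assumed table for this example; extend it as your own telemetry warrants)
EVASION_KEYS = {
    "\\geo\\nation": "geofence: country code lookup",
    "\\enum\\scsi\\": "sandbox fingerprint: SCSI disk vendor/model/HardwareID",
}


def evasion_reads(reg_reads):
    """Classify registry reads that match a known evasion check."""
    out = []
    for pid, path in reg_reads:
        low = path.lower()
        out.extend((pid, why) for needle, why in EVASION_KEYS.items() if needle in low)
    return out


def analyse():
    cands = hollowing_candidates(PROCESS_IMAGE, WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT)
    return {
        "hollowing": cands,
        "payloads": attribute_payloads(YARA_HITS, cands),
        "evasion": evasion_reads(REGISTRY_READS),
    }


if __name__ == "__main__":
    result = analyse()
    for f in result["payloads"]:
        where = f"injected by PID {f['injected_by']}" if f["injected_by"] else "in its own image"
        print(f"{f['family']}: PID {f['pid']}, {f['region_size'] // 0x100000} MiB region, {where}")
    for pid, why in result["evasion"]:
        image = PROCESS_IMAGE[pid].rsplit("\\", 1)[-1]
        print(f"PID {pid} ({image}): {why}")
```

Run as-is it reports the XWorm family hit as living in PID 1996's own 11 MiB image, the Rhadamanthys hit as a 4 MiB region in PID 3180 injected by PID 4188, and the two evasion reads. PID 480 is correctly left out: Client.exe wrote to it but never set its thread context, so on this evidence alone it is not a hollowed host.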
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 672KB
MD5: dbf35eac1c87ed287c8f7cba33d133b5
SHA1: d1dbfba561f8112e5099507a18cd9465b4fcb577
SHA256: 16094ff7a11c1960da481a9e106676fd94902e64c5625549493dca97bde72fcd
SHA512: c4b2112773036d89ffb1faa44ce00e1ae5bb586c7bfc3219549f32adaf74e545687ebe4682db789cf4600dcbc38d0545dfec171d92d15244cb7234736ec5b532