Analysis

max time kernel: 303s
max time network: 1619s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 10-03-2024 06:56

Static task: static1
Behavioral task: behavioral1
Sample: XWorm V5.3.7z
Resource: win10-20240221-en
5 signatures, 1800 seconds
General

Target: XWorm V5.3.7z
Size: 43.4MB
MD5: d06bfd3b8385b6da7d7cefa963ea7288
SHA1: f97c1cd79b033be1b3487eb25a18a23839c06fcc
SHA256: 4d274a49cb04b5de876fd1c22ef6a42dd1625a33b4c045c207fd1fbc0a8f3b6c
SHA512: 32738af730ba3f25637cbe3256f1090bd797eefadf29ff6a09e6d75c90a64f35a5078895fa8b297b85cfaed219904c74d6b9d6ae5ddfe94299be1ebe46ca66a9
SSDEEP: 786432:B2fNnRSmGbKu8sHm5R/6MGWgIjvpoURlhWlJzNgeVCWoRLhfl6Bj:B2smu8/v/6xt8Dlh6JzdLoRLP6Bj
Score: 3/10
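Before relying on a sandbox verdict, confirm that the file on disk is the same object the report analysed. The script below is an added example and not part of the report or of the sandbox's tooling: it recomputes the four stdlib digests listed under General (MD5, SHA1, SHA256, SHA512) in a single pass and compares them with the values above. SSDEEP is left out because it needs a third-party library. The default filename in the usage block is the report's sample name; the function and variable names are this example's own.

```python
"""Confirm a local file is the sample this report describes.

Added example, not part of the sandbox report. It recomputes the digests
listed under General and compares them with the report's values so an
analyst knows the file on disk is the analysed object before trusting the
behavioural results.
"""
import hashlib
from typing import Dict, Iterable

# Values copied from the report's General block.
REPORT_HASHES: Dict[str, str] = {
    "md5": "d06bfd3b8385b6da7d7cefa963ea7288",
    "sha1": "f97c1cd79b033be1b3487eb25a18a23839c06fcc",
    "sha256": "4d274a49cb04b5de876fd1c22ef6a42dd1625a33b4c045c207fd1fbc0a8f3b6c",
    "sha512": (
        "32738af730ba3f25637cbe3256f1090bd797eefadf29ff6a09e6d75c90a64f35"
        "a5078895fa8b297b85cfaed219904c74d6b9d6ae5ddfe94299be1ebe46ca66a9"
    ),
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def _digest_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all four hashers in one pass over the data."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory blob (small files, tests)."""
    return _digest_chunks([data])


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Digests of a file on disk, read in 1 MiB chunks so a 43 MB sample
    is never loaded into memory at once."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def verify_digests(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match table. Comparison is case-insensitive because
    reports and tools disagree on hex case; only algorithms present in
    both dicts are compared, so a report listing fewer hashes still
    verifies."""
    return {
        name: actual[name].lower() == expected[name].strip().lower()
        for name in expected
        if name in actual
    }


def matches_report(data: bytes, expected: Dict[str, str] = REPORT_HASHES) -> bool:
    """True only if every digest the report lists agrees with the data.
    A single mismatch means this is not the analysed sample (or the
    report's hash block was transcribed wrongly). An empty expectation
    verifies nothing and is treated as a failure, not a pass."""
    results = verify_digests(digests_of(data), expected)
    return bool(results) and all(results.values())


if __name__ == "__main__":
    import sys

    # Usage: python verify_sample.py "XWorm V5.3.7z"
    path = sys.argv[1] if len(sys.argv) > 1 else "XWorm V5.3.7z"
    table = verify_digests(digests_of_file(path), REPORT_HASHES)
    for name, ok in table.items():
        print(f"{name:6} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if table and all(table.values()) else 1)
```

Run it against the archive you intend to analyse; a non-zero exit code means at least one digest differs from the report and the behavioural findings below should not be attributed to your copy.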
Malware Config

Signatures

Note: the submitted sample is a 7z archive. In this run it was only opened in 7-Zip File Manager (7zFM.exe) and no further processes were spawned from it (see Processes), so the signatures below describe cmd.exe and 7zFM.exe behaviour rather than anything inside the archive; this is consistent with the 3/10 score.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Process: cmd.exe
  Key created: \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  7zFM.exe (PID 4488): Token: SeRestorePrivilege
  7zFM.exe (PID 4488): Token: 35 (privilege LUID 35 is SeCreateSymbolicLinkPrivilege)
  7-Zip enables both of these privileges at startup for symbolic-link handling during extraction, so seeing them in 7zFM.exe is expected and is not on its own an indicator of compromise.

Suspicious use of FindShellTrayWindow (1 IoC)
  7zFM.exe (PID 4488)

Suspicious use of WriteProcessMemory (2 IoCs)
  PID 5068 (cmd.exe) wrote to memory of PID 4488 (7zFM.exe), procid_target 74
  PID 5068 (cmd.exe) wrote to memory of PID 4488 (7zFM.exe), procid_target 74 (the report lists this row twice)
Processes

1. C:\Windows\system32\cmd.exe (PID 5068)
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm V5.3.7z"
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\7-Zip\7zFM.exe (PID 4488), child of PID 5068, launched through the .7z file association
      Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.3.7z"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

1. C:\Windows\System32\rundll32.exe (PID 4304)
   Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding