Resubmissions

10-03-2024 06:56

240310-hqlbgseg66 3

10-03-2024 06:22

240310-g4whyaea98 10

Analysis

  • max time kernel
    303s
  • max time network
    1619s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-03-2024 06:56

General

  • Target

    XWorm V5.3.7z

  • Size

    43.4MB

  • MD5

    d06bfd3b8385b6da7d7cefa963ea7288

  • SHA1

    f97c1cd79b033be1b3487eb25a18a23839c06fcc

  • SHA256

    4d274a49cb04b5de876fd1c22ef6a42dd1625a33b4c045c207fd1fbc0a8f3b6c

  • SHA512

    32738af730ba3f25637cbe3256f1090bd797eefadf29ff6a09e6d75c90a64f35a5078895fa8b297b85cfaed219904c74d6b9d6ae5ddfe94299be1ebe46ca66a9

  • SSDEEP

    786432:B2fNnRSmGbKu8sHm5R/6MGWgIjvpoURlhWlJzNgeVCWoRLhfl6Bj:B2smu8/v/6xt8Dlh6JzdLoRLP6Bj

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm V5.3.7z"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.3.7z"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4488
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4304

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads