Analysis
max time kernel: 166s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 20-03-2024 20:18
General
Target: XWorm V5.2/XWormLoader 5.2 x64.exe
Size: 109KB
MD5: e6a20535b636d6402164a8e2d871ef6d
SHA1: 981cb1fd9361ca58f8985104e00132d1836a8736
SHA256: b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2
SHA512: 35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30
SSDEEP: 1536:TYogSlNwXosKwOYtV1AS9m3xQyVGNNiLkWNF7XxFqmyVttdGFQeOPigx:TvgSlqGS9m3xQyKNbWNV3qmyBeu
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload (1 IoC)
Processes:
resource: behavioral1/memory/4556-36-0x0000026DF93F0000-0x0000026DF95E4000-memory.dmp
yara_rule: family_agenttesla
Loads dropped DLL (1 IoC)
Processes:
pid: 4556  process: XWormLoader 5.2 x64.exe
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource: behavioral1/memory/4556-25-0x0000026DF96D0000-0x0000026DFA308000-memory.dmp
yara_rule: agile_net
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  process: taskmgr.exe
description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  process: taskmgr.exe
description: Key value queried  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  process: taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description: Key opened  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  process: XWormLoader 5.2 x64.exe
description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  process: XWormLoader 5.2 x64.exe
description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion  process: XWormLoader 5.2 x64.exe
Modifies Internet Explorer settings (1 IoC)
Processes:
description: Key created  ioc: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\TypedURLs  process: XWormLoader 5.2 x64.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: taskmgr.exe (pid 1968), XWormLoader 5.2 x64.exe (pid 4556)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
pid: 1968  process: taskmgr.exe
pid: 4556  process: XWormLoader 5.2 x64.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
description: Token: SeDebugPrivilege  pid: 1968  process: taskmgr.exe
description: Token: SeSystemProfilePrivilege  pid: 1968  process: taskmgr.exe
description: Token: SeCreateGlobalPrivilege  pid: 1968  process: taskmgr.exe
description: Token: SeDebugPrivilege  pid: 4556  process: XWormLoader 5.2 x64.exe
description: Token: 33  pid: 3532  process: AUDIODG.EXE
description: Token: SeIncBasePriorityPrivilege  pid: 3532  process: AUDIODG.EXE
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: taskmgr.exe (pid 1968), XWormLoader 5.2 x64.exe (pid 4556)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: taskmgr.exe (pid 1968), XWormLoader 5.2 x64.exe (pid 4556)
Processes
- C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe"
  PID: 4556
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1968
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 3416
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4c8 0x3d0
  PID: 3532
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 112KB
MD5: 2f1a50031dcf5c87d92e8b2491fdcea6
SHA1: 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA256: 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA512: 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8