Analysis Overview
SHA256
b158304df91dfaeff7bc29fd2d5994999451389ac6b5ef6fd8a0f4bc116cedae
Threat Level: Known bad
The file xworm.iso was found to be: Known bad.
Malicious Activity Summary
Stormkitty family
StormKitty payload
Agenttesla family
Contains code to disable Windows Defender
AgentTesla payload
AgentTesla
AgentTesla payload
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-20 20:18
Signatures
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Agenttesla family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-20 20:18
Reported
2024-03-20 20:23
Platform
win10v2004-20240226-en
Max time kernel
166s
Max time network
174s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c8 0x3d0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
memory/4556-0-0x0000000000030000-0x0000000000050000-memory.dmp
memory/4556-1-0x0000026DE0000000-0x0000026DE0042000-memory.dmp
memory/4556-2-0x00007FF802640000-0x00007FF803101000-memory.dmp
memory/4556-3-0x0000026DE0090000-0x0000026DE00B8000-memory.dmp
memory/4556-4-0x0000026DDE8B0000-0x0000026DDE8B6000-memory.dmp
memory/4556-5-0x0000026DF87F0000-0x0000026DF884E000-memory.dmp
memory/4556-6-0x0000026DF8990000-0x0000026DF89E6000-memory.dmp
memory/4556-7-0x0000026DF8A80000-0x0000026DF8A90000-memory.dmp
memory/4556-8-0x0000026DDE6E0000-0x0000026DDE6E6000-memory.dmp
memory/4556-9-0x0000026DDE6F0000-0x0000026DDE6F6000-memory.dmp
memory/4556-10-0x0000026DF89F0000-0x0000026DF8A2C000-memory.dmp
memory/1968-11-0x000001FE961C0000-0x000001FE961C1000-memory.dmp
memory/1968-12-0x000001FE961C0000-0x000001FE961C1000-memory.dmp
memory/1968-13-0x000001FE961C0000-0x000001FE961C1000-memory.dmp
memory/4556-14-0x0000026DF87B0000-0x0000026DF87CA000-memory.dmp
memory/1968-19-0x000001FE961C0000-0x000001FE961C1000-memory.dmp
memory/1968-20-0x000001FE961C0000-0x000001FE961C1000-memory.dmp
memory/1968-18-0x000001FE961C0000-0x000001FE961C1000-memory.dmp
memory/1968-21-0x000001FE961C0000-0x000001FE961C1000-memory.dmp
memory/1968-22-0x000001FE961C0000-0x000001FE961C1000-memory.dmp
memory/1968-23-0x000001FE961C0000-0x000001FE961C1000-memory.dmp
memory/1968-24-0x000001FE961C0000-0x000001FE961C1000-memory.dmp
memory/4556-25-0x0000026DF96D0000-0x0000026DFA308000-memory.dmp
memory/4556-26-0x00007FF8015E7000-0x00007FF8015E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll
| MD5 | 2f1a50031dcf5c87d92e8b2491fdcea6 |
| SHA1 | 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f |
| SHA256 | 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed |
| SHA512 | 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8 |
memory/4556-33-0x00007FF801EF8000-0x00007FF801EF9000-memory.dmp
memory/4556-34-0x00007FF801EF9000-0x00007FF801EFA000-memory.dmp
memory/4556-35-0x0000026DFAB10000-0x0000026DFB6FC000-memory.dmp
memory/4556-36-0x0000026DF93F0000-0x0000026DF95E4000-memory.dmp
memory/4556-37-0x00007FF80024D000-0x00007FF80024E000-memory.dmp
memory/4556-38-0x0000026DF8A80000-0x0000026DF8A90000-memory.dmp
memory/4556-39-0x0000026DF8A80000-0x0000026DF8A90000-memory.dmp
memory/4556-40-0x00007FF800264000-0x00007FF800265000-memory.dmp
memory/4556-41-0x00007FF802640000-0x00007FF803101000-memory.dmp
memory/4556-42-0x0000026DF8A80000-0x0000026DF8A90000-memory.dmp
memory/4556-44-0x00007FF80025D000-0x00007FF80025E000-memory.dmp
memory/4556-43-0x0000026DF8A80000-0x0000026DF8A90000-memory.dmp
memory/4556-46-0x0000026DF8A80000-0x0000026DF8A90000-memory.dmp
memory/4556-45-0x0000026DF8A80000-0x0000026DF8A90000-memory.dmp
memory/4556-49-0x0000026DF8A80000-0x0000026DF8A90000-memory.dmp
memory/4556-50-0x0000026DF8A80000-0x0000026DF8A90000-memory.dmp
memory/4556-51-0x0000026DF8A80000-0x0000026DF8A90000-memory.dmp