Overview

overview

10

Static

static

10

XWorm V5.0...db.dll

windows10-1703-x64

XWorm V5.0...db.dll

windows10-1703-x64

1

XWorm V5.0...ks.dll

windows10-1703-x64

1

XWorm V5.0...il.dll

windows10-1703-x64

1

XWorm V5.0...ts.dll

windows10-1703-x64

1

XWorm V5.0...re.dll

windows10-1703-x64

1

XWorm V5.0...rs.dll

windows10-1703-x64

1

XWorm V5.0...ed.dll

windows10-1703-x64

1

XWorm V5.0...ls.dll

windows10-1703-x64

1

XWorm V5.0...io.dll

windows10-1703-x64

1

XWorm V5.0...ws.dll

windows10-1703-x64

1

XWorm V5.0...ne.dll

windows10-1703-x64

1

XWorm V5.0...at.dll

windows10-1703-x64

1

XWorm V5.0...rd.dll

windows10-1703-x64

1

XWorm V5.0...er.dll

windows10-1703-x64

1

XWorm V5.0...er.dll

windows10-1703-x64

1

XWorm V5.0...DP.dll

windows10-1703-x64

1

XWorm V5.0...NC.dll

windows10-1703-x64

1

XWorm V5.0...ry.dll

windows10-1703-x64

1

XWorm V5.0...ns.dll

windows10-1703-x64

1

XWorm V5.0...er.dll

windows10-1703-x64

1

XWorm V5.0...ps.dll

windows10-1703-x64

1

XWorm V5.0...ox.dll

windows10-1703-x64

1

XWorm V5.0...ne.dll

windows10-1703-x64

1

XWorm V5.0...sk.dll

windows10-1703-x64

1

XWorm V5.0...ns.dll

windows10-1703-x64

1

XWorm V5.0...me.dll

windows10-1703-x64

1

XWorm V5.0...ce.dll

windows10-1703-x64

1

XWorm V5.0...er.dll

windows10-1703-x64

1

XWorm V5.0...ms.dll

windows10-1703-x64

1

XWorm V5.0...re.dll

windows10-1703-x64

1

XWorm V5.0...ry.dll

windows10-1703-x64

1

Resubmissions

07/04/2024, 11:37

240407-nrb24abg9x 10

09/10/2023, 19:06

231009-xsc58aff91 10

09/10/2023, 19:00

231009-xnxn3ahg55 10

09/10/2023, 18:59

231009-xncc5aff7x 10

01/10/2023, 10:08

231001-l6g6jsaa3t 10

Analysis

  • max time kernel
    35s
  • max time network
    38s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    07/04/2024, 11:37

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    XWorm V5.0_Cracked/XWorm V5.0/Mono.Cecil.Mdb.dll

  • Size

    42KB

  • MD5

    1c6aca0f1b1fa1661fc1e43c79334f7c

  • SHA1

    ec0f591a6d12e1ea7dc8714ec7e5ad7a04ef455d

  • SHA256

    411f8ed8c49738fa38a56ed8f991d556227d13602e83186e66ae1c4f821c940b

  • SHA512

    1c59e939d108f15881d29fe4ced4e5fa4a4476394b58b6eb464da77192cb8fe9221b7cd780af4596914d4cce7c3fc53f1bb567f944c58829de8efbe1fd87be76

  • SSDEEP

    768:Ar5EYZep98C87KHeBUZwrEzsEAnbF+em50KktmM4CRIcZwMRTIzMAtpw:Ar59g98C87KHeBUb5AnZG+zdwMRTzAtS

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Mono.Cecil.Mdb.dll",#1
    1⤵
      PID:2304
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.0.1243318081\1215043186" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40d6576e-3c43-4019-b73c-8c25ac045cc3} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 1796 201d93d9e58 gpu
          3⤵
            PID:4488
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.1.420503794\433420976" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfca690b-72ee-45e1-a49b-9456c9bf2b81} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 2152 201c6d72558 socket
            3⤵
            • Checks processor information in registry
            PID:4516
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.2.597577449\340148217" -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3060 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {156b0d9c-9cd7-4c89-b461-0e963cfe0b86} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 2848 201dd49be58 tab
            3⤵
              PID:3392
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.3.574625870\370867071" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {496d59a6-9856-4d58-aebd-7998982ccb62} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 3504 201c6d62b58 tab
              3⤵
                PID:4604
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.4.1942085002\1464252934" -childID 3 -isForBrowser -prefsHandle 4200 -prefMapHandle 4196 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28fda15c-c140-4e67-94be-2dee18bf8097} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 3256 201c6d69358 tab
                3⤵
                  PID:3184
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.5.279377489\1473760144" -childID 4 -isForBrowser -prefsHandle 4732 -prefMapHandle 4728 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce73f68a-9ff9-4da6-94ae-62251aa13c9b} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 4716 201df8bf258 tab
                  3⤵
                    PID:1128
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.6.364073343\525516213" -childID 5 -isForBrowser -prefsHandle 4872 -prefMapHandle 4876 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afc16e98-c758-4fb4-abe5-295df11410e2} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 4864 201df8bfe58 tab
                    3⤵
                      PID:4268
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.7.604467966\739666953" -childID 6 -isForBrowser -prefsHandle 5084 -prefMapHandle 5144 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f8e4839-80a2-4adb-9201-6553ae62f4b5} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 5136 201df8c2558 tab
                      3⤵
                        PID:3732
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.8.541032723\38259035" -childID 7 -isForBrowser -prefsHandle 5656 -prefMapHandle 5652 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a14ea20-0b27-4632-8abe-09d3713b88c1} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 5668 201e12dc758 tab
                        3⤵
                          PID:2980
                    • C:\Windows\system32\LogonUI.exe
                      "LogonUI.exe" /flags:0x0 /state0:0xa3aeb855 /state1:0x41c64e6d
                      1⤵
                      • Modifies data under HKEY_USERS
                      • Suspicious use of SetWindowsHookEx
                      PID:2336

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      2KB

                      MD5

                      8d8dabdf24215494e3b131d13a37503c

                      SHA1

                      b9596bd35d3f5d03bed139b39911591bc76abd50

                      SHA256

                      764387b74776ab40f148ba259322d735a95021617d0c9d7ee9ce1a9b0188f9a9

                      SHA512

                      5d1ad74e47d0393cb3a1106916493d7065143543223be433a026ba29cbc676441762418d1680fbdeff2365830c90c72624503ebd0ed94a938243c533e369bc59

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\791e6820-8334-49c3-b5d5-97ebc2008093
                      Filesize

                      746B

                      MD5

                      cffe5c10d5f328f5db7ebc796bc79666

                      SHA1

                      a40bb1b8cfe9245903e3431d5242d20d6433a9a7

                      SHA256

                      a4d66bc5c88cbe12fc40c071450984a63b4eefdba0068a250ef86ff9414cfeb6

                      SHA512

                      526701af2e3bd7d25b98402d556a54d53704c6ab9ee9082f2e6d81b36f625f58e6109b676e9ce5c590c9d1090c9d07f862d388cac341ec26b329b904cdd19684

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\b46368f7-ba37-4a2c-b47a-144c10663cb5
                      Filesize

                      10KB

                      MD5

                      8a5bfe2ae68de0c158147c3c4a50bb7d

                      SHA1

                      d3ef7104dc4aa632b016eb468d016fd18c8cdc45

                      SHA256

                      b15ebaf400892118d1b607b40494ec1a36182304c1c52ae908f501e6c059406a

                      SHA512

                      32e69b0d6d79fb181a87bb9cc85a571dd573c6de775fd13b89594dafa5cc6075b6a98ee1182bc9016a93b82e631800cb0f069c8b86454ed6e7be39da4d0d62f1

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      5c19871bf50d4d6a5e0e16feb14c54e8

                      SHA1

                      5b42858ecc2e52182cf6e749a58029b2a657ce50

                      SHA256

                      d01b3f10154b0e65c343f1f845ef0aa6c558c84c45c094b069159ddef30b1b71

                      SHA512

                      86cde32197e4c3f0b25425d02140ed47f29bdec0f0cf169e5d9be54aa0f05715edc7246a8b3d637e81271f6b5d38bed07dad144f878e00a42f9332e0c3cf39cf

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      5227db9712d17ce11a5369309ce710b4

                      SHA1

                      6a9153997dc82f44622967a8ed1af1c2f3de8440

                      SHA256

                      4fd2777a43aa5b3e369dbd1ce74d5f8bb95e4050328589f47665bccd6054ae11

                      SHA512

                      7b79a79eaa7c6617356a535c1031cba7c8051a6c4ee209f82490d4b52bedc49b82067fffd05467343228bb182538d639f2acc6390eb3b8c004953a4c011c87bd

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      3KB

                      MD5

                      ec0c7a80444485e746140c2369181cb3

                      SHA1

                      8ec49527f612f5ba46a89e71fbdba802a02f1f72

                      SHA256

                      47c7a08a87fe47176f21cf9a8eae072abad366473718bbb64c77ee9dad27bfa8

                      SHA512

                      1e2f9b32bc7acac40d4d28d1be97004b70568b4a6ea34e3f1f95ff13543ea1afe747e07a7f64a9409bdfc914d63d25ff3bea08bb68f6b83c158457d0c7b67578

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4
                      Filesize

                      4KB

                      MD5

                      9a0d82eeb9b1c9584e899e2dcf04e280

                      SHA1

                      0e5cd2f0580b698174cca8af7a123c0e27572dc1

                      SHA256

                      ad3419214d5b4c6e6ed0f001a3f461ae381bb81a5b7c510014f395270da6b365

                      SHA512

                      0c26de426e090cceafa39e485686ec2351bbb55a23ee1280f1063d76639460615888c21108d1f760d870e69468c3dee99d2c3517fe35cb61ec3bd979778cf9b6

                      Download Submit