Analysis
-
max time kernel
298s -
max time network
307s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
11-04-2024 14:10
General
-
Target
http://telegra.ph/XWorm-50-09-06
Malware Config
Extracted
xworm
5.0
testarosa.duckdns.org:7110
Rg1w8TcZ1AXGhMnB
-
Install_directory
%ProgramData%
-
install_file
WindowsDefender.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Executes dropped EXE 15 IoCs
-
Loads dropped DLL 6 IoCs
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
NTFS ADS 19 IoCs
-
Opens file in notepad (likely ransom note) 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://telegra.ph/XWorm-50-09-061⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff83f2f3cb8,0x7ff83f2f3cc8,0x7ff83f2f3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2440 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7560 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar"2⤵
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7zO0F21A268\Fix64.exe"C:\Users\Admin\AppData\Local\Temp\7zO0F21A268\Fix64.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 8724⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO0F234F38\XWorm V5.0.exe"C:\Users\Admin\AppData\Local\Temp\7zO0F234F38\XWorm V5.0.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7zO0F23FB88\XWorm V5.0.exe"C:\Users\Admin\AppData\Local\Temp\7zO0F23FB88\XWorm V5.0.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7zO0F26BCB8\Fix64.exe"C:\Users\Admin\AppData\Local\Temp\7zO0F26BCB8\Fix64.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 8724⤵
- Program crash
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0F2FF049\FixNoStart.txt3⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO0F298639\Fixer.bat" "3⤵
-
C:\Windows\system32\lodctr.exelodctr /r4⤵
- Drops file in System32 directory
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO0F2CCCF9\XWorm V5.0.exe"C:\Users\Admin\AppData\Local\Temp\7zO0F2CCCF9\XWorm V5.0.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe"C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender.exe"4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6928 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4376 -ip 43761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4152 -ip 41521⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar"1⤵
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7zO80F95F1A\XWormLoader.exe"C:\Users\Admin\AppData\Local\Temp\7zO80F95F1A\XWormLoader.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7zO80F55A2A\XWorm V5.0.exe"C:\Users\Admin\AppData\Local\Temp\7zO80F55A2A\XWorm V5.0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO80FE64EA\FixNoStart.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO80FE298A\FixNoStart.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Users\Admin\AppData\Local\Temp\7zO80FDD38A\Fix64.exe"C:\Users\Admin\AppData\Local\Temp\7zO80FDD38A\Fix64.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 8443⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO80F9A69A\Fix64.exe"C:\Users\Admin\AppData\Local\Temp\7zO80F9A69A\Fix64.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 8443⤵
- Program crash
-
-
-
C:\ProgramData\WindowsDefender.exeC:\ProgramData\WindowsDefender.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1940 -ip 19401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5016 -ip 50161⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar"1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zO02029A2B\XWormLoader.exe"C:\Users\Admin\AppData\Local\Temp\7zO02029A2B\XWormLoader.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7zO0208BE3B\XWorm V5.0.exe"C:\Users\Admin\AppData\Local\Temp\7zO0208BE3B\XWorm V5.0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO020EC24B\Fixer.bat" "2⤵
-
C:\Windows\system32\lodctr.exelodctr /r3⤵
- Drops file in System32 directory
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO0202A29B\XWorm V5.0.exe"C:\Users\Admin\AppData\Local\Temp\7zO0202A29B\XWorm V5.0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\WindowsDefender.exeC:\ProgramData\WindowsDefender.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
152B
MD5d4604cbec2768d84c36d8ab35dfed413
SHA1a5b3db6d2a1fa5a8de9999966172239a9b1340c2
SHA2564ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2
SHA512c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855
-
Filesize
152B
MD5577e1c0c1d7ab0053d280fcc67377478
SHA160032085bb950466bba9185ba965e228ec8915e5
SHA2561d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158
SHA51239d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5
-
Filesize
1KB
MD521dc328b80ea14c96337e7e379a93187
SHA1ca988018e5c0dca9893e6063e26b49d3f1d8b3b9
SHA256d5f211975a4353450919ce05ee6dd3d38843dbff4edd53f52ccaeeae6860d847
SHA51212026740ba91a666a5f6bc790722d391a4ccfc3dfb73c3176709d2a083e4f2a7cc07ca7d8aa7980eff61253cb7b0d69eb32aee4bedcadbe9638a0e8876ecb518
-
Filesize
3KB
MD5db01c8bd8a523977913ca58f7b04fa95
SHA17cbb95b4bfebc9dae13994a913e772cd5bbdd115
SHA256604958c8738454d21c9caf240b60ea5342c071e7529e1156ac3fb504e3b770e7
SHA51223673a825f8cc6d03d00ffcf4eea1ca52f0bd5f71dbe944b1b98157bb5684f6e18abf8c305ba7c243e2908e5ae46d007caa7aca30b528fca6254dae5534878cc
-
Filesize
5KB
MD5080697ee611e232b344032f618ce9950
SHA1c84ba2f4ee8fd4e1d7d2bdadb0112f8e4e2ab3cc
SHA256d98f97e71ab479ae6818a3cb26c410277957ac211225f89ef92f020c8510628c
SHA512b24077e9181ca455ba8e70d7955d9dfaec19027da465283a52cc309a02e6a0d88964a8e7cfb99a27106ced7f11145e7827f6a65789f20ec5b226dbc1fdd46753
-
Filesize
8KB
MD58e662b8ecd410760c9a6a9f73570cdd5
SHA16b59c6cc0e124d55a24b72d1868b163b77a9b979
SHA256d444708a6aedb81cdf3d250ccbc5f06d25b4b4b2a15708707848805de8040c92
SHA5126ed49297722fcf08a991dad36b0d25b9afe08f4106cdb992d27ea57680b4fb3421e59cc13d75a2d096759d5394356cd80beb5b0b878e6ac3ffa01ab66bcae675
-
Filesize
7KB
MD57ba9266e06b6424c9566276b0585d225
SHA1fcda45affa3fb9dd40f3df247dfbc7eb0d0179c6
SHA256e5c33c8d740202177909a7fe1ccf23039b918485ca8265ec704d9240bf18bdb2
SHA512054d87766d7dab6f7be790607f77a4259500b1b5b657bc05c1c425a42e282000997d4effef863abf610a5a51b9a7eee77941c357f7adb94cc4a76947b481a8e3
-
Filesize
8KB
MD5351478e9a0ab1edc0064f5339e7e8c4d
SHA18d91d67af4e07f5cc31e0e00eb8f8a14a1965f27
SHA25652b88e3c62534564ab60f293789227a4ba5516174fa7111d1fda98672bbf20b0
SHA5121fe5e6cdc763e9f5f6f393a84377a11918d2461cba5acd745e49a50ea0628af42bfa0ed26e489c1c14252548b85423da215fb48bf5d2186b12b561a16569a23a
-
Filesize
240B
MD591d271306fa0b9b581bb2f5eeceb59e2
SHA18415067a76887f1d93ccd72413e6d2ce70814747
SHA25669cb11be05655da9b7ac1b3aed46766d6c118fe00448e8dd57936c487fccae80
SHA512707c499eef7738e5a26def1860b6471b86d74fe7bc34c7a9c67f72a08869edd2368665606d8d63ba038e70cd182f94e6ecc120ed40fc60f948fff83a26606557
-
Filesize
48B
MD5368fd9b0cf868c7873a285c00d31af92
SHA1cc613f4545f152b99d5336e0714ff7cae23909dc
SHA2561624a8da19084a3e5defe985e761befe7cd4f9d73d4ef506eb5fd05de6feef9a
SHA512414296c18cd9b5513277195683a16fd2d8a1312874261d9de3b82a9f14b1b9044a7e4abcb910edd370fbf00165fdb1eae8c7757a5bc551f918641c56c527c49c
-
Filesize
2KB
MD572faa99835d113982c4e3409e1f2a72e
SHA1b8aa0aa74e18ac12bb87b35a599ef2d59d6f335a
SHA256cd6b8d86f97f3f83cb84de9611c46715350d9884e5caeb0d1f13b00192022bda
SHA5127eb14642038410aa6a02ff1a336982f60d2ac288beb4fa0729856775928803380bbe2e6a848b2092c13c1a902c88758db29d4414650531ec0275175c83a7672a
-
Filesize
2KB
MD57ae6f06b4f7d33468de605d3ddf3b77f
SHA1902558f795b44b3ca5034636111a24fb5f50b468
SHA25693ae5041eafd946f922601e32069d8457d024450371a2e8b869ca340e557e0b6
SHA5127b3a738af401ded64a297ab823227e644361f8a1c641dc64235678131e504f0aaaafd1f6c76b791b247d0b776655e2ffc6acdfe5e2dd70d2606e920cda661041
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD572cecbcc82c8163fb76d17990e999b2c
SHA1a67a85c4098a31c0ba43422df8d09cbb364db82c
SHA256460e27513c2f5f272e636f5d82bfb357eeba9f6c9ee789a33ea3721a04620ab7
SHA51256f75a8f9002735fdb5def7cb98ea99f94e0873f4fff62490747dbbf874ef471fbd502d37e50b28667abf6770b3a579708fda72f6f6182add0726aca356d7b02
-
Filesize
11KB
MD510dd1382343e8556643dec6bd3222bf5
SHA1ae0512dbe0639109a31fe7872ca46bd80e26dff0
SHA25616a38dce4a55f58695de0895da297bcc7c55a3be1544f89bd973431d3ed4ba60
SHA5129e1f2bd9362e4f0531b617cba00ea185f815fae092030350f4a108d217a4df34513f17acccac542fc30d59188ab392fcc411f0fd296bfb190cec9b92e364827e
-
Filesize
11KB
MD59df49f7ea06a964408561ae55094ab32
SHA14deefb4776aa71926885d1ccadd6c2fa522fc205
SHA2565dc41c86b3f391e5312939271567a23210aef29c914feae7cf44346e48e158b1
SHA51281e67ac308620206453a67c5258f8c92294b1bbe7bf136f14ba024360fada3d8a28ced1c23dde8bcd217e8fd1c9ca2143ac9d0a70d661e246428fcc959167659
-
Filesize
14KB
MD58f13c1e871ec6f02652b38b31cfcba9a
SHA1992d553ea0cac9f8e95434418dcf8c3bf618d5f6
SHA2563764b0ce3b692039ae60e9da386a7070dc6c98cede0df101504186746659568d
SHA5122d15217c773c1c1c33c4af93fff26edbe891fadea2b789d493735f5284c99a643d86489bdca678a55ebb1793c8ce37a80b37d2b393722d4c134865ad100bf456
-
Filesize
944B
MD56903d57eed54e89b68ebb957928d1b99
SHA1fade011fbf2e4bc044d41e380cf70bd6a9f73212
SHA25636cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52
SHA512c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e
-
Filesize
944B
MD5051a74485331f9d9f5014e58ec71566c
SHA14ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA2563f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA5121f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d
-
Filesize
944B
MD5119f072cb44ba7b650fdcf73c670cef0
SHA1c2c60b6f946a7b06f86ee1f50c2487e6d4c44f3a
SHA256bd76b46dd2400be6c57f805ca3ed77e87a55440d1e2bdbc822b984e07cea8bdb
SHA512f56c37835af1c800362f248344bb00cbab528a2be60d9a8c7e14ffa214b55c9a802769d60151c954051fc52df5a67895d899c18819ee89c1116a5bb66064cf73
-
Filesize
101KB
MD53bd72a361ce4e5514c2e6eee83f08545
SHA1a5089aa08760b87c7940e6e1e0eac39509a1a9da
SHA25662a14b870bde8d57e50360039d3474210d1fdaf490afdd1bf36ce92fbaff893b
SHA5124cc7da68e5b766be6ace9d9ae0458fd09b827fc565dc545ad9d43b4f87638e622f3d280189c23e521dbac3311c583f66d96a9ce751b9aa985036a46b0f2cbc7d
-
Filesize
196B
MD52e9fc08e958c9c759f5453ce430cc8ce
SHA14a9e35901267cec3d9a66b057d2e829a3645c61e
SHA256ce12b7f8deeb2c8c86ff0c4bfe89918605cd1050c2f9bb5d516ff040b801b7a5
SHA512a895710af8ee9cea3453c2c1d0aeb4825d2078e2eb19b4952abdf9362f5fea2b161bf3ab6699fa9c694c16e9360029103209bab1800ebbb2d65ae962543a4d41
-
Filesize
10.4MB
MD5227494b22a4ee99f48a269c362fd5f19
SHA1d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9
SHA2567471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2
SHA51271070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0
-
Filesize
122B
MD52dabc46ce85aaff29f22cd74ec074f86
SHA1208ae3e48d67b94cc8be7bbfd9341d373fa8a730
SHA256a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55
SHA5126a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3
-
Filesize
111KB
MD59158e38c3bacd6cc50e4355783fead8b
SHA1c30c982c2d061e4bd8b5e0e3f89693b3939a0833
SHA2561f10356e86d377e76ab31ca4401f0f49f4caa9587227c61c56f8fc38dc4d7bda
SHA51298683f6d5954238428b83df22acef64b7b3ca12b84c6b7cdd90063e4800006d3243b678eb5702045c32e8a7fd76c44cd453d6b6aca732b5a4d50d555d1b753bd
-
Filesize
108B
MD5d29fc8fa55dbe2092a0557dc967be12e
SHA196e829d1c325514c1ac86432a6bb101512a8b58e
SHA256454871b7ec4e5870757ad7ca884f70aee89116c154d6126078d2a7d43c2106fd
SHA512c0e2bfca18fb719c1f84145438c8afdeb53012fdf82d14b9bd128da2495352ed2140e6ae9a5e52e2f0b01e371db71d5126ae9f7ba6225349ebd9c79ba370ad2f
-
Filesize
112KB
MD5a239b7cac8be034a23e7e231d3bcc6df
SHA1ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d
SHA256063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8
SHA512c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
28.8MB
MD5f778fc725ed79c15d3ad889e7a33bea8
SHA16dfce5a46e080fb2436b09a5ed68b98b4c28c17d
SHA256c2a1b97d657542e949496bc96e5a6c4e0beb101a629e7591519d0cb7e906dbfa
SHA512ecb5365ae67963d1d246851a852fda53d7ed100e99377d340124b432a3d502044d4ae3abf2e67f7b1224dd08e42e45906d173fcf0e667ec1f052102a4196745a
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
35KB
MD57f41bddfccdfe4a298b0bfcf14a20836
SHA18acacdd3503c65fb2ddc4fbb9f41811ae8550276
SHA256446d064235ee69494d5797e01e4039eca0a026c9b801cacf0670334104eedbbb
SHA512bb984e7660899c293eb3e8c14156cee5237e0cd2b0ada7b03c850f027a08d728fe8774f7a377e911ed54bd788ac5c88fd6e24b41fda6d5020dc6fae0e4980c85
-
Filesize
297KB
MD550362589add3f92e63c918a06d664416
SHA1e1f96e10fb0f9d3bec9ea89f07f97811ccc78182
SHA2569a60acb9d0cb67b40154feb3ff45119f122301ee059798c87a02cc0c23e2ffce
SHA512e21404bc7a5708ab1f4bd1df5baff4302bc31ac894d0940a38b8967b40aac46c2b3e51566d6410e66c4e867e1d8a88489adccf8bdcaec682e9ddabc0dac64468
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
11.7MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.4MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB