Analysis
- max time kernel: 846s
- max time network: 848s
- platform: windows7_x64
- resource: win7-20240220-it
- resource tags: arch:x64, arch:x86, image:win7-20240220-it, locale:it-it, os:windows7-x64, system, windows
- submitted: 16-05-2024 12:33
Behavioral task: behavioral1
- Sample: XWorm V5.2.rar
- Resource: win7-20240220-it (windows7-x64)
- 5 signatures
- 1200 seconds

Behavioral task: behavioral2
- Sample: XWorm V5.2.rar
- Resource: win10v2004-20240426-it (windows10-2004-x64)
- 3 signatures
- 1200 seconds
General
- Target: XWorm V5.2.rar
- Size: 30.8MB
- MD5: fedb5514599b1b6b2583d2d02f67b18d
- SHA1: 30bf61c43970f8f60e8770f649ab9a406020ac18
- SHA256: fa4e6545f776160094004f3bfc1c9e199ec43e22870b1674b48ecc9a80ec71fb
- SHA512: 3bae5883c01222d537dde94cf4a8aedf86023349be2c742f7e6aa78e9faafc10dcd596968773e8287a58051d7696c2024aedd6704f11a3a1fc2c5fdbf17861f7
- SSDEEP: 786432:+yMMBOS745XHHdXOXZCJxMJW18F3JhLDj55I7cTFXPz:dBzEtn0QJ2g12Jhnt9Zb
- Score: 3/10
Malware Config
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid 2596, process 7zFM.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeRestorePrivilege, pid 2596, process 7zFM.exe
    Token: 35, pid 2596, process 7zFM.exe

- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid 2596, process 7zFM.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 2148 (cmd.exe) wrote to memory of PID 2596 (7zFM.exe)
    PID 2148 (cmd.exe) wrote to memory of PID 2596 (7zFM.exe)
    PID 2148 (cmd.exe) wrote to memory of PID 2596 (7zFM.exe)
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"
   - Suspicious use of WriteProcessMemory
   - PID: 2148

   2. C:\Program Files\7-Zip\7zFM.exe (child of PID 2148)
      Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - PID: 2596