Analysis Overview
SHA256: 264c33358030655653d02cf653ca7f2e56a897b28689cdb35e015259afb71731
Threat Level: Known bad
The file sexy.rar was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Xworm
Detect Xworm Payload
AgentTesla payload
Uses the VBS compiler for execution
Executes dropped EXE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Modifies registry class
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2024-06-08 23:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-08 23:50
Reported: 2024-06-09 00:03
Platform: win10v2004-20240508-en
Max time kernel: 615s
Max time network: 562s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\sexy.rar |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Program Files\7-Zip\7zG.exe | "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\sexy\" -spe -an -ai#7zMap736:88:7zEvent19072 |
| C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | "C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4 |
| C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | "C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\sexy\ClientsFolder\F26943D0D149AD3F4279\Recovery\RecoveryData\cookies.json
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\sexy\Icons\icon (15).ico
| MD5 | e3143e8c70427a56dac73a808cba0c79 |
| SHA1 | 63556c7ad9e778d5bd9092f834b5cc751e419d16 |
| SHA256 | b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188 |
| SHA512 | 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc |
C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe
| MD5 | 56ccb739926a725e78a7acf9af52c4bb |
| SHA1 | 5b01b90137871c3c8f0d04f510c4d56b23932cbc |
| SHA256 | 90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405 |
| SHA512 | 2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1 |
C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe.config
| MD5 | 66f09a3993dcae94acfe39d45b553f58 |
| SHA1 | 9d09f8e22d464f7021d7f713269b8169aed98682 |
| SHA256 | 7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7 |
| SHA512 | c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed |
memory/3468-319-0x0000017070940000-0x0000017071828000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sexy\Guna.UI2.dll
| MD5 | bcc0fe2b28edd2da651388f84599059b |
| SHA1 | 44d7756708aafa08730ca9dbdc01091790940a4f |
| SHA256 | c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef |
| SHA512 | 3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8 |
memory/3468-321-0x0000017075360000-0x0000017075554000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sexy\GeoIP.dat
| MD5 | 8ef41798df108ce9bd41382c9721b1c9 |
| SHA1 | 1e6227635a12039f4d380531b032bf773f0e6de0 |
| SHA256 | bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740 |
| SHA512 | 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b |
C:\Users\Admin\AppData\Local\Temp\sexy\Sounds\Intro.wav
| MD5 | ad3b4fae17bcabc254df49f5e76b87a6 |
| SHA1 | 1683ff029eebaffdc7a4827827da7bb361c8747e |
| SHA256 | e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf |
| SHA512 | 3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xworm V5.6.exe.log
| MD5 | 2d2a235f1b0f4b608c5910673735494b |
| SHA1 | 23a63f6529bfdf917886ab8347092238db0423a0 |
| SHA256 | c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884 |
| SHA512 | 10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-08 23:50
Reported: 2024-06-09 00:04
Platform: win11-20240426-en
Max time kernel: 680s
Max time network: 675s
Command Line
Signatures
AgentTesla
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "4" | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2144 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe |
| PID 2144 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe |
| PID 1992 wrote to memory of 3228 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| PID 1992 wrote to memory of 3228 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\sexy.rar |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Program Files\7-Zip\7zG.exe | "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\sexy\" -spe -an -ai#7zMap13575:88:7zEvent17601 |
| C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | "C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004EC |
| C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | "C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe | "C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1qzqluca\1qzqluca.cmdline" |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AAB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA005F5F473C14F3696A86A47FD3AC62.TMP" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\sexy\ClientsFolder\F26943D0D149AD3F4279\Recovery\RecoveryData\cookies.json
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\sexy\Icons\icon (15).ico
| MD5 | e3143e8c70427a56dac73a808cba0c79 |
| SHA1 | 63556c7ad9e778d5bd9092f834b5cc751e419d16 |
| SHA256 | b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188 |
| SHA512 | 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc |
C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe
| MD5 | 56ccb739926a725e78a7acf9af52c4bb |
| SHA1 | 5b01b90137871c3c8f0d04f510c4d56b23932cbc |
| SHA256 | 90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405 |
| SHA512 | 2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1 |
C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe.config
| MD5 | 66f09a3993dcae94acfe39d45b553f58 |
| SHA1 | 9d09f8e22d464f7021d7f713269b8169aed98682 |
| SHA256 | 7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7 |
| SHA512 | c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed |
memory/4776-319-0x00000235140A0000-0x0000023514F88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sexy\Guna.UI2.dll
| MD5 | bcc0fe2b28edd2da651388f84599059b |
| SHA1 | 44d7756708aafa08730ca9dbdc01091790940a4f |
| SHA256 | c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef |
| SHA512 | 3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8 |
memory/4776-321-0x0000023530A50000-0x0000023530C44000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sexy\GeoIP.dat
| MD5 | 8ef41798df108ce9bd41382c9721b1c9 |
| SHA1 | 1e6227635a12039f4d380531b032bf773f0e6de0 |
| SHA256 | bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740 |
| SHA512 | 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b |
C:\Users\Admin\AppData\Local\Temp\sexy\Sounds\Intro.wav
| MD5 | ad3b4fae17bcabc254df49f5e76b87a6 |
| SHA1 | 1683ff029eebaffdc7a4827827da7bb361c8747e |
| SHA256 | e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf |
| SHA512 | 3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3 |
C:\Users\Admin\AppData\Local\Temp\sexy\Xworm V5.6.exe
| MD5 | c464e152cccc8b6b8c31a2f2f2c47f56 |
| SHA1 | 6f33badc5bf718775f7e8e403b5804b7dc936735 |
| SHA256 | 4636f65685d60199313f678502dc00d03f6007a96568187f47e5c3f09f5b9a59 |
| SHA512 | 097bb2e5a7ff944ce59470b64cb18cec1a660c9f009b3244aac81bd128469521fa97ec7af86309469df1acaa40cfe8c9b72835bc56f9397d9739a99f27befa48 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xworm V5.6.exe.log
| MD5 | 8e0f23092b7a620dc2f45b4a9a596029 |
| SHA1 | 58cc7c47602c73529e91ff9db3c74ff05459e4ea |
| SHA256 | 58b9918225aee046894cb3c6263687bfe4b5a5b8dff7196d72687d0f3f735034 |
| SHA512 | be458f811ad6a1f6b320e8d3e68e71062a8de686bae77c400d65091947b805c95024f3f1837e088cf5ecac5388d36f354285a6b57f91ea55567f19706128a043 |
C:\Users\Admin\AppData\Local\Temp\sexy\SimpleObfuscator.dll
| MD5 | 9043d712208178c33ba8e942834ce457 |
| SHA1 | e0fa5c730bf127a33348f5d2a5673260ae3719d1 |
| SHA256 | b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c |
| SHA512 | dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65 |
memory/2144-445-0x0000026BFC350000-0x0000026BFC4B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1qzqluca\1qzqluca.cmdline
| MD5 | f7e3232f7b144ff28ca9eb34328580c8 |
| SHA1 | 38abebf59986c82518de76de56137773d4921020 |
| SHA256 | 117dafe3a4705d449528e5e09d4b07c0f2542ac121872b73bb1b5bf1607a23a1 |
| SHA512 | be2721fa375ca0cfaa56affa28839f4d1f7d6ae16df1a1d99b683b54a0b669fba6d6ec78d8c6546f1794b3f9fbc339588aa0fe31672581ef50e231066f6f858c |
C:\Users\Admin\AppData\Local\Temp\1qzqluca\1qzqluca.0.vb
| MD5 | 66836c766dcc211f911a4e39e3e69981 |
| SHA1 | 7d098efe4c98e1d91cf4a18bb1c2152fb6c43f5a |
| SHA256 | 7d4c1a4255eaa7f18f3d627bbc5d4c3cbd8fcf17d35d0f4807478de375fe9ea1 |
| SHA512 | 8c7bed1205bec1f401905eb52c4870c346de7ba7794bc53d82cb32417587573cac66d400af625d41f907156ad40d6d08de94e79adee591b2bc6ffff0c997eab9 |
C:\Users\Admin\AppData\Local\Temp\vbcA005F5F473C14F3696A86A47FD3AC62.TMP
| MD5 | d40c58bd46211e4ffcbfbdfac7c2bb69 |
| SHA1 | c5cf88224acc284a4e81bd612369f0e39f3ac604 |
| SHA256 | 01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca |
| SHA512 | 48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68 |
C:\Users\Admin\AppData\Local\Temp\RES8AAB.tmp
| MD5 | 81e47cd11acfd797fcfbcc19ca6014aa |
| SHA1 | 247c066f0f2a05250fecc920b7c41ceec7dec5cb |
| SHA256 | d3269b1b8a24998f26b3e7e40603600e54595eaf4882e5d13ce583384d235727 |
| SHA512 | fbf8ff7bb6212530185e22cc5adcecce5711a8999d303faf314fbd61ed96e214d7482946a949a78c90fefb67bd527935d4f655e415e5576369209f153dc5418c |