7c65d3e792ca1c0c5ed98143c7ce93684b8e3f78e12d122e5f220f29e2516027

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-3.1-main/GeoIP.dat
Size

1.2MB
MD5

8ef41798df108ce9bd41382c9721b1c9
SHA1

1e6227635a12039f4d380531b032bf773f0e6de0
SHA256

bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA512

4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
SSDEEP

24576:0L/59ah0USm3uwl00odi9AnW1fUmdbxv6bA3wOzRAc3InsZLONMrZb:+/59a6USdi9Ues6bV6boLO6rZ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\dat_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.dat\ = "dat_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\dat_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\dat_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\dat_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.dat	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\dat_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2816	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2816	AcroRd32.exe
2816	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2884	1540	cmd.exe	29
PID 1540 wrote to memory of 2884	1540	cmd.exe	29
PID 1540 wrote to memory of 2884	1540	cmd.exe	29
PID 2884 wrote to memory of 2816	2884	rundll32.exe	30
PID 2884 wrote to memory of 2816	2884	rundll32.exe	30
PID 2884 wrote to memory of 2816	2884	rundll32.exe	30
PID 2884 wrote to memory of 2816	2884	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\XWorm-3.1-main\GeoIP.dat
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\XWorm-3.1-main\GeoIP.dat
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-3.1-main\GeoIP.dat"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
ec4b99a4680bd8a362863d513ee2138f

SHA1
e98fbcb08803a3b1b4e58cf59a369ffbe6d930f1

SHA256
4ea7a044976aa5bc90d2082b232927081e74bfb78bac9dc4d5ca465634e34c95

SHA512
f2852dc72fa174fa5c7679134285564130a46b3e9b3648a9c619fded9983b9d8bd40677ba872b2066d0feff29eeae8d0a521650212593cf7c004612fe0db2eff

Download Submit