Analysis
-
max time kernel
117s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
24/06/2024, 12:23
General
-
Target
Xworm-V5.6.rar
-
Size
20.9MB
-
MD5
fdbb726bb80ec771b3296a715153d518
-
SHA1
818f734ecfa2b86d06d0154db2aeb3ace92b2283
-
SHA256
e407a948340cdfcd470f25d6a891864e2aea65f06d007cc9d7bd4893b0682319
-
SHA512
b6f79f8e3182113efb6c8fb246f3bf149991a7e2255d6417d19dd478e681c08d8c3ad97d500a43609eb0dbcf5777daf58df5920e00aa40c516d5b1e46f8b3608
-
SSDEEP
393216:PV10n8N0/c2lDGdlMVSGpomu8u5E/ZsiLh5UirAxl9YVjxWiqcrOsb:PQn8N002A6IGS5E/RTrA89WiX9b
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6.rar1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6.rar"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6.rar3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3428.0.2048677237\1717247376" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d39f5fa0-1eb1-43a6-88ab-bec414e1bd33} 3428 "\\.\pipe\gecko-crash-server-pipe.3428" 1868 248c700f058 gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3428.1.399993185\1841222948" -parentBuildID 20230214051806 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a6983a2-799d-4a45-88c5-89e88c24346b} 3428 "\\.\pipe\gecko-crash-server-pipe.3428" 2460 248ba38a658 socket4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3428.2.999935552\60140326" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2996 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1244 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {714c2053-2595-4433-808d-6aa6aec4f53c} 3428 "\\.\pipe\gecko-crash-server-pipe.3428" 2948 248c9646b58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3428.3.553338897\1871941412" -childID 2 -isForBrowser -prefsHandle 4044 -prefMapHandle 4040 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1244 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a481b0a-0a9f-4e9b-b3f8-dbed6cf6a166} 3428 "\\.\pipe\gecko-crash-server-pipe.3428" 4052 248cb49ab58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3428.4.694392122\663392515" -childID 3 -isForBrowser -prefsHandle 5048 -prefMapHandle 5232 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1244 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ff32eb0-a367-4c03-aa45-8358f7cb79d4} 3428 "\\.\pipe\gecko-crash-server-pipe.3428" 5096 248cc236658 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3428.5.1218975754\773689848" -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5516 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1244 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d09c383-5543-401f-9626-c17187b440c1} 3428 "\\.\pipe\gecko-crash-server-pipe.3428" 5436 248ce45ef58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3428.6.1962408888\1849077775" -childID 5 -isForBrowser -prefsHandle 5704 -prefMapHandle 5700 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1244 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0255705-ef50-4c17-b6d3-be0bfe4aad81} 3428 "\\.\pipe\gecko-crash-server-pipe.3428" 5712 248ce45f258 tab4⤵
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Xworm-V5.6\" -spe -an -ai#7zMap14214:82:7zEvent261921⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\Xworm-V5.6\Xworm V5.6.exe"C:\Users\Admin\Downloads\Xworm-V5.6\Xworm V5.6.exe"1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x38c 0x3f81⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD5dcba97c83b7f101ee8c5ece31050e517
SHA14bb6dad6373719928a7facfbfd94af355ad3bf45
SHA2569e612e228ce19b9b137eb2e34895c8115149937fa578b341bc8d1234e63c5e24
SHA512a2cc884fa3002cb94662ac60417090b960407741ad2cffb5d947a01d700c04d41db0e0f5e08a32b8c2424d9c994a1d384ac4abecdaa586d3f5ad17a024a029b4
-
Filesize
7KB
MD52ebcdb5d13df4ec289b06ac8a78f2566
SHA1cf962f83806e40fa7d420deb527a9ead3dcd7a7d
SHA25632c8eb9b37a0e079bc565cf390d5c4e4e799004c40d8c0bf823f378fd3959963
SHA5121b7b26a37a4420c23e4a999f5c00d316350f943b5d2b848f89c8005cf13892a9e6fddc9df78565dd42010c71bd93e1d53cd39eed5baf15a50fb79ef2d52fe1a8
-
Filesize
7KB
MD5dc890f7ec9a78e0818dc6c4ba4f63a08
SHA1194778111aa86f3230b781bfedd0be3a6f9a5317
SHA256f7f2a40f4afe3175f9f8d4914bc650a5f985d989e4cc185e03215d9ef8eb277d
SHA51285aba0f4e928d1c3c8bc642bd556b82879042be588607792e5446943fbfed90ce9ca45328864ffe52739d5c8ed5afc86c47fd9ea9353beef7e16a60bef52a4d8
-
Filesize
6KB
MD562badadfee9a6b43afe4a89c3495e066
SHA1335726e1a6a6ea4e0900d5370ee00c9617e941d5
SHA256f736d3694a1811259d9b3c3c766aef4d1b12a63416138c01a1a13bee68176a4a
SHA512ee1e09790cdda1064666c0b0fed62db629704215259e7756b11dc00a646a6f475e7f1d8813cc420e4b48b0cf79f0f561548344796f11ffa806ef5c99d6fcabef
-
Filesize
1KB
MD52fb95c56c38ab769d18256d40e727ae6
SHA1836a6a1018424a3026d4b87a33a321728bdaf3dc
SHA256196aebd4f4d4651756ddc69f4645b3fe2c8f8351c4f60f38a912920a0233b8ab
SHA51221e0f723049673bcbdf35d91c5fae3c6f8fc57f5a3f82fc9282e9326945734772c90487f3433763e4ad3a163d602dbf081d57244ba6484bf1a186d9a44dadb91
-
Filesize
640B
MD5cc4a5e9c444ca1689853aa9664395a4d
SHA11af1859aba38f3d85248f1e41499e0bcf885bf6b
SHA256353d6dc73ed42c8d539de817d2fee3870decda61cf53a1850ad4180c38d6cc11
SHA512585115943d7b6c26ed3524887a8008a49bd2ab399970a27ddd2e8b1c2aaf27d3f4ae99461789dd9bb8e73bb779d012e1c60bd8179fc6fbe957949009c1f2ed55
-
Filesize
20.9MB
MD5fdbb726bb80ec771b3296a715153d518
SHA1818f734ecfa2b86d06d0154db2aeb3ace92b2283
SHA256e407a948340cdfcd470f25d6a891864e2aea65f06d007cc9d7bd4893b0682319
SHA512b6f79f8e3182113efb6c8fb246f3bf149991a7e2255d6417d19dd478e681c08d8c3ad97d500a43609eb0dbcf5777daf58df5920e00aa40c516d5b1e46f8b3608
-
Filesize
1.2MB
MD58ef41798df108ce9bd41382c9721b1c9
SHA11e6227635a12039f4d380531b032bf773f0e6de0
SHA256bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA5124c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
Filesize
1.9MB
MD5bcc0fe2b28edd2da651388f84599059b
SHA144d7756708aafa08730ca9dbdc01091790940a4f
SHA256c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA5123bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
Filesize
361KB
MD5e3143e8c70427a56dac73a808cba0c79
SHA163556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA51274e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
Filesize
238KB
MD5ad3b4fae17bcabc254df49f5e76b87a6
SHA11683ff029eebaffdc7a4827827da7bb361c8747e
SHA256e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf
SHA5123d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3
-
Filesize
14.9MB
MD556ccb739926a725e78a7acf9af52c4bb
SHA15b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA25690f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
SHA5122fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1
-
Filesize
183B
MD566f09a3993dcae94acfe39d45b553f58
SHA19d09f8e22d464f7021d7f713269b8169aed98682
SHA2567ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14.9MB
-
Filesize
2.0MB