Analysis Overview
SHA256
a4f522406a7b1a0ae35eb4682549ac8f20ce1ca42f4cf11fad546df3e1d45dd2
Threat Level: Known bad
The file Xworm-V5.6.zip was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
AgentTesla
StormKitty payload
Contains code to disable Windows Defender
Agenttesla family
Stormkitty family
Xworm family
AgentTesla payload
Unsigned PE
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-01 05:42
Signatures
AgentTesla payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Agenttesla family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
StormKitty payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Stormkitty family
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-01 05:42
Reported
2024-07-01 05:43
Platform
win11-20240508-en
Max time kernel
4s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\RES\XWorm.Resources.vbs"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-01 05:42
Reported
2024-07-01 05:44
Platform
win11-20240508-en
Max time kernel
18s
Max time network
22s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\XWorm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\XWorm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\XWorm V5.6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\XWorm V5.6.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\XWorm V5.6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\XWorm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\XWorm V5.6.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C8
Network
Files
memory/3400-0-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp
memory/3400-1-0x000001DB5ED80000-0x000001DB5FAAA000-memory.dmp
memory/3400-2-0x000001DB7A4C0000-0x000001DB7A6B4000-memory.dmp
memory/3400-3-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
memory/3400-4-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
memory/3400-5-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
memory/3400-6-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
memory/3400-7-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp
memory/3400-8-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
memory/3400-12-0x000001DB03920000-0x000001DB0393E000-memory.dmp
memory/3400-13-0x000001DB03940000-0x000001DB0394B000-memory.dmp
memory/3400-9-0x000001DB03890000-0x000001DB038D6000-memory.dmp
memory/3400-11-0x000001DB03910000-0x000001DB0391D000-memory.dmp
memory/3400-10-0x000001DB038E0000-0x000001DB038E9000-memory.dmp