Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02-08-2024 22:47
Behavioral task: behavioral1
Sample: XWorm V5.2.rar
Resource: win7-20240708-en
8 signatures, 150 seconds

Behavioral task: behavioral2
Sample: XWorm V5.2.rar
Resource: win10v2004-20240802-en
8 signatures, 150 seconds
General
Target: XWorm V5.2.rar
Size: 50.1MB
MD5: 9708d19fa9f583748f252f35606a84e8
SHA1: 9817368991be44c479eef076338361455efb90f2
SHA256: 6bde76de6064f5cb941da866a26b81f18d4a7e3d738d416238fa73c0b01149a7
SHA512: d7a829b3001e45ac69ff521d7c8a94739d520abaf46fd8b6426b58faed73f296310c8990c5bd0dd17b2efd55efd2698c37fe5b7fa169aa3378abb268ebc3170a
SSDEEP: 1572864:v35cgiPnjmoHYeSF+v88It5VCpbmrfi37J:vJcpPS9208mHCIzirJ
Score: 3/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
Processes: rundll32.exe, rundll32.exe
  description   ioc                                                                                    process
  Key created   \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings   rundll32.exe
  Key created   \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings   rundll32.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: vlc.exe
  pid    process
  2068   vlc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: vlc.exe
  pid    process
  2068   vlc.exe

Suspicious use of FindShellTrayWindow (15 IoCs)
Processes: vlc.exe
  pid    process
  2068   vlc.exe   (15 identical entries)

Suspicious use of SendNotifyMessage (14 IoCs)
Processes: vlc.exe
  pid    process
  2068   vlc.exe   (14 identical entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: vlc.exe
  pid    process
  2068   vlc.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: cmd.exe, rundll32.exe, rundll32.exe
  description                     pid    process        target process
  PID 2884 wrote to memory of 2740   2884   cmd.exe        rundll32.exe   (3 identical entries)
  PID 2740 wrote to memory of 2668   2740   rundll32.exe   rundll32.exe   (3 identical entries)
  PID 2668 wrote to memory of 2068   2668   rundll32.exe   vlc.exe        (3 identical entries)
Processes
[1] C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"
    PID: 2884
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar
        PID: 2740
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar
            PID: 2668
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            [4] C:\Program Files\VideoLAN\VLC\vlc.exe
                "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"
                PID: 2068
                - Suspicious behavior: AddClipboardFormatListener
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of SetWindowsHookEx