Analysis
- max time kernel: 100s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-08-2024 22:47
Behavioral task: behavioral1
- Sample: XWorm V5.2.rar
- Resource: win7-20240708-en
- 8 signatures, 150 seconds

Behavioral task: behavioral2
- Sample: XWorm V5.2.rar
- Resource: win10v2004-20240802-en
- 8 signatures, 150 seconds
General
- Target: XWorm V5.2.rar
- Size: 50.1MB
- MD5: 9708d19fa9f583748f252f35606a84e8
- SHA1: 9817368991be44c479eef076338361455efb90f2
- SHA256: 6bde76de6064f5cb941da866a26b81f18d4a7e3d738d416238fa73c0b01149a7
- SHA512: d7a829b3001e45ac69ff521d7c8a94739d520abaf46fd8b6426b58faed73f296310c8990c5bd0dd17b2efd55efd2698c37fe5b7fa169aa3378abb268ebc3170a
- SSDEEP: 1572864:v35cgiPnjmoHYeSF+v88It5VCpbmrfi37J:vJcpPS9208mHCIzirJ
- Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: cmd.exe, OpenWith.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | cmd.exe
    Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | OpenWith.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: vlc.exe
    pid | process
    812 | vlc.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: OpenWith.exe, vlc.exe
    pid | process
    1264 | OpenWith.exe
    812 | vlc.exe
- Suspicious use of FindShellTrayWindow (10 IoCs)
  Processes: vlc.exe
    pid | process
    812 | vlc.exe (10 identical entries)
- Suspicious use of SendNotifyMessage (9 IoCs)
  Processes: vlc.exe
    pid | process
    812 | vlc.exe (9 identical entries)
- Suspicious use of SetWindowsHookEx (38 IoCs)
  Processes: OpenWith.exe, vlc.exe
    pid | process
    1264 | OpenWith.exe (37 identical entries)
    812 | vlc.exe (1 entry)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: OpenWith.exe
    description | pid | process | target process
    PID 1264 wrote to memory of 812 | 1264 | OpenWith.exe | vlc.exe
    PID 1264 wrote to memory of 812 | 1264 | OpenWith.exe | vlc.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"
  PID: 4892
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1264
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\VideoLAN\VLC\vlc.exe (child of OpenWith.exe)
    Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"
    PID: 812
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5068