hxxps://github[.]com/Cryakl/Ultimate-RAT-Collection/raw/main/XWorm/XWorm%20V5[.]6/XWorm%20V5[.]6[.]7z[.]001

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Cryakl/Ultimate-RAT-Collection/raw/main/XWorm/XWorm%20V5.6/XWorm%20V5.6.7z.001

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
10	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2388	msedge.exe
2388	msedge.exe
4036	msedge.exe
4036	msedge.exe
4308	identity_helper.exe
4308	identity_helper.exe
1636	msedge.exe
1636	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2188	7zG.exe
4496	7zG.exe
1212	OpenWith.exe
544	7zFM.exe
4452	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	2188	7zG.exe
Token: 35	2188	7zG.exe
Token: SeSecurityPrivilege	2188	7zG.exe
Token: SeSecurityPrivilege	2188	7zG.exe
Token: SeRestorePrivilege	4496	7zG.exe
Token: 35	4496	7zG.exe
Token: SeSecurityPrivilege	4496	7zG.exe
Token: SeSecurityPrivilege	4496	7zG.exe
Token: SeRestorePrivilege	544	7zFM.exe
Token: 35	544	7zFM.exe
Token: SeSecurityPrivilege	544	7zFM.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
2188	7zG.exe
4496	7zG.exe
544	7zFM.exe
544	7zFM.exe
544	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
2332	OpenWith.exe
1212	OpenWith.exe
1212	OpenWith.exe
1212	OpenWith.exe
1212	OpenWith.exe
1212	OpenWith.exe
1212	OpenWith.exe
1212	OpenWith.exe
1212	OpenWith.exe
1212	OpenWith.exe
1212	OpenWith.exe
1212	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
4452	OpenWith.exe
2624	AcroRd32.exe
2624	AcroRd32.exe
2624	AcroRd32.exe
2624	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 1624	4036	msedge.exe	84
PID 4036 wrote to memory of 1624	4036	msedge.exe	84
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 4116	4036	msedge.exe	86
PID 4036 wrote to memory of 2388	4036	msedge.exe	87
PID 4036 wrote to memory of 2388	4036	msedge.exe	87
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88
PID 4036 wrote to memory of 3084	4036	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Cryakl/Ultimate-RAT-Collection/raw/main/XWorm/XWorm%20V5.6/XWorm%20V5.6.7z.001
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff81d546f8,0x7fff81d54708,0x7fff81d54718
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,56187304961606908,12597812330736535733,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3212 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1576

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm V5.6\" -ad -an -ai#7zMap11418:88:7zEvent18663
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2188

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm V5.6\" -spe -an -ai#7zMap1602:88:7zEvent16226
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm V5.6.7z.001"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4452
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO022A2009\XWorm V5.6.7z"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2624
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3696
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=121C693990AE161F9E05A442D55B767D --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3992
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8F43C71F7EB976925060F9F1AD9C570D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8F43C71F7EB976925060F9F1AD9C570D --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3244
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C1445DD78EF4D7439684F0702A5EC6B2 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4276
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FEB980FC91FCC70C665C600263A8A330 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1648
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=82908665318A04DBB02C4F14ED4B722B --mojo-platform-channel-handle=2388 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea9ef805116c4ab90b5800c7cd94ab71

SHA1
eb9c7b8922c8ef79eef1009ab7f530bb57fbbbea

SHA256
bff3e3629de76b8b8dd001c3d8fb986e841c392dfe1982081751b92f5bd567b0

SHA512
8c907d2616ce16cfe08ddeb632f93402e765c5d9430a46e90ab5ea32d4df0a854c6007b19f9b0168254ab7aadf720fed8c68d1a055704db09c1b36c201a9b3b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
347755403306a2694773b0c232d3ab2c

SHA1
94d908aa90533fcaef3f1eb5aa93fee183d5f6ac

SHA256
d43f2dd4ac5b6ba779100eb8b84bc92fc8700bedcd339a801c5260b1bb3ce3bf

SHA512
98f1fb18bc34dfc224132dfa2a2e6a131b280b25fcb516fac3bb66da2a47c7a7061124881de6fa5f65602663dc0ea71357b171a3346bb1514176943438322253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a0aac80ddb86019decce1e4eaae4501f

SHA1
1ed5182dd34e326e68a787ba7ec56f7804418dbf

SHA256
ee8e8481b2cf838cddb69aaf1ffe2eaafdb347ba392353f52bf6473fae3014d3

SHA512
7fd9e7450818116ed6572da81e70d1534f6460ecb98164200db6385480e75eb3f73d18cec1c2489ec0367147ae0eff61c920e0e92a02b103ed8a18542c0e243c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e13e3d47974a878f4400f392b3289bd2

SHA1
a79bccdf47267caa9c9ddd42cc90c200e2c543fe

SHA256
198fc4dda53cc0b0e087eee98f6777189cf7a06e589aac79cf071b6a20f9fb2d

SHA512
94cdf4bcdbbb4a7648546c331a01025b822adf925c52e7f5240a17cd648918ca92b38d1b32698b25c42f4215940cbfcfcf5f21e0a9a6500bb94ac831c15dc412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fd048badea91fb0c03f1b521613211e2

SHA1
d6ec4f9e0b7edc9a6e7da5e27e7dcb5b17c28f23

SHA256
a4e89649986a65c2dc1855015db5d51cf4ecdad7f4a7b546d99ddf723cb36a77

SHA512
604ae338cde2adaba0499c0ed41fd6df4276a8e459df6a182ea79bad4c21fa03730d353b4a36ad435a648d95fa5304e74aa607594b73f8400568a4c8c0318e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9306289305a6d10cab738d1172c5aefa

SHA1
94e439f9e0041a34816ad516617f00aea864b787

SHA256
f02cd1c0575b32231cc8ba0dac1dbd685d979ff7045aca2de6bfe48eb3a386b2

SHA512
3e1660df91ebb6d55b1d4ccdd6372d444d768f6f0d177f0796c2653113d894998f45bf3e3af82fcbb6ad3aff4ffa09bcaef1c8fdc1ae67468d56725a47bf510b

Download Submit
C:\Users\Admin\Downloads\XWorm V5.6.7z.001

Filesize
10.0MB

MD5
50253a2aa1e12ffb8e4bb1d17fe77e58

SHA1
a2f657b9487b80dba040c8ff429b2d95ead6366f

SHA256
52fdd97a6cb0b19ef2fdcac2ea3f430e40e423a32a513ce7bce075e47aa526d8

SHA512
0d1f6a1679978b4a61dd4e9201356c50929f27c766f9645777a844f311f687bea59b31de33d4ea72f62de371c2db95a71a2aafff344ccaf222094e5fc079c996

Download Submit