Overview

overview

10

Static

static

10

XWorm v5.6...0r.zip

windows10-2004-x64

5

XWorm v5.6...IP.dat

windows10-2004-x64

1

XWorm v5.6...1).ico

windows10-2004-x64

1

XWorm v5.6...0).ico

windows10-2004-x64

1

XWorm v5.6...1).ico

windows10-2004-x64

1

XWorm v5.6...2).ico

windows10-2004-x64

1

XWorm v5.6...3).ico

windows10-2004-x64

1

XWorm v5.6...4).ico

windows10-2004-x64

1

XWorm v5.6...5).ico

windows10-2004-x64

1

XWorm v5.6...6).ico

windows10-2004-x64

1

XWorm v5.6...7).ico

windows10-2004-x64

1

XWorm v5.6...2).ico

windows10-2004-x64

1

XWorm v5.6...3).ico

windows10-2004-x64

1

XWorm v5.6...4).ico

windows10-2004-x64

1

XWorm v5.6...5).ico

windows10-2004-x64

1

XWorm v5.6...6).ico

windows10-2004-x64

1

XWorm v5.6...7).ico

windows10-2004-x64

1

XWorm v5.6...8).ico

windows10-2004-x64

1

XWorm v5.6...9).ico

windows10-2004-x64

1

XWorm v5.6...gs.txt

windows10-2004-x64

1

XWorm v5.6...io.dll

windows10-2004-x64

1

XWorm v5.6...on.dll

windows10-2004-x64

1

XWorm v5.6...ws.dll

windows10-2004-x64

1

XWorm v5.6...at.dll

windows10-2004-x64

1

XWorm v5.6...um.dll

windows10-2004-x64

1

XWorm v5.6...rd.dll

windows10-2004-x64

1

XWorm v5.6...ss.dll

windows10-2004-x64

1

XWorm v5.6...er.dll

windows10-2004-x64

1

XWorm v5.6...er.dll

windows10-2004-x64

1

XWorm v5.6...er.dll

windows10-2004-x64

1

XWorm v5.6...at.wav

windows10-2004-x64

6

XWorm v5.6...ro.wav

windows10-2004-x64

6

Resubmissions

08-08-2024 19:37

240808-ybxnzayblk 10

Analysis

  • max time kernel
    272s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-08-2024 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm v5.6 Edition Cracked By @Drcrypt0r/Sounds/Chat.wav

  • Size

    45KB

  • MD5

    832a3652fd780edcdb2439ec33532c0d

  • SHA1

    f0754ee6519d77700f5ee5b744b8c99386d7b577

  • SHA256

    45f4136e58a5f749d125d2ab54308f81954d2c5b364b66013660a6c358845d1e

  • SHA512

    3b3b55afcdfa00d9b7085b20ed52a7b4d8b7d403f5d0d1c539781db1a20257efd8c856e19b8f32ea33766a580690b498ff063849519691a9a4cbbcd3e9447cd4

  • SSDEEP

    768:QVPqefmaP5C3KduJn13jSHYHzIcr6DPW75Pvi3Fy5NQbIbhuJLA+LhDclY3Rp6:yP1mU5GlJnBS4TIQ6o163ofQ8b4Pfm

Score
6/10
discovery

Malware Config

Signatures

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Sounds\Chat.wav"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1604
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:1704
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2cc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4232

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    64KB

    MD5

    987a07b978cfe12e4ce45e513ef86619

    SHA1

    22eec9a9b2e83ad33bedc59e3205f86590b7d40c

    SHA256

    f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

    SHA512

    39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    fe5f50dfb0dce9d757c2c6a5cd917560

    SHA1

    6f30c8997848adc5277f11530237f024af6dd97e

    SHA256

    803b78286206e61f538b8927e88fd9b3aa3db797572daf6e3c6673df524f1f94

    SHA512

    ac5bb95843a96dcafd2a0ad9c2444eed534bba0afcf9e4e004f19f9681109cdd331ac3deb789e235d3d7f02ea6e08f1dc217832f59b5573a32e6693ff62d266c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize

    68KB

    MD5

    dd12be02d5bf13e4d864f38be6aad763

    SHA1

    a22a6a5c931fa5898257c029c2107ec44150b954

    SHA256

    314f4e5527ecacb60ccf06488652e83b620ccd99828d05fa8660cc01e86dc524

    SHA512

    31d89b5f60869f72e8cfb9174c9ffed1215809cc0f2ad5a9b0d2836ce166d994e9a36d3180f92815a01dd7c9a7bf9344b37436518bf6edd564921149f70e5810

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
    Filesize

    498B

    MD5

    90be2701c8112bebc6bd58a7de19846e

    SHA1

    a95be407036982392e2e684fb9ff6602ecad6f1e

    SHA256

    644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

    SHA512

    d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    5433eab10c6b5c6d55b7cbd302426a39

    SHA1

    c5b1604b3350dab290d081eecd5389a895c58de5

    SHA256

    23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

    SHA512

    207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    67b4a64882248900c4a186951a1070d9

    SHA1

    179bce11e3ecd06da56b0cba8d6430a109bc165f

    SHA256

    672eeee013cbd9c75d762612ae9266bc5522e9a44330e212480f578ab6b55c77

    SHA512

    4b941fb1cd2ba131e8d6e69ce0eea7d6645a0fb35982f9dcb6b20ee887b6dfc9ef95bc677f53aaf865b1c33fd4a325e412abe3d138102217b05b268e4f0b4a56

    Download Submit

  • memory/1144-28-0x0000000007370000-0x0000000007380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1144-27-0x0000000007370000-0x0000000007380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1144-32-0x0000000007370000-0x0000000007380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1144-31-0x0000000007370000-0x0000000007380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1144-29-0x0000000007370000-0x0000000007380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1144-30-0x0000000007370000-0x0000000007380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1144-47-0x0000000007CD0000-0x0000000007CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1144-54-0x0000000007CD0000-0x0000000007CE0000-memory.dmp

    Filesize

    64KB

    Download