Overview

overview

10

Static

static

10

XWorm v5.6...0r.zip

windows10-2004-x64

5

XWorm v5.6...IP.dat

windows10-2004-x64

1

XWorm v5.6...1).ico

windows10-2004-x64

1

XWorm v5.6...0).ico

windows10-2004-x64

1

XWorm v5.6...1).ico

windows10-2004-x64

1

XWorm v5.6...2).ico

windows10-2004-x64

1

XWorm v5.6...3).ico

windows10-2004-x64

1

XWorm v5.6...4).ico

windows10-2004-x64

1

XWorm v5.6...5).ico

windows10-2004-x64

1

XWorm v5.6...6).ico

windows10-2004-x64

1

XWorm v5.6...7).ico

windows10-2004-x64

1

XWorm v5.6...2).ico

windows10-2004-x64

1

XWorm v5.6...3).ico

windows10-2004-x64

1

XWorm v5.6...4).ico

windows10-2004-x64

1

XWorm v5.6...5).ico

windows10-2004-x64

1

XWorm v5.6...6).ico

windows10-2004-x64

1

XWorm v5.6...7).ico

windows10-2004-x64

1

XWorm v5.6...8).ico

windows10-2004-x64

1

XWorm v5.6...9).ico

windows10-2004-x64

1

XWorm v5.6...gs.txt

windows10-2004-x64

1

XWorm v5.6...io.dll

windows10-2004-x64

1

XWorm v5.6...on.dll

windows10-2004-x64

1

XWorm v5.6...ws.dll

windows10-2004-x64

1

XWorm v5.6...at.dll

windows10-2004-x64

1

XWorm v5.6...um.dll

windows10-2004-x64

1

XWorm v5.6...rd.dll

windows10-2004-x64

1

XWorm v5.6...ss.dll

windows10-2004-x64

1

XWorm v5.6...er.dll

windows10-2004-x64

1

XWorm v5.6...er.dll

windows10-2004-x64

1

XWorm v5.6...er.dll

windows10-2004-x64

1

XWorm v5.6...at.wav

windows10-2004-x64

6

XWorm v5.6...ro.wav

windows10-2004-x64

6

Resubmissions

08-08-2024 19:37

240808-ybxnzayblk 10

Analysis

  • max time kernel
    272s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-08-2024 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm v5.6 Edition Cracked By @Drcrypt0r/Sounds/Intro.wav

  • Size

    238KB

  • MD5

    ad3b4fae17bcabc254df49f5e76b87a6

  • SHA1

    1683ff029eebaffdc7a4827827da7bb361c8747e

  • SHA256

    e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

  • SHA512

    3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

  • SSDEEP

    3072:FU3hYG9X9JzhaLL5+QYKHZDa6D+4LT92KEpcP+b8FGUt0Ybs5e9jXjubLtNmBNs9:GjVsLL5lva6D+4P9llWvaGe9CHeBNm

Score
6/10
discovery

Malware Config

Signatures

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Sounds\Intro.wav"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1556
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:2604
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2f4 0x470
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    64KB

    MD5

    987a07b978cfe12e4ce45e513ef86619

    SHA1

    22eec9a9b2e83ad33bedc59e3205f86590b7d40c

    SHA256

    f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

    SHA512

    39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    8ec692343872f4eaf8cfee54f929e23e

    SHA1

    9c76e4f80a1d73069c6ea86c847e9804d0099ada

    SHA256

    440bff28f08e486b5b6fc3fa5f3d57df1ea81ee353708c4f5cb0a243684f4940

    SHA512

    34c22bdb5404eb420b07d0180609e1442e2668b83be304ef8e757e9362af3b4def60dbda068b6a32d34ee047f3392efcd358d691a14035240e6e9c81d98a6f0e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize

    68KB

    MD5

    9e42db252f9788b6a1bb9d6d6a6b2143

    SHA1

    eb5837bd5cda4aaa55ff6c079e1c6409c7399522

    SHA256

    022b43cce5ed1a022fbf1507b82d0fa1f38a146f9452e45c4a6243dab9348e93

    SHA512

    e4d062a316e19e6ceb73db5ae347d7ea013c3258e23fb2928cdfb4928d3d67bc2c945426fe784d1ec8fac269b019f53ec07a048085aaaa899cd2845dd6c4d879

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
    Filesize

    498B

    MD5

    90be2701c8112bebc6bd58a7de19846e

    SHA1

    a95be407036982392e2e684fb9ff6602ecad6f1e

    SHA256

    644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

    SHA512

    d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    2057dfab95452bc568188f08dacfd76d

    SHA1

    c19106bca30b0ce58d804d620592c4c806003141

    SHA256

    7eaae7d823ab580ce3a34c547f46c5b52896e4a6eed49dd6b868365eaf5d0fc6

    SHA512

    a08deb795db84474853f3d6ef14b40ae7e2b899b9070a271a1f399023994c1de36d165cf5351b2cdfecf322ed14f906b9cb4670ee3e90005feb2bca56d5acb5e

    Download Submit

  • memory/1400-33-0x0000000004560000-0x0000000004570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1400-31-0x0000000004560000-0x0000000004570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1400-32-0x0000000004560000-0x0000000004570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1400-34-0x0000000004560000-0x0000000004570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1400-36-0x0000000004560000-0x0000000004570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1400-35-0x0000000004560000-0x0000000004570000-memory.dmp

    Filesize

    64KB

    Download