c4f4cc66ba639e26c23684103c5f3d229bcbf19a005e572d79f157fca9500859

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.4.exe
Size

136KB
MD5

7777356c70b6cfe98efcb0c2ec2a58d5
SHA1

84c92c257c0ca88481be3d3e05064b89a265a571
SHA256

c4f4cc66ba639e26c23684103c5f3d229bcbf19a005e572d79f157fca9500859
SHA512

872fbdc59034cc2fb0d1521f2c2ee891e205b992d72fd91bfd56531014edf3c31d0ae121e1b40fc37e8ba21c4170af3f3f5d500c466a9ea150392aa037825a6d
SSDEEP

1536:nxkAni0GTlyywlA/tX5AJ4bQoFr5e1wUvaFYtZxdyQ2U:xkAn8TlyyzWmbQoFr5B07byQR

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm V5.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2760	1968	XWorm V5.4.exe	30
PID 1968 wrote to memory of 2760	1968	XWorm V5.4.exe	30
PID 1968 wrote to memory of 2760	1968	XWorm V5.4.exe	30
PID 1968 wrote to memory of 2760	1968	XWorm V5.4.exe	30

C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\i6.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\i6.bat

Filesize
173B

MD5
0f8f70e88009593eefaa155a8e31b1d6

SHA1
eabcc3f2135e0919e9456da0a4b1084f3382d4b6

SHA256
941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b

SHA512
94df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750

Download Submit