8ba9b12031e5f17c36580506ed7ee0c396175a7f569dafe47b800fbb83624a61

Analysis

max time kernel
39s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.6.zip
Size

17.3MB
MD5

f5afa2b8b3702b8a63cc8f3ef5347c92
SHA1

a2d3c8e8c082e05157db8e32d55c58ab22adb503
SHA256

8ba9b12031e5f17c36580506ed7ee0c396175a7f569dafe47b800fbb83624a61
SHA512

c1b84587484f89e5183e5d97819a28568ecd47ae55fdbfd53cc9493379c0110a2a1bb06cb5cafc35f44842f71dc50b02831474aed9cbb06b4043791f9893c13a
SSDEEP

393216:GyaLq4XFeuBc9Q+FW7GMm389HCjIR7kjJPGAKbtUb8qcz:Gy74XDBYQw6GP2kjNKtpz

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COM Surrogate.lnk	XWorm V5.6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COM Surrogate.lnk	XWorm V5.6.exe

Executes dropped EXE 1 IoCs

pid	Process
5032	COM Surrogate

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COM Surrogate = "C:\\Users\\Public\\COM Surrogate"	XWorm V5.6.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4412	XWorm V5.6.exe
4412	XWorm V5.6.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	XWorm V5.6.exe
Token: SeDebugPrivilege	4412	XWorm V5.6.exe
Token: SeDebugPrivilege	2300	XWorm V5.6.exe
Token: SeDebugPrivilege	5032	COM Surrogate

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4412	XWorm V5.6.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 624	4412	XWorm V5.6.exe	100
PID 4412 wrote to memory of 624	4412	XWorm V5.6.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\XWorm V5.6.zip"
1⤵
PID:2724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3076

C:\Users\Admin\Desktop\Xwrom\XWorm V5.6.exe
"C:\Users\Admin\Desktop\Xwrom\XWorm V5.6.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "COM Surrogate" /tr "C:\Users\Public\COM Surrogate"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:624

C:\Users\Admin\Desktop\Xwrom\XWorm V5.6.exe
"C:\Users\Admin\Desktop\Xwrom\XWorm V5.6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Users\Public\COM Surrogate
"C:\Users\Public\COM Surrogate"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\COM Surrogate

Filesize
476KB

MD5
bf1ccd2d127e4ac0dc4ad6307cd1b62f

SHA1
fc95eb4ec00d3b745fb97f7f8f140cfbe51c23ac

SHA256
b32c1554a1a62e6d4c30bad330e5146016fe11521671536c669b429b895e5a11

SHA512
0b6fcb5596904849c5d1ef7439af2849394a56a5f64d337b85cfe2158c8aff2c2a6db5a03c5464520537ec5a203f4c784db4e47d48dc16efdfe064a0e831a3ce

Download Submit
memory/4412-0-0x00007FFD049B3000-0x00007FFD049B5000-memory.dmp

Filesize
8KB

Download
memory/4412-1-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/4412-2-0x00007FFD049B0000-0x00007FFD05471000-memory.dmp

Filesize
10.8MB

Download
memory/4412-6-0x00007FFD049B3000-0x00007FFD049B5000-memory.dmp

Filesize
8KB

Download
memory/4412-10-0x00007FFD049B0000-0x00007FFD05471000-memory.dmp

Filesize
10.8MB

Download