Analysis
max time kernel: 118s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-09-2024 05:03

Static task: static1
Behavioral task: behavioral1
Sample: XWORM-V5.4.exe
Resource: win7-20240903-en
General
Target: XWORM-V5.4.exe
Size: 14.2MB
MD5: 741b1f2ee5826897af2ba2ec765296e4
SHA1: 706534d9c6a16354974b3b6fd6d1f620524b7dd1
SHA256: 0b142a5773fcd9ae5cbb967f748e8da9a89e74aa50a0e1cd52f3aaa313bc749d
SHA512: a0b14ab280d906a8ad1681e335d30a457b02355cc941d12208f2ef460a9b1f700b84789749ee2080fb4351cce09e3cceeb9fea94478c3c81ae1fb184892de03a
SSDEEP: 196608:q1X5v7sGYYHDZH3OrlZPtgLklkC9sSJP/rSzQHvWSpdUorPr/kvmXhJ9aCD:qHqDVgV+9kQH+SfLdrnD
Malware Config
Extracted
xworm
5.0
45.141.26.197:7000
9nYi5R05H806aXaO
Install_directory: %AppData%
install_file: VLC_Media.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
resource                                                                     yara_rule
C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe                          family_xworm
behavioral1/memory/2264-12-0x0000000000150000-0x0000000000182000-memory.dmp  family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid   process
2768  powershell.exe
2456  powershell.exe
560   powershell.exe
1532  powershell.exe
Drops startup file (2 IoCs)
Processes:
description                   ioc                                                                                    process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk  VLC_Media.exe.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk  VLC_Media.exe.exe
Executes dropped EXE (2 IoCs)
Processes:
pid   process
1876  XWorm V5.4.exe
2264  VLC_Media.exe.exe
Loads dropped DLL (1 IoCs)
Processes:
pid   process
1876  XWorm V5.4.exe
Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource                                                                     yara_rule
C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe                             agile_net
behavioral1/memory/1876-13-0x0000000000F60000-0x0000000001D40000-memory.dmp  agile_net
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4     ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid   process
2768  powershell.exe
2456  powershell.exe
560   powershell.exe
1532  powershell.exe
2264  VLC_Media.exe.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  2264  VLC_Media.exe.exe
Token: SeDebugPrivilege  1876  XWorm V5.4.exe
Token: SeDebugPrivilege  2768  powershell.exe
Token: SeDebugPrivilege  2456  powershell.exe
Token: SeDebugPrivilege  560   powershell.exe
Token: SeDebugPrivilege  1532  powershell.exe
Token: SeDebugPrivilege  2264  VLC_Media.exe.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid   process
2264  VLC_Media.exe.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
description                        pid   process            target process
PID 1872 wrote to memory of 1876   1872  XWORM-V5.4.exe     XWorm V5.4.exe
PID 1872 wrote to memory of 1876   1872  XWORM-V5.4.exe     XWorm V5.4.exe
PID 1872 wrote to memory of 1876   1872  XWORM-V5.4.exe     XWorm V5.4.exe
PID 1872 wrote to memory of 2264   1872  XWORM-V5.4.exe     VLC_Media.exe.exe
PID 1872 wrote to memory of 2264   1872  XWORM-V5.4.exe     VLC_Media.exe.exe
PID 1872 wrote to memory of 2264   1872  XWORM-V5.4.exe     VLC_Media.exe.exe
PID 1876 wrote to memory of 2904   1876  XWorm V5.4.exe     WerFault.exe
PID 1876 wrote to memory of 2904   1876  XWorm V5.4.exe     WerFault.exe
PID 1876 wrote to memory of 2904   1876  XWorm V5.4.exe     WerFault.exe
PID 2264 wrote to memory of 2768   2264  VLC_Media.exe.exe  powershell.exe
PID 2264 wrote to memory of 2768   2264  VLC_Media.exe.exe  powershell.exe
PID 2264 wrote to memory of 2768   2264  VLC_Media.exe.exe  powershell.exe
PID 2264 wrote to memory of 2456   2264  VLC_Media.exe.exe  powershell.exe
PID 2264 wrote to memory of 2456   2264  VLC_Media.exe.exe  powershell.exe
PID 2264 wrote to memory of 2456   2264  VLC_Media.exe.exe  powershell.exe
PID 2264 wrote to memory of 560    2264  VLC_Media.exe.exe  powershell.exe
PID 2264 wrote to memory of 560    2264  VLC_Media.exe.exe  powershell.exe
PID 2264 wrote to memory of 560    2264  VLC_Media.exe.exe  powershell.exe
PID 2264 wrote to memory of 1532   2264  VLC_Media.exe.exe  powershell.exe
PID 2264 wrote to memory of 1532   2264  VLC_Media.exe.exe  powershell.exe
PID 2264 wrote to memory of 1532   2264  VLC_Media.exe.exe  powershell.exe
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\XWORM-V5.4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\XWORM-V5.4.exe"
    PID: 1872
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe"
        PID: 1876
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 1876 -s 664
            PID: 2904

    C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"
        PID: 2264
        - Drops startup file
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe'
            PID: 2768
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe.exe'
            PID: 2456
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VLC_Media.exe'
            PID: 560
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
            PID: 1532
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 176KB
MD5: a9376f54dd83bf547f6188f8904ae3af
SHA1: 85bb802b0ade5b2136c83e6217a2aaace3735edc
SHA256: 44661d9d0df9aa2e03844719c9e6963a738e431c565f0983d309a0e113508d17
SHA512: 71a4e6251e201441ccc1ae9633790b977a898e6f42b0d25f4c54d66d99311dad5b63e25f7ac703e932db5a526290f95e9abfe2158b72cd21e8564ac1942a48a9

Filesize: 13.8MB
MD5: efb0528d6978337e964d999dacb621df
SHA1: 244979b8495d3d173a4359d62ad771f99a0033fc
SHA256: 4786ac3ceb9ecdcb98bdd19a0e93750e6c9c0df460751994840f8ea9733cc491
SHA512: 4b16aca5638094741a9e5f0e4581b5c3cdbd77835035362468d2a0e077fba0f96b8dd98c4a4ea853b3b623d5b525fe64091daa1b761597b660840a371fbae0df

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 687800281806c0f528e7ed164096e415
SHA1: d26990fd449bb00eaabf68065cee6a756c1f761f
SHA256: 31fe225fc6dcb3a8547c1d65c61162e5be22866d81d8b03565f6e8e425118dc8
SHA512: c252055fb06ed1ef9b03a4dd277d9e91afcbab8ef349549f18f6b4fa0c96c80818ddf2a972a7a52143e188cd9bc09235f71c6e68db388854539dde5a3a7e7883

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 112KB
MD5: 2f1a50031dcf5c87d92e8b2491fdcea6
SHA1: 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA256: 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA512: 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8