Analysis
-
max time kernel
121s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
04-09-2024 14:06
Static task
static1
Behavioral task
behavioral1
Sample
XWORM-V5.4.exe
Resource
win7-20240903-en
General
-
Target
XWORM-V5.4.exe
-
Size
14.2MB
-
MD5
741b1f2ee5826897af2ba2ec765296e4
-
SHA1
706534d9c6a16354974b3b6fd6d1f620524b7dd1
-
SHA256
0b142a5773fcd9ae5cbb967f748e8da9a89e74aa50a0e1cd52f3aaa313bc749d
-
SHA512
a0b14ab280d906a8ad1681e335d30a457b02355cc941d12208f2ef460a9b1f700b84789749ee2080fb4351cce09e3cceeb9fea94478c3c81ae1fb184892de03a
-
SSDEEP
196608:q1X5v7sGYYHDZH3OrlZPtgLklkC9sSJP/rSzQHvWSpdUorPr/kvmXhJ9aCD:qHqDVgV+9kQH+SfLdrnD
Malware Config
Extracted
Family             xworm
Version            5.0
C2                 45.141.26.197:7000
                   9nYi5R05H806aXaO
-
Install_directory  %AppData%
-
install_file       VLC_Media.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource                                                                      yara_rule
C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe                           family_xworm
behavioral1/memory/2112-13-0x00000000013E0000-0x0000000001412000-memory.dmp   family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run the dropped VLC_Media.exe.exe spawns four separate powershell.exe processes: two -ExclusionPath additions (its own Temp path and %AppData%\VLC_Media.exe, the install location named in the extracted config) and two -ExclusionProcess additions (VLC_Media.exe.exe and VLC_Media.exe).
Processes:
pid   process
2656  powershell.exe
2652  powershell.exe
1992  powershell.exe
3020  powershell.exe
Drops startup file 2 IoCs
Processes:
description                   ioc                                                                                         process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk  VLC_Media.exe.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk  VLC_Media.exe.exe
Executes dropped EXE 2 IoCs
Processes:
pid   process
2916  XWorm V5.4.exe
2112  VLC_Media.exe.exe
Loads dropped DLL 1 IoCs
Processes:
pid   process
2916  XWorm V5.4.exe
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource                                                                      yara_rule
C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe                              agile_net
behavioral1/memory/2916-11-0x0000000001260000-0x0000000002040000-memory.dmp   agile_net
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4     ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid   process
2656  powershell.exe
2652  powershell.exe
1992  powershell.exe
3020  powershell.exe
2112  VLC_Media.exe.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2112  VLC_Media.exe.exe
Token: SeDebugPrivilege  2916  XWorm V5.4.exe
Token: SeDebugPrivilege  2656  powershell.exe
Token: SeDebugPrivilege  2652  powershell.exe
Token: SeDebugPrivilege  1992  powershell.exe
Token: SeDebugPrivilege  3020  powershell.exe
Token: SeDebugPrivilege  2112  VLC_Media.exe.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2112  VLC_Media.exe.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description                        pid   process            target process
PID 2368 wrote to memory of 2916   2368  XWORM-V5.4.exe     XWorm V5.4.exe
PID 2368 wrote to memory of 2916   2368  XWORM-V5.4.exe     XWorm V5.4.exe
PID 2368 wrote to memory of 2916   2368  XWORM-V5.4.exe     XWorm V5.4.exe
PID 2368 wrote to memory of 2112   2368  XWORM-V5.4.exe     VLC_Media.exe.exe
PID 2368 wrote to memory of 2112   2368  XWORM-V5.4.exe     VLC_Media.exe.exe
PID 2368 wrote to memory of 2112   2368  XWORM-V5.4.exe     VLC_Media.exe.exe
PID 2916 wrote to memory of 2944   2916  XWorm V5.4.exe     WerFault.exe
PID 2916 wrote to memory of 2944   2916  XWorm V5.4.exe     WerFault.exe
PID 2916 wrote to memory of 2944   2916  XWorm V5.4.exe     WerFault.exe
PID 2112 wrote to memory of 2656   2112  VLC_Media.exe.exe  powershell.exe
PID 2112 wrote to memory of 2656   2112  VLC_Media.exe.exe  powershell.exe
PID 2112 wrote to memory of 2656   2112  VLC_Media.exe.exe  powershell.exe
PID 2112 wrote to memory of 2652   2112  VLC_Media.exe.exe  powershell.exe
PID 2112 wrote to memory of 2652   2112  VLC_Media.exe.exe  powershell.exe
PID 2112 wrote to memory of 2652   2112  VLC_Media.exe.exe  powershell.exe
PID 2112 wrote to memory of 1992   2112  VLC_Media.exe.exe  powershell.exe
PID 2112 wrote to memory of 1992   2112  VLC_Media.exe.exe  powershell.exe
PID 2112 wrote to memory of 1992   2112  VLC_Media.exe.exe  powershell.exe
PID 2112 wrote to memory of 3020   2112  VLC_Media.exe.exe  powershell.exe
PID 2112 wrote to memory of 3020   2112  VLC_Media.exe.exe  powershell.exe
PID 2112 wrote to memory of 3020   2112  VLC_Media.exe.exe  powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\XWORM-V5.4.exe  (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\XWORM-V5.4.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2368

  C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe  (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2916

    C:\Windows\system32\WerFault.exe  (level 3)
      command line: C:\Windows\system32\WerFault.exe -u -p 2916 -s 664
      PID: 2944
      (Windows Error Reporting fault handler for PID 2916: the dropped XWorm V5.4.exe raised an unhandled exception and did not keep running)

  C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe  (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2112

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 3)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2656

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 3)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2652

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 3)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VLC_Media.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1992

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 3)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3020
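The four PowerShell invocations and the Startup-folder write above are the behaviours a detection engineer would key on. The following is an added example, not part of the sandbox report and not XWorm code: it scores Defender-exclusion command lines and Startup-folder writes over event records constructed from this process tree in a Sysmon-like shape (image, command line, parent image, pid/ppid). The record layout, the benign baseline entries, and the scoring weights are assumptions; the malicious command lines and paths are taken from the report.

```python
"""Detection logic for the behaviour in this report: a process running from a
user-writable directory (Temp / AppData) spawns PowerShell to add Windows Defender
exclusions and drops a shortcut into the per-user Startup folder.  Added example,
not part of the sandbox report or of XWorm.  The records below are constructed
from the process tree above in a Sysmon-like shape and are not real log exports."""
import re
from dataclasses import dataclass, field

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
# -ExclusionPath 'x' | -ExclusionProcess "x" | -ExclusionExtension x  (comma lists are not split)
MP_PARAM = re.compile(r"-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


@dataclass
class Finding:
    pid: int
    parent_image: str
    exclusions: list
    score: int
    reasons: list = field(default_factory=list)


def parse_exclusions(cmdline):
    """Return [(kind, value)] for every Defender exclusion the command line adds."""
    if not MP_CMDLET.search(cmdline):
        return []
    return [(kind.lower(), sq or dq or bare) for kind, sq, dq, bare in MP_PARAM.findall(cmdline)]


def defender_tampering(events):
    """Score each exclusion-adding command; higher means more like the behaviour above."""
    findings = []
    for ev in events:
        excl = parse_exclusions(ev.cmdline)
        if not excl:
            continue
        parent = ev.parent_image.lower()
        parent_base = parent.rsplit("\\", 1)[-1]
        f = Finding(ev.pid, ev.parent_image, excl, 1, ["Defender exclusion added"])
        checks = [  # each hit adds one point (weights are an assumption of this example)
            (USER_WRITABLE.search(ev.parent_image), "parent runs from a user-writable directory"),
            (re.search(r"-ExecutionPolicy\s+Bypass", ev.cmdline, re.I), "-ExecutionPolicy Bypass"),
            (any(v.lower() in (parent, parent_base) for _, v in excl), "exclusion covers the parent process itself"),
            (any(k == "path" and USER_WRITABLE.search(v) for k, v in excl), "excluded path is user-writable"),
        ]
        for hit, reason in checks:
            if hit:
                f.score += 1
                f.reasons.append(reason)
        findings.append(f)
    return findings


def startup_persistence(file_events):
    """file_events: (process_image, action, path) from file create/modify telemetry.
    Flags writes into the per-user Startup folder by images living in user-writable dirs."""
    return [(img, act, p) for img, act, p in file_events
            if STARTUP_DIR.search(p) and USER_WRITABLE.search(img)]


PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"
SAMPLE_EVENTS = [  # first four constructed from the process tree in this report
    ProcessEvent(2656, 2112, PS_IMAGE, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe'", DROPPER),
    ProcessEvent(2652, 2112, PS_IMAGE, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe.exe'", DROPPER),
    ProcessEvent(1992, 2112, PS_IMAGE, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VLC_Media.exe'", DROPPER),
    ProcessEvent(3020, 2112, PS_IMAGE, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'", DROPPER),
    # constructed benign baseline: an administrator excluding a build directory from a console
    ProcessEvent(4100, 900, PS_IMAGE, PS + r" Add-MpPreference -ExclusionPath 'D:\Builds'", r"C:\Windows\System32\cmd.exe"),
    # constructed: PowerShell that only reads the configuration must not be flagged
    ProcessEvent(4101, 900, PS_IMAGE, PS + r" Get-MpPreference", r"C:\Windows\System32\cmd.exe"),
]
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_FILE_EVENTS = [  # first two from the "Drops startup file" signature above
    (DROPPER, "File created", STARTUP + r"\VLC_Media.lnk"),
    (DROPPER, "File opened for modification", STARTUP + r"\VLC_Media.lnk"),
    (r"C:\Program Files\Example\setup.exe", "File created", STARTUP + r"\Example.lnk"),  # constructed, not flagged
]

if __name__ == "__main__":
    for f in defender_tampering(SAMPLE_EVENTS):
        print(f"pid {f.pid} score {f.score}: {', '.join(f.reasons)} -> {f.exclusions}")
    for hit in startup_persistence(SAMPLE_FILE_EVENTS):
        print("startup persistence:", hit)
```

The scoring separates the four report command lines (3 to 5 points each: user-writable parent, -ExecutionPolicy Bypass, self-exclusion, user-writable excluded path) from a console-launched Add-MpPreference (1 point) and from a read-only Get-MpPreference (no finding). On a live host, the exclusions such commands leave behind are visible in the ExclusionPath and ExclusionProcess properties returned by Get-MpPreference, and an exclusion pointing into %AppData% or %TEMP% deserves the same scrutiny as the command that created it.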
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  176KB
MD5       a9376f54dd83bf547f6188f8904ae3af
SHA1      85bb802b0ade5b2136c83e6217a2aaace3735edc
SHA256    44661d9d0df9aa2e03844719c9e6963a738e431c565f0983d309a0e113508d17
SHA512    71a4e6251e201441ccc1ae9633790b977a898e6f42b0d25f4c54d66d99311dad5b63e25f7ac703e932db5a526290f95e9abfe2158b72cd21e8564ac1942a48a9
-
Filesize  13.8MB
MD5       efb0528d6978337e964d999dacb621df
SHA1      244979b8495d3d173a4359d62ad771f99a0033fc
SHA256    4786ac3ceb9ecdcb98bdd19a0e93750e6c9c0df460751994840f8ea9733cc491
SHA512    4b16aca5638094741a9e5f0e4581b5c3cdbd77835035362468d2a0e077fba0f96b8dd98c4a4ea853b3b623d5b525fe64091daa1b761597b660840a371fbae0df
-
Filesize  112KB
MD5       2f1a50031dcf5c87d92e8b2491fdcea6
SHA1      71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA256    47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA512    1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize  7KB
MD5       51a527b50e7c48ee8bf72fcb90c32573
SHA1      9605b84dea6414fa5fdd1dddd64ec351159c28f9
SHA256    03f1c566eb1bcf49d899c9f56a5f0879aa2c1ec4a90c5b54ad1660fc8b47735b
SHA512    aa5fc3dbcdf83a4a7172f54a4c69e19e91f737ad914a9d427e4426ad8cee7f9ca944094862b6aee7e0a9d1f94e46103cec06ee6b6eb1fbfadea72128f779c261
-
(no filename or size given in the report; these are the well-known digests of a zero-byte file, so this entry carries no content worth hunting on)
MD5       d41d8cd98f00b204e9800998ecf8427e
SHA1      da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e