Analysis
-
max time kernel
121s
-
max time network
139s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
-
submitted
04-09-2024 17:21
Static task
static1
Behavioral task
behavioral1
Sample
XWORMV5.4.exe
Resource
win7-20240903-en
General
-
Target
XWORMV5.4.exe
-
Size
14.2MB
-
MD5
741b1f2ee5826897af2ba2ec765296e4
-
SHA1
706534d9c6a16354974b3b6fd6d1f620524b7dd1
-
SHA256
0b142a5773fcd9ae5cbb967f748e8da9a89e74aa50a0e1cd52f3aaa313bc749d
-
SHA512
a0b14ab280d906a8ad1681e335d30a457b02355cc941d12208f2ef460a9b1f700b84789749ee2080fb4351cce09e3cceeb9fea94478c3c81ae1fb184892de03a
-
SSDEEP
196608:q1X5v7sGYYHDZH3OrlZPtgLklkC9sSJP/rSzQHvWSpdUorPr/kvmXhJ9aCD:qHqDVgV+9kQH+SfLdrnD
Malware Config
Extracted
xworm
5.0
45.141.26.197:7000
9nYi5R05H806aXaO
-
Install_directory
%AppData%
-
install_file
VLC_Media.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe | family_xworm
behavioral1/memory/2492-12-0x0000000001310000-0x0000000001342000-memory.dmp | family_xworm
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
2172 | powershell.exe
2592 | powershell.exe
3016 | powershell.exe
1844 | powershell.exe
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk | VLC_Media.exe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk | VLC_Media.exe.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2296 | XWorm V5.4.exe
2492 | VLC_Media.exe.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
2296 | XWorm V5.4.exe
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe | agile_net
behavioral1/memory/2296-13-0x0000000000EA0000-0x0000000001C80000-memory.dmp | agile_net
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
2172 | powershell.exe
2592 | powershell.exe
3016 | powershell.exe
1844 | powershell.exe
2492 | VLC_Media.exe.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2492 | VLC_Media.exe.exe
Token: SeDebugPrivilege | 2296 | XWorm V5.4.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 2592 | powershell.exe
Token: SeDebugPrivilege | 3016 | powershell.exe
Token: SeDebugPrivilege | 1844 | powershell.exe
Token: SeDebugPrivilege | 2492 | VLC_Media.exe.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2492 | VLC_Media.exe.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 2352 wrote to memory of 2296 | 2352 | XWORMV5.4.exe | XWorm V5.4.exe
PID 2352 wrote to memory of 2296 | 2352 | XWORMV5.4.exe | XWorm V5.4.exe
PID 2352 wrote to memory of 2296 | 2352 | XWORMV5.4.exe | XWorm V5.4.exe
PID 2352 wrote to memory of 2492 | 2352 | XWORMV5.4.exe | VLC_Media.exe.exe
PID 2352 wrote to memory of 2492 | 2352 | XWORMV5.4.exe | VLC_Media.exe.exe
PID 2352 wrote to memory of 2492 | 2352 | XWORMV5.4.exe | VLC_Media.exe.exe
PID 2296 wrote to memory of 2672 | 2296 | XWorm V5.4.exe | WerFault.exe
PID 2296 wrote to memory of 2672 | 2296 | XWorm V5.4.exe | WerFault.exe
PID 2296 wrote to memory of 2672 | 2296 | XWorm V5.4.exe | WerFault.exe
PID 2492 wrote to memory of 2172 | 2492 | VLC_Media.exe.exe | powershell.exe
PID 2492 wrote to memory of 2172 | 2492 | VLC_Media.exe.exe | powershell.exe
PID 2492 wrote to memory of 2172 | 2492 | VLC_Media.exe.exe | powershell.exe
PID 2492 wrote to memory of 2592 | 2492 | VLC_Media.exe.exe | powershell.exe
PID 2492 wrote to memory of 2592 | 2492 | VLC_Media.exe.exe | powershell.exe
PID 2492 wrote to memory of 2592 | 2492 | VLC_Media.exe.exe | powershell.exe
PID 2492 wrote to memory of 3016 | 2492 | VLC_Media.exe.exe | powershell.exe
PID 2492 wrote to memory of 3016 | 2492 | VLC_Media.exe.exe | powershell.exe
PID 2492 wrote to memory of 3016 | 2492 | VLC_Media.exe.exe | powershell.exe
PID 2492 wrote to memory of 1844 | 2492 | VLC_Media.exe.exe | powershell.exe
PID 2492 wrote to memory of 1844 | 2492 | VLC_Media.exe.exe | powershell.exe
PID 2492 wrote to memory of 1844 | 2492 | VLC_Media.exe.exe | powershell.exe
Processes
C:\Users\Admin\AppData\Local\Temp\XWORMV5.4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\XWORMV5.4.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2352

    C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2296

        C:\Windows\system32\WerFault.exe
          command line: C:\Windows\system32\WerFault.exe -u -p 2296 -s 668
          PID: 2672

    C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2492

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2172

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2592

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VLC_Media.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3016

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1844
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
176KB
MD5
a9376f54dd83bf547f6188f8904ae3af
SHA1
85bb802b0ade5b2136c83e6217a2aaace3735edc
SHA256
44661d9d0df9aa2e03844719c9e6963a738e431c565f0983d309a0e113508d17
SHA512
71a4e6251e201441ccc1ae9633790b977a898e6f42b0d25f4c54d66d99311dad5b63e25f7ac703e932db5a526290f95e9abfe2158b72cd21e8564ac1942a48a9
-
Filesize
13.8MB
MD5
efb0528d6978337e964d999dacb621df
SHA1
244979b8495d3d173a4359d62ad771f99a0033fc
SHA256
4786ac3ceb9ecdcb98bdd19a0e93750e6c9c0df460751994840f8ea9733cc491
SHA512
4b16aca5638094741a9e5f0e4581b5c3cdbd77835035362468d2a0e077fba0f96b8dd98c4a4ea853b3b623d5b525fe64091daa1b761597b660840a371fbae0df
-
Filesize
112KB
MD5
2f1a50031dcf5c87d92e8b2491fdcea6
SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
261184ed87142fb10b5a5eed3d2b43d9
SHA1
1b97ef044d82271b6b2d44474b019f4b70becda6
SHA256
5a8f45b94954ff6c78607890026c5e572ea78914821579c583f2b14ca2236a72
SHA512
c5b655584b2435c73136811a6ee61ff8f5b7b196cc50387bbc2f9c7964a75ed5e2a2f1dc9ccae11dc865fd2e7acc29e15268eb9bd63e364e23556cd665a093bc