Analysis
-
max time kernel
91s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04-09-2024 17:21
Static task
static1
Behavioral task
behavioral1
Sample
XWORMV5.4.exe
Resource
win7-20240903-en
General
-
Target
XWORMV5.4.exe
-
Size
14.2MB
-
MD5
741b1f2ee5826897af2ba2ec765296e4
-
SHA1
706534d9c6a16354974b3b6fd6d1f620524b7dd1
-
SHA256
0b142a5773fcd9ae5cbb967f748e8da9a89e74aa50a0e1cd52f3aaa313bc749d
-
SHA512
a0b14ab280d906a8ad1681e335d30a457b02355cc941d12208f2ef460a9b1f700b84789749ee2080fb4351cce09e3cceeb9fea94478c3c81ae1fb184892de03a
-
SSDEEP
196608:q1X5v7sGYYHDZH3OrlZPtgLklkC9sSJP/rSzQHvWSpdUorPr/kvmXhJ9aCD:qHqDVgV+9kQH+SfLdrnD
Malware Config
Extracted
xworm
5.0
45.141.26.197:7000
9nYi5R05H806aXaO
-
Install_directory
%AppData%
-
install_file
VLC_Media.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe family_xworm behavioral2/memory/4888-25-0x00000000000B0000-0x00000000000E2000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 3624 powershell.exe 740 powershell.exe 3460 powershell.exe 1512 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
XWORMV5.4.exeVLC_Media.exe.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation XWORMV5.4.exe Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation VLC_Media.exe.exe -
Drops startup file 2 IoCs
Processes:
VLC_Media.exe.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk VLC_Media.exe.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk VLC_Media.exe.exe -
Executes dropped EXE 2 IoCs
Processes:
XWorm V5.4.exeVLC_Media.exe.exepid process 2540 XWorm V5.4.exe 4888 VLC_Media.exe.exe -
Loads dropped DLL 1 IoCs
Processes:
XWorm V5.4.exepid process 2540 XWorm V5.4.exe -
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe agile_net behavioral2/memory/2540-26-0x0000029B10430000-0x0000029B11210000-memory.dmp agile_net -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeVLC_Media.exe.exepid process 3624 powershell.exe 3624 powershell.exe 740 powershell.exe 740 powershell.exe 3460 powershell.exe 3460 powershell.exe 1512 powershell.exe 1512 powershell.exe 4888 VLC_Media.exe.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
VLC_Media.exe.exeXWorm V5.4.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 4888 VLC_Media.exe.exe Token: SeDebugPrivilege 2540 XWorm V5.4.exe Token: SeDebugPrivilege 3624 powershell.exe Token: SeDebugPrivilege 740 powershell.exe Token: SeDebugPrivilege 3460 powershell.exe Token: SeDebugPrivilege 1512 powershell.exe Token: SeDebugPrivilege 4888 VLC_Media.exe.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
VLC_Media.exe.exepid process 4888 VLC_Media.exe.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
XWORMV5.4.exeVLC_Media.exe.exedescription pid process target process PID 3480 wrote to memory of 2540 3480 XWORMV5.4.exe XWorm V5.4.exe PID 3480 wrote to memory of 2540 3480 XWORMV5.4.exe XWorm V5.4.exe PID 3480 wrote to memory of 4888 3480 XWORMV5.4.exe VLC_Media.exe.exe PID 3480 wrote to memory of 4888 3480 XWORMV5.4.exe VLC_Media.exe.exe PID 4888 wrote to memory of 3624 4888 VLC_Media.exe.exe powershell.exe PID 4888 wrote to memory of 3624 4888 VLC_Media.exe.exe powershell.exe PID 4888 wrote to memory of 740 4888 VLC_Media.exe.exe powershell.exe PID 4888 wrote to memory of 740 4888 VLC_Media.exe.exe powershell.exe PID 4888 wrote to memory of 3460 4888 VLC_Media.exe.exe powershell.exe PID 4888 wrote to memory of 3460 4888 VLC_Media.exe.exe powershell.exe PID 4888 wrote to memory of 1512 4888 VLC_Media.exe.exe powershell.exe PID 4888 wrote to memory of 1512 4888 VLC_Media.exe.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\XWORMV5.4.exe"C:\Users\Admin\AppData\Local\Temp\XWORMV5.4.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe"C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VLC_Media.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5dcac476fa19b9b7e00d97d937daf7e9f
SHA12753854fb9097e0c50667c4df11e336bada512e2
SHA256ebbf20b0c098d467090c4115109b5f707b559a8006e9c17f00235a5d23d60399
SHA51281d587000267413d0b829d783aa2ea4d6f7dfdf991d0463cd49bae3090f36db0b16a63b1ca28ae9a8e52fe2a516bffbad3ff624d5b55e8956d728bb44ed5ea4f
-
Filesize
944B
MD5481e5a63ab627f474e7406859a742abc
SHA1adf952634978d42e343896ac546763cc6e7635fa
SHA256ce32fe7b6fec708c52b5293b3ea0de2f0030be59644c9a635882bb7273b664a6
SHA5128d3d8329276e6fac80fbc4d6cf4ca0d05cd336c7a0e85cafe2fd121e783af1c013347909454aab63bd0c51b6f37317958f23608b980d4a5764d23cdc9aa12f95
-
Filesize
176KB
MD5a9376f54dd83bf547f6188f8904ae3af
SHA185bb802b0ade5b2136c83e6217a2aaace3735edc
SHA25644661d9d0df9aa2e03844719c9e6963a738e431c565f0983d309a0e113508d17
SHA51271a4e6251e201441ccc1ae9633790b977a898e6f42b0d25f4c54d66d99311dad5b63e25f7ac703e932db5a526290f95e9abfe2158b72cd21e8564ac1942a48a9
-
Filesize
13.8MB
MD5efb0528d6978337e964d999dacb621df
SHA1244979b8495d3d173a4359d62ad771f99a0033fc
SHA2564786ac3ceb9ecdcb98bdd19a0e93750e6c9c0df460751994840f8ea9733cc491
SHA5124b16aca5638094741a9e5f0e4581b5c3cdbd77835035362468d2a0e077fba0f96b8dd98c4a4ea853b3b623d5b525fe64091daa1b761597b660840a371fbae0df
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
112KB
MD52f1a50031dcf5c87d92e8b2491fdcea6
SHA171e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA25647578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA5121c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8