0fe4467aabb9b849c5160efabb52cf0f03d78e3abdb7d647e0a56ea1e9a96c18

Analysis

max time kernel
20s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm V5.5.exe
Size

529KB
MD5

a3bb1a669cd23c187b5fdabe4747d177
SHA1

14a0ca33dbc6bc35eb704e5bb7c79eadb34e31e6
SHA256

0fe4467aabb9b849c5160efabb52cf0f03d78e3abdb7d647e0a56ea1e9a96c18
SHA512

3717ab31c4dc90a0745d375a5652f40bdb48588701685bb450089df404ecbe340dabe5d41851df87fa35795d9b940864ad209f2dd386502a0361da8afba403a9
SSDEEP

6144:3rLN7JpWXLqasldR+cmvxK81NJABbn1wzP1/GWGwqqm1:7LN7JMu/L+xfNWh1e1+F

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133711809058160892"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4580	chrome.exe
4580	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 3060	4580	chrome.exe	98
PID 4580 wrote to memory of 3060	4580	chrome.exe	98
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 648	4580	chrome.exe	99
PID 4580 wrote to memory of 2784	4580	chrome.exe	100
PID 4580 wrote to memory of 2784	4580	chrome.exe	100
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101
PID 4580 wrote to memory of 1944	4580	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\Xworm V5.5.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm V5.5.exe"
1⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4464,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=1320 /prefetch:8
1⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcbaabcc40,0x7ffcbaabcc4c,0x7ffcbaabcc58
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,12034486365913091139,4810740005699472303,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,12034486365913091139,4810740005699472303,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,12034486365913091139,4810740005699472303,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,12034486365913091139,4810740005699472303,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3344,i,12034486365913091139,4810740005699472303,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4676,i,12034486365913091139,4810740005699472303,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4944,i,12034486365913091139,4810740005699472303,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5116,i,12034486365913091139,4810740005699472303,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:3592

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a761eb1dca69b781b1d868623845e173

SHA1
593257b9bbbd562e0024692f2fd9ddab611b0d66

SHA256
21f19fd30652a02f0a987fa9fd2d4f6153d7110b5bd5c9449882d495412613cd

SHA512
a991a475c33c2a1b85d37ac026eb0927a73628d657c31db46dbd93223ce97ed538346ac0fb2f57b4edaa3d46bd32f6406fcb473b55aa7be81463b81655d7cc8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6ae460f32dd6bc92d59b39eb40dc8c87

SHA1
22eba109968068ef9c03abafff8aed4de75571fa

SHA256
7cd1a0df836fb67309e92c41db3697b508ea35faf828770cfddefd95079993da

SHA512
07e7cae4d4ad230000ec2b43971032c1ab475e5a1937d509d51e61663c3767a03aa41199004d820b51a596186d62310e5c89284235ad04165a4fc8d0b2ff8fd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
fefe8b04f9740d56995be95e987500da

SHA1
02a0303d16c3b3d1b39b15f7dfd282ce52d5f0c7

SHA256
597850bdf7a59f5166526b753f1a061c3a44e15a3a97e284680f9a6daa459317

SHA512
614238d89fafb0983a5ab9c1049cc2558109acbafeb97082eb37632d4e6d6c52ed5280470e3f3688e3c011a6141ff801aed33a3d1ec8883f88b34dac04f9b967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
71fe238522ae0ca19f6ceec0461e441b

SHA1
35746bbeab5a68b3fe0a6b944c16adb18949c92c

SHA256
84a2a6a7283b0decdd9da96d11e3c8e77db230f410f0bf1fe8fad3deee074b5a

SHA512
b8e67aab35dc04d16361c45df25007fe8c6ad8c81c812481d2c99bdcedba4b72eb96c9637ec8bb2a6c56f731874287b0a5e39081afb9600d693bfc862d0b3aef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d877837445594cf4d7da1be374b551d1

SHA1
1afa971d93992e8368da471833ea532ab217c6a1

SHA256
43b31f3e6089302006e81cac9cab0bac28978f9fcd88b23de8323f8e8d25c004

SHA512
e8b8abc6464b0d50e60a00df2814a25dd3feaac20b8f41b7348998e3776264c88b7a4b7a9088b237b3e1c7328ae7410a1e9188ad4a8f84b3b5afe384f3466590

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
6c35f07f39f1d3d238356a811dbfb1c9

SHA1
dcafc395f7aca2a8bdb2013aba1144cec139aed0

SHA256
7d7094c975e1ebeb9aab69542fae0f5a6afae3d8f8ff7bfa89273c154c76f2eb

SHA512
46f6280a3e028634420145e30e0226e03ed2345e1a88c103da7e7695e18b4cb1d668004e16afcde7de27ea59bddfc2477a554e441957f2a6becb0644a3efb42a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
aaa61cbe3e12356dd73fe7155ae10426

SHA1
a0e92897a005d3bdf7196b83061b93cfe4cecf8f

SHA256
0aca153af15f6f28a35a63be5af293fff2ec5373396fcd9934786f9487610f62

SHA512
66f7b1cb562f98b0d5df8a993de4a3eb65b801ed7a0be475ad387d21bd45c6cbb029104e594e63971a9a85f2c005789d6f57ccc8df73420e6a75cc5ed6d0d364

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/1720-0-0x00007FFCBAA63000-0x00007FFCBAA65000-memory.dmp

Filesize
8KB

Download
memory/1720-1-0x0000000000770000-0x00000000007FA000-memory.dmp

Filesize
552KB

Download