1836e05f25dddf9426969e13ab80d1dcdf8d7b496b1a05d98ebae9303c18b956

General

Target

XWorm V5.6/XwormLoader.exe
Size

576KB
MD5

f1a4c690564f491ad4f7fc8ce79e2fc3
SHA1

cc16274baae2af0c614566d56b693774fe892168
SHA256

0a3555b2ab1f76066c496eb43ebc520c82824a22cfcb714a75c5edc1ad99d88a
SHA512

f7a1116b889493c079000847f5517e9149d5dce703b85b1520ad1d4810c575500aab47460a6e0d7e266fa5ef70ba10d4b625587725251734404913844897e180
SSDEEP

12288:bwl4OwitTdBZpKfSTUNe/RhCEIX7RIiZmWJyGpfxd8KR0F7Br1dfPDWUw+b5/xgo:bwDdtTdBZISTACRhCE+Gi1yG

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

XwormLoader.exe

pid process

4432 XwormLoader.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

XwormLoader.exe

description pid process target process

PID 4432 set thread context of 1816 4432 XwormLoader.exe MSBuild.exe

pid	process
4432	XwormLoader.exe

description	pid	process	target process
PID 4432 set thread context of 1816	4432	XwormLoader.exe	MSBuild.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

XwormLoader.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeBackupPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe
Token: SeSecurityPrivilege	1816	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

XwormLoader.exe

description	pid	process	target process
PID 4432 wrote to memory of 1816	4432	XwormLoader.exe	MSBuild.exe
PID 4432 wrote to memory of 1816	4432	XwormLoader.exe	MSBuild.exe
PID 4432 wrote to memory of 1816	4432	XwormLoader.exe	MSBuild.exe
PID 4432 wrote to memory of 1816	4432	XwormLoader.exe	MSBuild.exe
PID 4432 wrote to memory of 1816	4432	XwormLoader.exe	MSBuild.exe
PID 4432 wrote to memory of 1816	4432	XwormLoader.exe	MSBuild.exe
PID 4432 wrote to memory of 1816	4432	XwormLoader.exe	MSBuild.exe
PID 4432 wrote to memory of 1816	4432	XwormLoader.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormLoader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
799KB

MD5
5c79d44ff8563412dce1bb36626781d6

SHA1
a13da89b3ec6becd64e1a5aa2780bde27b4bc467

SHA256
ecea21c9c2bd359747693dc3d34db8338547fdae7f06739336daa3d826a85135

SHA512
25e594e2526e76307f67ebec73bb3c8d96fc4a4b170d8fdffead41b798a00ede67e0fbe3e3d99b54ce424c356a10a262312149d84d76c8248464b135c7cd3d18

Download Submit
memory/1816-14-0x0000000005080000-0x0000000005624000-memory.dmp

Filesize
5.6MB

Download
memory/1816-20-0x0000000007950000-0x0000000007962000-memory.dmp

Filesize
72KB

Download
memory/1816-16-0x0000000004B70000-0x0000000004C02000-memory.dmp

Filesize
584KB

Download
memory/1816-17-0x0000000004B50000-0x0000000004B5A000-memory.dmp

Filesize
40KB

Download
memory/1816-15-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1816-23-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1816-13-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1816-22-0x0000000007B10000-0x0000000007B5C000-memory.dmp

Filesize
304KB

Download
memory/1816-24-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1816-21-0x00000000079B0000-0x00000000079EC000-memory.dmp

Filesize
240KB

Download
memory/1816-10-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/1816-18-0x0000000007EB0000-0x00000000084C8000-memory.dmp

Filesize
6.1MB

Download
memory/1816-19-0x0000000007A00000-0x0000000007B0A000-memory.dmp

Filesize
1.0MB

Download
memory/4432-12-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4432-1-0x0000000000220000-0x00000000002BA000-memory.dmp

Filesize
616KB

Download
memory/4432-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

Filesize
4KB

Download
memory/4432-2-0x0000000000AB0000-0x0000000000AB6000-memory.dmp

Filesize
24KB

Download
memory/4432-9-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads