Analysis
- max time kernel: 90s
- max time network: 95s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12-10-2024 20:58
Behavioral tasks
- behavioral1: Sample XWorm V5.6.zip, Resource win10v2004-20241007-en
- behavioral2: Sample XWorm V5.6.zip, Resource win11-20241007-en
- behavioral3: Sample XWorm V5.6/Xworm V5.6.exe, Resource win10v2004-20241007-en
- behavioral4: Sample XWorm V5.6/Xworm V5.6.exe, Resource win11-20241007-en
- behavioral5: Sample XWorm V5.6/XwormLoader.exe, Resource win10v2004-20241007-en
- behavioral6: Sample XWorm V5.6/XwormLoader.exe, Resource win11-20241007-en
General
- Target: XWorm V5.6/XwormLoader.exe
- Size: 576KB
- MD5: f1a4c690564f491ad4f7fc8ce79e2fc3
- SHA1: cc16274baae2af0c614566d56b693774fe892168
- SHA256: 0a3555b2ab1f76066c496eb43ebc520c82824a22cfcb714a75c5edc1ad99d88a
- SHA512: f7a1116b889493c079000847f5517e9149d5dce703b85b1520ad1d4810c575500aab47460a6e0d7e266fa5ef70ba10d4b625587725251734404913844897e180
- SSDEEP: 12288:bwl4OwitTdBZpKfSTUNe/RhCEIX7RIiZmWJyGpfxd8KR0F7Br1dfPDWUw+b5/xgo:bwDdtTdBZISTACRhCE+Gi1yG
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes: XwormLoader.exe (PID 2740)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 2740 XwormLoader.exe set thread context of PID 3484 MSBuild.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by XwormLoader.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: MSBuild.exe (PID 3484) adjusted its own token privileges 64 times:
  Token: SeDebugPrivilege      x1
  Token: SeBackupPrivilege     x13
  Token: SeSecurityPrivilege   x50
  (Order as logged: one SeDebugPrivilege, then repeated groups of one SeBackupPrivilege followed by four SeSecurityPrivilege.)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: PID 2740 XwormLoader.exe wrote to memory of PID 3484 MSBuild.exe (8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormLoader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormLoader.exe"
  PID: 2740
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of PID 2740)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 3484
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 799KB
  MD5: 5c79d44ff8563412dce1bb36626781d6
  SHA1: a13da89b3ec6becd64e1a5aa2780bde27b4bc467
  SHA256: ecea21c9c2bd359747693dc3d34db8338547fdae7f06739336daa3d826a85135
  SHA512: 25e594e2526e76307f67ebec73bb3c8d96fc4a4b170d8fdffead41b798a00ede67e0fbe3e3d99b54ce424c356a10a262312149d84d76c8248464b135c7cd3d18