Resubmissions
17/10/2024, 00:08
241017-ae5a8avalj 1017/10/2024, 00:04
241017-ac1v1s1bph 1016/10/2024, 23:52
241016-3w4p8szgmc 1016/10/2024, 23:50
241016-3v4c3szgja 1016/10/2024, 22:52
241016-2tp9ds1dkk 10Analysis
-
max time kernel
150s -
max time network
102s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
17/10/2024, 00:08
General
-
Target
XWorm-5.6-main/Xworm V5.6.exe
-
Size
14.9MB
-
MD5
56ccb739926a725e78a7acf9af52c4bb
-
SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc
-
SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
-
SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1
-
SSDEEP
196608:P4/BAe1d4ihvy85JhhYc3BSL1kehn4inje:PuyIhhkRka4i
Malware Config
Extracted
xworm
5.0
127.0.0.1:8888
maoR2mXoJbzjTaPs
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 3 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 58 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe"C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mnndeezm\mnndeezm.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CC5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc798B48D95CB64246867DDF781DA4E9F.TMP"3⤵
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C41⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\XClient.exe"C:\Users\Admin\Downloads\XClient.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD55acae0dea9d251698d4dedf6fee0955b
SHA17ebb336cd4c086bf8eee73b8ec8350efbcb0ee92
SHA256a5f3ba72675b1fd95c8bc315c2d5f369dab6df27f1a2587f860fa1ed8411f283
SHA512a9f470881c09daaabc86b67a377d62bf60843aa3088c8a60aee554ebbaa5342cb9c6ad2c6b620681119a0c45f9fd68279b8ec27ca32cf7cd51f8242b75944817
-
Filesize
78KB
MD57b664d0b4902d204ca39e672a1f30921
SHA147e51d13c186d01785f2f9ca32b4c523d88fb5e6
SHA25698e2393a4a018274410aa6cefc5d958e6f4ba8f909619310fa6b711997bace9e
SHA5129cba0750ec6eca48742441e02a8a5c691e913f73bf3f9b18eace51d21969bfc1dac681042d2b6e759e7c01a71b976383bb0c3546e745d02088656258814ee1aa
-
Filesize
292B
MD539446f2034cc3d62bff9f777e1a4f7e8
SHA19a52c29cb4cb4dbc3614b28f21165820e94c823e
SHA2561c25bd4ae584bc2ce24621eba16ec016388cbc3de20c043dce9286d4535a213f
SHA512d2e21a29ec8e2f3b3d6da346b1068a8953f952470ef8449103bf40d9c403572ce92ed34eb2915bb41b614c43c01e98b6a00208403c76c64cb3a0aa12750aa64d
-
Filesize
1KB
MD5d40c58bd46211e4ffcbfbdfac7c2bb69
SHA1c5cf88224acc284a4e81bd612369f0e39f3ac604
SHA25601902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca
SHA51248b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68
-
Filesize
32KB
MD57f9066e565de32f43cb94d67cb5f4daf
SHA1674a570057cfec4124097f402157d57689e566f6
SHA2564b38b9ce5fb8080051015970eb58314fdfee9cf8cad406ea0cbc97ef6d090417
SHA5124949b911d4235686123fd7925a3999d52582dd982fdfe98ee513dfffa2193de82ef159220d0ff977ab0ade5b7048d7bfc0f71848152931a52d694516f7dd4252
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
1.1MB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
36KB
-
Filesize
280KB
-
Filesize
120KB
-
Filesize
44KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.4MB
-
Filesize
10.8MB
-
Filesize
52KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
520KB
-
Filesize
176KB
-
Filesize
2.9MB
-
Filesize
712KB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
14.9MB