Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
19-10-2024 21:27
Behavioral task
behavioral1
Sample
XWorm-5.6-main.zip
Resource
win11-20241007-en
General
-
Target
XWorm-5.6-main.zip
-
Size
24.8MB
-
MD5
98af17dc86622b292d58fbba45d51309
-
SHA1
44a7d9423ce00ddda8000f9d18e3fe5693b5776f
-
SHA256
eed75f0edf37bdd0d0a64ac8723672dbfe64288fb3845b89cc3596d0511f67d1
-
SHA512
b3b9c67e373bcba5bd039088953400a3296b374f29f5de00f56c0702da7f9eccf0c452586d486c17ab1ea5ab16240112fda8457ec258d2ba9735b17959db4b05
-
SSDEEP
786432:3vngbHGYI0DuXXEDgfI+tjIdubuu0SVww6vZqwffr:fgbHGY2hfI8yuxV7oswXr
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1252 Xworm V5.6.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Xworm V5.6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Xworm V5.6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion Xworm V5.6.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2956 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeRestorePrivilege 2956 7zFM.exe Token: 35 2956 7zFM.exe Token: SeSecurityPrivilege 2956 7zFM.exe Token: SeDebugPrivilege 4976 taskmgr.exe Token: SeSystemProfilePrivilege 4976 taskmgr.exe Token: SeCreateGlobalPrivilege 4976 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2956 7zFM.exe 2956 7zFM.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe -
Suspicious use of SendNotifyMessage 63 IoCs
pid Process 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe 4976 taskmgr.exe
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main.zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2956
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3672
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4976
-
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe"1⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:1252
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5bcc0fe2b28edd2da651388f84599059b
SHA144d7756708aafa08730ca9dbdc01091790940a4f
SHA256c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA5123bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
Filesize
361KB
MD5e3143e8c70427a56dac73a808cba0c79
SHA163556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA51274e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
Filesize
183B
MD566f09a3993dcae94acfe39d45b553f58
SHA19d09f8e22d464f7021d7f713269b8169aed98682
SHA2567ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
Filesize
14.9MB
MD556ccb739926a725e78a7acf9af52c4bb
SHA15b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA25690f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
SHA5122fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1