eed75f0edf37bdd0d0a64ac8723672dbfe64288fb3845b89cc3596d0511f67d1

General

Target

XWorm-5.6-main.zip
Size

24.8MB
MD5

98af17dc86622b292d58fbba45d51309
SHA1

44a7d9423ce00ddda8000f9d18e3fe5693b5776f
SHA256

eed75f0edf37bdd0d0a64ac8723672dbfe64288fb3845b89cc3596d0511f67d1
SHA512

b3b9c67e373bcba5bd039088953400a3296b374f29f5de00f56c0702da7f9eccf0c452586d486c17ab1ea5ab16240112fda8457ec258d2ba9735b17959db4b05
SSDEEP

786432:3vngbHGYI0DuXXEDgfI+tjIdubuu0SVww6vZqwffr:fgbHGY2hfI8yuxV7oswXr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Xworm V5.6.exe

pid process

1252 Xworm V5.6.exe

pid	process
1252	Xworm V5.6.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Xworm V5.6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2956 7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zFM.exetaskmgr.exe

description	pid	process
Token: SeRestorePrivilege	2956	7zFM.exe
Token: 35	2956	7zFM.exe
Token: SeSecurityPrivilege	2956	7zFM.exe
Token: SeDebugPrivilege	4976	taskmgr.exe
Token: SeSystemProfilePrivilege	4976	taskmgr.exe
Token: SeCreateGlobalPrivilege	4976	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exe

pid	process
2956	7zFM.exe
2956	7zFM.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe

Suspicious use of SendNotifyMessage 63 IoCs

Processes:

taskmgr.exe

pid	process
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3672

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4976

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
\??\c:\users\admin\downloads\xworm-5.6-main\xworm-5.6-main\xworm v5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
memory/1252-260-0x0000018EC6620000-0x0000018EC6814000-memory.dmp

Filesize
2.0MB

Download
memory/1252-258-0x0000018EA9370000-0x0000018EAA258000-memory.dmp

Filesize
14.9MB

Download
memory/4976-248-0x000001FB3E640000-0x000001FB3E641000-memory.dmp

Filesize
4KB

Download
memory/4976-249-0x000001FB3E640000-0x000001FB3E641000-memory.dmp

Filesize
4KB

Download
memory/4976-250-0x000001FB3E640000-0x000001FB3E641000-memory.dmp

Filesize
4KB

Download
memory/4976-254-0x000001FB3E640000-0x000001FB3E641000-memory.dmp

Filesize
4KB

Download
memory/4976-253-0x000001FB3E640000-0x000001FB3E641000-memory.dmp

Filesize
4KB

Download
memory/4976-251-0x000001FB3E640000-0x000001FB3E641000-memory.dmp

Filesize
4KB

Download
memory/4976-252-0x000001FB3E640000-0x000001FB3E641000-memory.dmp

Filesize
4KB

Download
memory/4976-242-0x000001FB3E640000-0x000001FB3E641000-memory.dmp

Filesize
4KB

Download
memory/4976-243-0x000001FB3E640000-0x000001FB3E641000-memory.dmp

Filesize
4KB

Download
memory/4976-244-0x000001FB3E640000-0x000001FB3E641000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads