eed75f0edf37bdd0d0a64ac8723672dbfe64288fb3845b89cc3596d0511f67d1

Analysis

max time kernel
36s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-10-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-5.6-main.zip
Size

24.8MB
MD5

98af17dc86622b292d58fbba45d51309
SHA1

44a7d9423ce00ddda8000f9d18e3fe5693b5776f
SHA256

eed75f0edf37bdd0d0a64ac8723672dbfe64288fb3845b89cc3596d0511f67d1
SHA512

b3b9c67e373bcba5bd039088953400a3296b374f29f5de00f56c0702da7f9eccf0c452586d486c17ab1ea5ab16240112fda8457ec258d2ba9735b17959db4b05
SSDEEP

786432:3vngbHGYI0DuXXEDgfI+tjIdubuu0SVww6vZqwffr:fgbHGY2hfI8yuxV7oswXr

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

Processes:

lodctr.exe

description	ioc	process
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

4524 7zFM.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 4524 7zFM.exe
Token: 35 4524 7zFM.exe
Token: SeSecurityPrivilege 4524 7zFM.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

4524 7zFM.exe
4524 7zFM.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 2952 wrote to memory of 4776 2952 cmd.exe lodctr.exe
PID 2952 wrote to memory of 4776 2952 cmd.exe lodctr.exe

pid	process
4524	7zFM.exe

description	pid	process
Token: SeRestorePrivilege	4524	7zFM.exe
Token: 35	4524	7zFM.exe
Token: SeSecurityPrivilege	4524	7zFM.exe

pid	process
4524	7zFM.exe
4524	7zFM.exe

description	pid	process	target process
PID 2952 wrote to memory of 4776	2952	cmd.exe	lodctr.exe
PID 2952 wrote to memory of 4776	2952	cmd.exe	lodctr.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Fixer.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:4776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Fixer.bat

Filesize
122B

MD5
2dabc46ce85aaff29f22cd74ec074f86

SHA1
208ae3e48d67b94cc8be7bbfd9341d373fa8a730

SHA256
a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

SHA512
6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
44KB

MD5
bc3d1639f16cb93350a76b95cd59108b

SHA1
47f1067b694967d71af236d5e33d31cb99741f4c

SHA256
004818827ecc581f75674919f4605d28eed27e3f2229ae051d6849129eef40e9

SHA512
fe44f3dbd009d932491af26c3615e616bc0042741dc3815ffb4d2b8d201efd8ab89f7cdd747406609393f005a596a6e9ea8e3f231bc150dc406c2adb8f806249

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
47KB

MD5
69c02ba10f3f430568e00bcb54ddf5a9

SHA1
8b95d298633e37c42ea5f96ac08d950973d6ee9d

SHA256
62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e

SHA512
16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
43KB

MD5
8b4b53cf469919a32481ce37bcce203a

SHA1
58ee96630adf29e79771bfc39a400a486b4efbb0

SHA256
a7b3a2b6c67e98cf2b13684c8774113c4ed4f60cd6fc673d4c9dcb360c60ce42

SHA512
62217e68c9e4c7b077e127040318c603e2f2cbcc5517ce0cfc6189e43023f8d8a05b8e694b2a35d4b409241136a1067749b7b6e2049d6910246d8c0fa6e9e575

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
42KB

MD5
bea0a3b9b4dc8d06303d3d2f65f78b82

SHA1
361df606ee1c66a0b394716ba7253d9785a87024

SHA256
e88439ae381e57e207ce09bbf369859c34b239b08124339534dcc935a89ac927

SHA512
341132d443cd41acf0a7eaee0d6883c40d8a4db8c59e056211e898c817c2847377f0208ed3a40e0fd6f73f0196ffcc680c55754e160edafd97036739861a6c88

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
35KB

MD5
17fc81a0e3f9fc02821e40166f1cb09f

SHA1
2931659b064a216371420db215b1f48de29a1858

SHA256
fe933b8ae9d8fb3283a76b42cfed31be01d02c91cd7ba742b399df613762fff2

SHA512
19a93f08124962c9826cb6794b897ddc3dd3391e2b24cebd70c2a8027aa082d2b65f2d92ba438684d6e0490f1dabb714bcb17561b951807589c5ce920f2e6031

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
307KB

MD5
312d855b1d95ae830e067657cffdd28c

SHA1
8133c02adeae24916fa9c53e52b3bfe66ac3d5a3

SHA256
ca3f8056e3e2378509ab24f8b8471e5fccac403a5413be518ac35bbb42a2e2cf

SHA512
f25c1a81a582a2a5e3142bd97f425c6ee5c26f878b1155232002fff1e4a3528bc371fb962da256c281e05c6c537160a4f48e00ea1fcf3e9887097f8ca6ec2b14

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
297KB

MD5
50362589add3f92e63c918a06d664416

SHA1
e1f96e10fb0f9d3bec9ea89f07f97811ccc78182

SHA256
9a60acb9d0cb67b40154feb3ff45119f122301ee059798c87a02cc0c23e2ffce

SHA512
e21404bc7a5708ab1f4bd1df5baff4302bc31ac894d0940a38b8967b40aac46c2b3e51566d6410e66c4e867e1d8a88489adccf8bdcaec682e9ddabc0dac64468

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
347KB

MD5
49032045f6bcb9f676c7437df76c7ffa

SHA1
f1bf3ba149cd1e581fe12fb06e93d512fe3a241b

SHA256
089f30c1e60f038627531d486659fab66a8b927d65e4eca18f104d6ae4c7f641

SHA512
55b459b7787e6efacdcc17adb830dc3172a316ff8dd3b14a51bf4496a9479f513ae279a839674b472c1424170ee4aa63a5d45fc7fbd38a533a885282858c74f1

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
350KB

MD5
518020fbecea70e8fecaa0afe298a79e

SHA1
c16d691c479a05958958bd19d1cb449769602976

SHA256
9a139a16fe741593e50fa5e1e2a0c706c0eba7f4d1e1a7a91035428185fde125

SHA512
ff910efee092c2b4a3fa1114f745feb7d01a38b55b0345e0118cdc601a056f79035bd92c76b49559480b515da4cd66d2fbe789baacdde67485cab989ff009b2e

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
340KB

MD5
f9fcefdf318c60de1e79166043b85ec4

SHA1
a99d480b322c9789c161ee3a46684f030ec9ad33

SHA256
9c92309f7a11b916d0e9b99f9083f58b1a2fa7a9aad283b064f01c11781160e7

SHA512
881e112fedccc8643d872396baf726ceb7a49c5cce09489ddcb88400b5a4578dd5ee62a4082d81a6c721c74edb00d84d225e08ab892cc094976149a1a2c486d8

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
145KB

MD5
f4f62aa4c479d68f2b43f81261ffd4e3

SHA1
6fa9ff1dbb2c6983afc3d57b699bc1a9d9418daa

SHA256
c2f81f06c86bf118a97fba7772d20d2c4ba92944551cd14e9d9bab40bf22816c

SHA512
cbd94b41fc3136c05981e880e1f854a5847a18708459112ca7eb0bdcb04d0034c42af8c58501a21ae56e07a29751236af9735b0a4ded3a6b0ef57d717acd5ff3

Download Submit