Overview
overview
10Static
static
10XWorm V5.2.rar
windows7-x64
7XWorm V5.2.rar
windows10-2004-x64
7XWorm V5.2...db.dll
windows7-x64
1XWorm V5.2...db.dll
windows10-2004-x64
1XWorm V5.2...db.dll
windows7-x64
1XWorm V5.2...db.dll
windows10-2004-x64
1XWorm V5.2...ks.dll
windows7-x64
1XWorm V5.2...ks.dll
windows10-2004-x64
1XWorm V5.2...il.dll
windows7-x64
1XWorm V5.2...il.dll
windows10-2004-x64
1XWorm V5.2...ts.dll
windows7-x64
1XWorm V5.2...ts.dll
windows10-2004-x64
1XWorm V5.2...re.dll
windows7-x64
1XWorm V5.2...re.dll
windows10-2004-x64
1XWorm V5.2...rs.dll
windows7-x64
1XWorm V5.2...rs.dll
windows10-2004-x64
1XWorm V5.2...ed.dll
windows7-x64
1XWorm V5.2...ed.dll
windows10-2004-x64
1XWorm V5.2...ls.dll
windows7-x64
1XWorm V5.2...ls.dll
windows10-2004-x64
1XWorm V5.2/NAudio.dll
windows7-x64
1XWorm V5.2/NAudio.dll
windows10-2004-x64
1XWorm V5.2...on.dll
windows7-x64
1XWorm V5.2...on.dll
windows10-2004-x64
1XWorm V5.2...ws.dll
windows7-x64
1XWorm V5.2...ws.dll
windows10-2004-x64
1XWorm V5.2...ne.dll
windows7-x64
1XWorm V5.2...ne.dll
windows10-2004-x64
1XWorm V5.2...at.dll
windows7-x64
1XWorm V5.2...at.dll
windows10-2004-x64
1XWorm V5.2...rd.dll
windows7-x64
1XWorm V5.2...rd.dll
windows10-2004-x64
1Analysis
-
max time kernel
135s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
27-10-2024 13:30
Behavioral task
behavioral1
Sample
XWorm V5.2.rar
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
XWorm V5.2.rar
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
XWorm V5.2/Mono.Cecil.Mdb.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
XWorm V5.2/Mono.Cecil.Mdb.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
XWorm V5.2/Mono.Cecil.Pdb.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
XWorm V5.2/Mono.Cecil.Pdb.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
XWorm V5.2/Mono.Cecil.Rocks.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
XWorm V5.2/Mono.Cecil.Rocks.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
XWorm V5.2/Mono.Cecil.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
XWorm V5.2/Mono.Cecil.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
XWorm V5.2/MonoMod.Backports.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
XWorm V5.2/MonoMod.Backports.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
XWorm V5.2/MonoMod.Core.dll
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
XWorm V5.2/MonoMod.Core.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
XWorm V5.2/MonoMod.ILHelpers.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
XWorm V5.2/MonoMod.ILHelpers.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
XWorm V5.2/MonoMod.Iced.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
XWorm V5.2/MonoMod.Iced.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
XWorm V5.2/MonoMod.Utils.dll
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
XWorm V5.2/MonoMod.Utils.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
XWorm V5.2/NAudio.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
XWorm V5.2/NAudio.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
XWorm V5.2/Newtonsoft.Json.dll
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
XWorm V5.2/Newtonsoft.Json.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
XWorm V5.2/Plugins/ActiveWindows.dll
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
XWorm V5.2/Plugins/ActiveWindows.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
XWorm V5.2/Plugins/All-In-One.dll
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
XWorm V5.2/Plugins/All-In-One.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
XWorm V5.2/Plugins/Chat.dll
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
XWorm V5.2/Plugins/Chat.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
XWorm V5.2/Plugins/Clipboard.dll
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
XWorm V5.2/Plugins/Clipboard.dll
Resource
win10v2004-20241007-en
General
-
Target
XWorm V5.2.rar
-
Size
30.2MB
-
MD5
f343d9455a27c194b221d7f1c76eef3d
-
SHA1
ce9371c845dc7f90cfb9454192585be1598b7439
-
SHA256
04514a36f74d6d54a58504f54ce8b20755887cffd1c9857d2efe37a94fb4056b
-
SHA512
7a2ba77292709592cd06acf0b23ee0d17e053ce6779871343aee00567895f88bb2ec35ca2831348debabe9739d214a47be268ea4bddd0cc91a69bae61b4a2817
-
SSDEEP
786432:yylsf3F/xaN4VCp3K7c+peEJfi2IxFTb43NJuaaJxyXzmp:7s39saVCpZ8rfi3x+TPnjmp
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2724 XWorm V5.2.exe -
Loads dropped DLL 1 IoCs
pid Process 2724 XWorm V5.2.exe -
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/files/0x000b00000001225f-9.dat agile_net behavioral1/memory/2724-11-0x0000000000910000-0x0000000001548000-memory.dmp agile_net -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings 7zFM.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2860 7zFM.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2860 7zFM.exe 2796 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeRestorePrivilege 2860 7zFM.exe Token: 35 2860 7zFM.exe Token: SeSecurityPrivilege 2860 7zFM.exe Token: SeSecurityPrivilege 2860 7zFM.exe Token: SeDebugPrivilege 2724 XWorm V5.2.exe Token: SeSecurityPrivilege 2860 7zFM.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 2860 7zFM.exe 2860 7zFM.exe 2860 7zFM.exe 2860 7zFM.exe 2860 7zFM.exe 2860 7zFM.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2796 AcroRd32.exe 2796 AcroRd32.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2860 wrote to memory of 2724 2860 7zFM.exe 31 PID 2860 wrote to memory of 2724 2860 7zFM.exe 31 PID 2860 wrote to memory of 2724 2860 7zFM.exe 31 PID 2724 wrote to memory of 2608 2724 XWorm V5.2.exe 32 PID 2724 wrote to memory of 2608 2724 XWorm V5.2.exe 32 PID 2724 wrote to memory of 2608 2724 XWorm V5.2.exe 32 PID 2860 wrote to memory of 2796 2860 7zFM.exe 33 PID 2860 wrote to memory of 2796 2860 7zFM.exe 33 PID 2860 wrote to memory of 2796 2860 7zFM.exe 33 PID 2860 wrote to memory of 2796 2860 7zFM.exe 33
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\7zOC2BF1417\XWorm V5.2.exe"C:\Users\Admin\AppData\Local\Temp\7zOC2BF1417\XWorm V5.2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2724 -s 6643⤵PID:2608
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zOC2B3E657\XWorm V5.2.exe.config"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2796
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
183B
MD566f09a3993dcae94acfe39d45b553f58
SHA19d09f8e22d464f7021d7f713269b8169aed98682
SHA2567ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
Filesize
12.2MB
MD58b7b015c1ea809f5c6ade7269bdc5610
SHA1c67d5d83ca18731d17f79529cfdb3d3dcad36b96
SHA2567fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e
SHA512e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180
-
Filesize
112KB
MD52f1a50031dcf5c87d92e8b2491fdcea6
SHA171e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA25647578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA5121c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
-
Filesize
3KB
MD57d076212c7d5772cd898541981b8e23e
SHA1f059aef3602babc194d728008986517b0591e597
SHA2567a43e289bc85f876ba522427b27cd6a18c2b531e7b9cfda2317e6788c852d05b
SHA512eeb0199a59aec860244c580f6be2c98f35cb8ddfc4b62195fd8121c25a2c86fdfa27dbf17227d50d38d82ba4898cbc6e1a16eba96fd401b2c17ffda5cf00fc84