Analysis

  • max time kernel
    135s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-10-2024 13:30

General

  • Target

    XWorm V5.2.rar

  • Size

    30.2MB

  • MD5

    f343d9455a27c194b221d7f1c76eef3d

  • SHA1

    ce9371c845dc7f90cfb9454192585be1598b7439

  • SHA256

    04514a36f74d6d54a58504f54ce8b20755887cffd1c9857d2efe37a94fb4056b

  • SHA512

    7a2ba77292709592cd06acf0b23ee0d17e053ce6779871343aee00567895f88bb2ec35ca2831348debabe9739d214a47be268ea4bddd0cc91a69bae61b4a2817

  • SSDEEP

    786432:yylsf3F/xaN4VCp3K7c+peEJfi2IxFTb43NJuaaJxyXzmp:7s39saVCpZ8rfi3x+TPnjmp

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\AppData\Local\Temp\7zOC2BF1417\XWorm V5.2.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOC2BF1417\XWorm V5.2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2724 -s 664
        3⤵
          PID:2608
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zOC2B3E657\XWorm V5.2.exe.config"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2796

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7zOC2B3E657\XWorm V5.2.exe.config

      Filesize

      183B

      MD5

      66f09a3993dcae94acfe39d45b553f58

      SHA1

      9d09f8e22d464f7021d7f713269b8169aed98682

      SHA256

      7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

      SHA512

      c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

    • C:\Users\Admin\AppData\Local\Temp\7zOC2BF1417\XWorm V5.2.exe

      Filesize

      12.2MB

      MD5

      8b7b015c1ea809f5c6ade7269bdc5610

      SHA1

      c67d5d83ca18731d17f79529cfdb3d3dcad36b96

      SHA256

      7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

      SHA512

      e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

    • C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

      Filesize

      112KB

      MD5

      2f1a50031dcf5c87d92e8b2491fdcea6

      SHA1

      71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

      SHA256

      47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

      SHA512

      1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

    • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

      Filesize

      3KB

      MD5

      7d076212c7d5772cd898541981b8e23e

      SHA1

      f059aef3602babc194d728008986517b0591e597

      SHA256

      7a43e289bc85f876ba522427b27cd6a18c2b531e7b9cfda2317e6788c852d05b

      SHA512

      eeb0199a59aec860244c580f6be2c98f35cb8ddfc4b62195fd8121c25a2c86fdfa27dbf17227d50d38d82ba4898cbc6e1a16eba96fd401b2c17ffda5cf00fc84

    • memory/2724-11-0x0000000000910000-0x0000000001548000-memory.dmp

      Filesize

      12.2MB

    • memory/2724-18-0x000000001CAB0000-0x000000001D69C000-memory.dmp

      Filesize

      11.9MB
