24ea380b035e8768f116f4e20aa1bede85c070c5511b439a020a700ac94b7723

General

Target

XWorm V5.6.zip
Size

24.5MB
MD5

547e575e76fe43feed2f97b0a6b68b3e
SHA1

631dcbd8db53d6275b6236d766a72ad31f5079d4
SHA256

24ea380b035e8768f116f4e20aa1bede85c070c5511b439a020a700ac94b7723
SHA512

630f72520ff9dae8d7cbe4237d1cc6964397867fedf3ca154b9c5bff443bcbad3d574a38ac06af3bf4e280fc9538e0c0bbe54ab90fb333d208193f35342b6ec5
SSDEEP

393216:VyavqxXFeuBc9Q+Fdt6ieJS9xCZGb7kjjJ6AKbKrbdcjXo50Ko+Y2ToxYP:Vy5xXDBYQwn63qkjBKego5Ho+x

Score

1^/10

Malware Config

Signatures

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2356	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2748	7zFM.exe
Token: 35	2748	7zFM.exe
Token: SeSecurityPrivilege	2748	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2748	7zFM.exe
2748	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1736	MiniSearchHost.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4740

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:676

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\a.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\a.bat" "
1⤵
PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\a.bat" "
1⤵
PID:2104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\38a5e699-f895-47c3-91af-a0ddb4126f5a.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
96329c73cc49cd960e2485210d01c4d2

SHA1
a496b98ad2f2bbf26687b5b7794a26aa4470148e

SHA256
4c159cab6c9ef5ff39e6141b0ccb5b8c6251a3d637520609dfbdd852fa94d466

SHA512
e98736a879cad24c693d6c5939654b2fd25bf9d348f738668624214f22d541a9b781c967201ab2d43cbac9207946824a0299d482485f4b63c48d5d2a839e5baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECBA32CF7\XWorm V5.6\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Desktop\a.bat

Filesize
30B

MD5
2d7899117b6eea8e7cbcbc3de1652470

SHA1
00b654d6e48fd5601c9bf43f85e4691af0cf8683

SHA256
a11d7debaa9b6e1ec4faaf1b3a203552610d30741e3231cae89c8b4f8ec0aa23

SHA512
78bdbf309b47e6dd2094709c9fee7acf9fa7d2c26e272762b98bf585b3b19f92a4c7fb1e309b11e537e338c11ec0bb9b9ea334eacf3a388e520ab174093f96ad

Download Submit
C:\Users\Admin\Desktop\a.bat

Filesize
18B

MD5
e1bf562147469a863f9c3447954c4f93

SHA1
1b3f2e7ce3c048749a87cb2b035b2c751018d043

SHA256
dc11a25d29640b63b7ab9b9770bae3f1b36ed6ae008081ec7c03ecb3cc2ae865

SHA512
c325bce464d888c28572a21547277a39843e7cd7ccbc6c986bc1a73029d05d5d6648e70bfa4842a41133a37167143cd75230dcc33c02dba22abc5bd9cab4b22e

Download Submit

Analysis

Sharing