07f410a24d31af2090a87ffd170bb0cb876aa1e735a754b1dbf50aa57a63a3bb

Analysis

max time kernel
37s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.2.7z
Size

28.8MB
MD5

b965c5e95b3aa608de9bfc6af57df8ee
SHA1

65dc4c9e615182565c60f1d20e297af4652605eb
SHA256

07f410a24d31af2090a87ffd170bb0cb876aa1e735a754b1dbf50aa57a63a3bb
SHA512

bd420b2f44aa9ca424332e6feca63072ac011fdf377dbfd73628c503452e3efcdb131bd6a4091d84aab0d7b3df3da2887bbf47be33eb44dccc9ee1dea3edf7f8
SSDEEP

786432:5qVjpgbD+4a7wlwyYqmsN7tCUEFqkaUgTiJaqji3JVFuVbL:WgbD+XGKqmsNZmNgtIi5VFMP

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3036	XWormLoader 5.2 x32.exe

Loads dropped DLL 5 IoCs

pid	Process
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWormLoader 5.2 x32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1400	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1400	7zFM.exe
Token: 35	1400	7zFM.exe
Token: SeSecurityPrivilege	1400	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1400	7zFM.exe
1400	7zFM.exe
1400	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1400

C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x32.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x32.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE87513277\XWorm V5.2\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x32.exe

Filesize
109KB

MD5
f3b2ec58b71ba6793adcc2729e2140b1

SHA1
d9e93a33ac617afe326421df4f05882a61e0a4f2

SHA256
2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

SHA512
473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x32.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit