Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17-11-2024 10:37
Behavioral task
behavioral1
Sample
XWorm V5.6/XwormV5.6.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
XWorm V5.6/XwormV5.6.exe
Resource
win10v2004-20241007-en
General
-
Target
XWorm V5.6/XwormV5.6.exe
-
Size
15.0MB
-
MD5
2ff4c5a7eff1d9f19e23156dceeca4d0
-
SHA1
d8c175bb2b968713d48b37e1d018c8736a34ea6d
-
SHA256
198f82a2b491cb5c769d25c03ea7908161e20a9b51b585099f7088cef5c4323e
-
SHA512
2c839576c2a9ce47b4d37325417a4055e4f8674323b6b1a558fac35628eaf32e354271936ceb8dc6a38ccc24b170cc17c08e74a994e8363831b410810d676a05
-
SSDEEP
3072:LJKhDbtkb2D7wyOQnxZd+xYoPdLa5a47Qnx5RUUOMlv1s8W:LJKhDSbFGExYoPJatsjtlv1s8
Malware Config
Extracted
xworm
193.161.193.99:63603
37.4.250.173:63603
-
Install_directory
%AppData%
-
install_file
XwormV6.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/3060-1-0x00000000000D0000-0x00000000000F4000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2236 powershell.exe 2936 powershell.exe 2744 powershell.exe 2528 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XwormV6.lnk XwormV5.6.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XwormV6.lnk XwormV5.6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2236 powershell.exe 2936 powershell.exe 2744 powershell.exe 2528 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 3060 XwormV5.6.exe Token: SeDebugPrivilege 2236 powershell.exe Token: SeDebugPrivilege 2936 powershell.exe Token: SeDebugPrivilege 2744 powershell.exe Token: SeDebugPrivilege 2528 powershell.exe Token: SeDebugPrivilege 3060 XwormV5.6.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3060 wrote to memory of 2236 3060 XwormV5.6.exe 30 PID 3060 wrote to memory of 2236 3060 XwormV5.6.exe 30 PID 3060 wrote to memory of 2236 3060 XwormV5.6.exe 30 PID 3060 wrote to memory of 2936 3060 XwormV5.6.exe 32 PID 3060 wrote to memory of 2936 3060 XwormV5.6.exe 32 PID 3060 wrote to memory of 2936 3060 XwormV5.6.exe 32 PID 3060 wrote to memory of 2744 3060 XwormV5.6.exe 34 PID 3060 wrote to memory of 2744 3060 XwormV5.6.exe 34 PID 3060 wrote to memory of 2744 3060 XwormV5.6.exe 34 PID 3060 wrote to memory of 2528 3060 XwormV5.6.exe 37 PID 3060 wrote to memory of 2528 3060 XwormV5.6.exe 37 PID 3060 wrote to memory of 2528 3060 XwormV5.6.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormV5.6.exe"C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormV5.6.exe"1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormV5.6.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XwormV5.6.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XwormV6.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XwormV6.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD594bb17432073e9412eac7c6452408e94
SHA1d925814c7f77ee20bfe0d5ad36915af5eec0c056
SHA25682fe84321afeab6abbb309ce4f0010986f6cd92cbf46b4b5d561df4f0bf22704
SHA512b76517dec1ff00742b58670f493ab897679f6b1054a41176c9eb6ca3b4a011dcaae13af7cb49c6dfdee23086597fc7580f167bbe2c7c2b85ad9f39b342225097