7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-5.6-main/Xworm V5.6.exe
Size

14.9MB
MD5

56ccb739926a725e78a7acf9af52c4bb
SHA1

5b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA256

90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
SHA512

2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1
SSDEEP

196608:P4/BAe1d4ihvy85JhhYc3BSL1kehn4inje:PuyIhhkRka4i

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Xworm V5.6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1560 ipconfig.exe

pid	process
1560	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

Xworm V5.6.exe

pid	process
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe
1784	Xworm V5.6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 1644 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1644 AUDIODG.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Xworm V5.6.exe

pid process

1784 Xworm V5.6.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Xworm V5.6.exe

pid process

1784 Xworm V5.6.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 3796 wrote to memory of 1560 3796 cmd.exe ipconfig.exe
PID 3796 wrote to memory of 1560 3796 cmd.exe ipconfig.exe

description	pid	process
Token: 33	1644	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1644	AUDIODG.EXE

description	pid	process	target process
PID 3796 wrote to memory of 1560	3796	cmd.exe	ipconfig.exe
PID 3796 wrote to memory of 1560	3796	cmd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1784

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4880

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:1560

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x324 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1784-0-0x00007FFC187E3000-0x00007FFC187E5000-memory.dmp

Filesize
8KB

Download
memory/1784-1-0x000002421C860000-0x000002421D748000-memory.dmp

Filesize
14.9MB

Download
memory/1784-2-0x00007FFC187E0000-0x00007FFC192A1000-memory.dmp

Filesize
10.8MB

Download
memory/1784-3-0x0000024239290000-0x0000024239484000-memory.dmp

Filesize
2.0MB

Download
memory/1784-4-0x00007FFC187E0000-0x00007FFC192A1000-memory.dmp

Filesize
10.8MB

Download
memory/1784-5-0x00007FFC187E3000-0x00007FFC187E5000-memory.dmp

Filesize
8KB

Download
memory/1784-6-0x00007FFC187E0000-0x00007FFC192A1000-memory.dmp

Filesize
10.8MB

Download
memory/1784-7-0x00007FFC187E0000-0x00007FFC192A1000-memory.dmp

Filesize
10.8MB

Download
memory/1784-8-0x00007FFC187E0000-0x00007FFC192A1000-memory.dmp

Filesize
10.8MB

Download