Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-11-2024 20:28
Behavioral task
behavioral1
Sample
XWorm-5.6-main/Xworm V5.6.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
XWorm-5.6-main/Xworm V5.6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
XWorm-5.6-main/XwormLoader.exe
Resource
win7-20240903-en
General
-
Target
XWorm-5.6-main/Xworm V5.6.exe
-
Size
14.9MB
-
MD5
56ccb739926a725e78a7acf9af52c4bb
-
SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc
-
SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
-
SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1
-
SSDEEP
196608:P4/BAe1d4ihvy85JhhYc3BSL1kehn4inje:PuyIhhkRka4i
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Xworm V5.6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Xworm V5.6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion Xworm V5.6.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 1560 ipconfig.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe 1784 Xworm V5.6.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 1644 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1644 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1784 Xworm V5.6.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1784 Xworm V5.6.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3796 wrote to memory of 1560 3796 cmd.exe 120 PID 3796 wrote to memory of 1560 3796 cmd.exe 120
Processes
-
C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe"C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1784
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:4880
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\system32\ipconfig.exeipconfig2⤵
- Gathers network information
PID:1560
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x324 0x2ec1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644