Overview

overview

10

Static

static

10

XWorm-5.6-main.zip

windows11-21h2-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    100s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24-11-2024 16:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm-5.6-main.zip

  • Size

    25.1MB

  • MD5

    95c1c4a3673071e05814af8b2a138be4

  • SHA1

    4c08b79195e0ff13b63cfb0e815a09dc426ac340

  • SHA256

    7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

  • SHA512

    339a47ecfc6d403beb55d51128164a520c4bea63733be3cfd47aec47953fbf2792aa4e150f4122994a7620122b0e0fc20c1eeb2f9697cf5578df08426820fecd

  • SSDEEP

    786432:Ty5jMDNnx2+4NYobtH8VVtKqi9+i514XZ/pjYlp0:MMDNnxV4iobxibiIi5MpjYv0

Score
10/10
lummaxwormdiscoveryratstealertrojan

Malware Config

Extracted

Family

lumma

C2

https://pillowbrocccolipe.shop/api

https://communicationgenerwo.shop/api

https://diskretainvigorousiw.shop/api

https://affordcharmcropwo.shop/api

https://dismissalcylinderhostw.shop/api

https://enthusiasimtitleow.shop/api

https://worryfillvolcawoi.shop/api

https://cleartotalfisherwo.shop/api

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

GVVMhs9us05bGRo4

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4284
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1648
    • C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe
      "C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4904
    • C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe
      "C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe"
      1⤵
      • Executes dropped EXE
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vdpjj512\vdpjj512.cmdline"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:340
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C4F29C8E54A48849DCD75C647E734BE.TMP"
          3⤵
            PID:1084
      • C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe
        "C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:636
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:1000
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004B8
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4480

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\7zECB0522B7\XWorm-5.6-main\Icons\icon (15).ico
          Filesize

          361KB

          MD5

          e3143e8c70427a56dac73a808cba0c79

          SHA1

          63556c7ad9e778d5bd9092f834b5cc751e419d16

          SHA256

          b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

          SHA512

          74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES14E6.tmp
          Filesize

          1KB

          MD5

          8f97a3e3df1e4996b4cd1477d38e4449

          SHA1

          87cba0d85df2fd1b69494c37b28113ce1251dcbd

          SHA256

          7f3df48f5c88abb5927fb767f795e41c3e65f254769cbae21e0574611a647b14

          SHA512

          640743629a382a9a3976dae1a90cf7da216c34b2818747359e5fe8a7bbad81db8b686073aeac09f9737217f83f299b889cbcefe05876713f53d6b0802b5c5175

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\vbc6C4F29C8E54A48849DCD75C647E734BE.TMP
          Filesize

          1KB

          MD5

          d40c58bd46211e4ffcbfbdfac7c2bb69

          SHA1

          c5cf88224acc284a4e81bd612369f0e39f3ac604

          SHA256

          01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

          SHA512

          48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\vdpjj512\vdpjj512.0.vb
          Filesize

          78KB

          MD5

          75bff422eebbd58e95adf79a75b7566c

          SHA1

          34f96b9e57a8a146fbe22e02b7945ec1be9feb81

          SHA256

          9782fed5bb9267c1c6f6cc224fc6255a9e8522543d3dc3a94867fe59b67928c6

          SHA512

          b050fd85974846fbf27ef1990ba0b58cd1cea1833edc1ea2e9bee010fbb83c783a99aa607afdce0a066729fcdfa6074a76a795e0dea4b3631ed8038bfd2361d2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\vdpjj512\vdpjj512.cmdline
          Filesize

          290B

          MD5

          1229939cd0957896ec026b6955c8e5e3

          SHA1

          86ced7fc71a0eda342e156a4593be5827ccaf610

          SHA256

          a0a649bc263881c0047a8fadc3631dd69f75aba55f485b12064768ad41445c51

          SHA512

          0bd5057ee8f1a71bcf21b076094ccf215c96b6e46b211da6d039f6ae01f1a7f0156a9dd5e1e919d81e6942317487e9876ee04d906820243bd2c84d2ea0869c3c

          Download Submit

        • C:\Users\Admin\Desktop\XClient.exe
          Filesize

          32KB

          MD5

          752c483e93afbf1c176b90c663654971

          SHA1

          9f321784a6634380d2ada5e43619db1b6c3ee8a9

          SHA256

          4d0af067c932ebf7375bc9973e613452d0d01002d10aacdc3c82a82ee1ee7303

          SHA512

          5ac56f452fe4c74015751961f517bffd57e8231bd2d3a2550b9a8770c712dafb1bf7685a83ee425ef2f82dc362bf481d62a7e73252034ab676ca28e7f1296843

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\GeoIP.dat
          Filesize

          1.2MB

          MD5

          8ef41798df108ce9bd41382c9721b1c9

          SHA1

          1e6227635a12039f4d380531b032bf773f0e6de0

          SHA256

          bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

          SHA512

          4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Guna.UI2.dll
          Filesize

          1.9MB

          MD5

          bcc0fe2b28edd2da651388f84599059b

          SHA1

          44d7756708aafa08730ca9dbdc01091790940a4f

          SHA256

          c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

          SHA512

          3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (1).ico
          Filesize

          97KB

          MD5

          4f409511e9f93f175cd18187379e94cb

          SHA1

          598893866d60cd3a070279cc80fda49ee8c06c9b

          SHA256

          115f0db669b624d0a7782a7cfaf6e7c17282d88de3a287855dbd6fe0f8551a8f

          SHA512

          0d1f50243a3959968174aa3fd8f1a163946e9f7e743cbb2c9ef2492073f20da97949bf7d02c229096b97482ff725c08406e2e9aa72c820489535758470cf604f

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (10).ico
          Filesize

          115KB

          MD5

          ad1740cb3317527aa1acae6e7440311e

          SHA1

          7a0f8669ed1950db65632b01c489ed4d9aba434e

          SHA256

          7a97547954aaad629b0563cc78bca75e3339e8408b70da2ed67fa73b4935d878

          SHA512

          eee7807b78d4dd27b51cee07a6567e0d022180e007e1241266f4c53f1192c389be97332fcd9f0b8fda50627b40b8cf53027872304a68a210f4d754aa0243b0c2

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (11).ico
          Filesize

          9KB

          MD5

          1c2cea154deedc5a39daec2f1dadf991

          SHA1

          6b130d79f314fa9e4015758dea5f331bbe1e8997

          SHA256

          3b64b79e4092251ebf090164cd2c4815390f34849bbd76fb51085b6a13301b6d

          SHA512

          dceebc1e6fdfe67afebaef1aff11dd23eda6fae79eb6b222de16edebdfebd8e45de896e501608254fb041824080cb41c81ac972032638407efc6bfeb930bfd00

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (12).ico
          Filesize

          9KB

          MD5

          4ea9ab789f5ae96766e3f64c8a4e2480

          SHA1

          423cb762ce81fab3b2b4c9066fe6ea197d691770

          SHA256

          84b48ca52dfcd7c74171cf291d2ef1247c3c7591a56b538083834d82857fee50

          SHA512

          f917059b6f85e4a25909a27cad38b1ef0659161c32df54860226ff3d858127d8da592ea9072ad41d5a9986dd8c04a37e9ad34e2251883a8c2f0933e6aa201414

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (16).ico
          Filesize

          97KB

          MD5

          14465d8d0f4688a4366c3bf163ba0a17

          SHA1

          9f1fa68a285db742e4834f7d670cae415ce6b3b6

          SHA256

          3f3c5ce486e5b9fa88dc60b60916053e8808c69167df1a11287fd3cd6db1ca6e

          SHA512

          01db4fac75136baf9c162265785877b21fba9c4b8d9dbe4e495191f15aa9c914e3d5baf1c4606041279a7138c7e5c8f4ccf6e64689354fc3fb3fa66ab3b1da2d

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (2).ico
          Filesize

          112KB

          MD5

          f1463f4e1a6ef6cc6e290d46830d2da1

          SHA1

          bda0d74a53c3f7aaf0da0f375d0c1b5aca2a7aaf

          SHA256

          142b529799268a753f5214265c53a26a7a6f8833b31640c90a69a4ff94cee5ec

          SHA512

          0fa93d009cc2f007d19e6fdda7ebe44c7ed77f30b49a6ef65c319133c0570ab84f2d86e8282b5069d7f2e238547722ac3966d2fa2fae4504133f0001a0387ae2

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (3).ico
          Filesize

          131KB

          MD5

          a512719efc9e6ecc5e2375abceb1669a

          SHA1

          51fae98edfab7cd6b6baac6df5ecbda082eeb1db

          SHA256

          b2f7fb22cd5b935cf19a2f58f7fef9db99db40772ff4bb331a73c345161c2574

          SHA512

          e0153dbc8f3fdda8d1a7082bc30a3895d7f4b3bc2982b4b4ece55653d1b4c293eba3ba6d4a0a581f0f7db95ab287d6616ef7bf03af4485904111798bf9d9e625

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (4).ico
          Filesize

          125KB

          MD5

          9c053bef57c4a7b575a0726af0e26dae

          SHA1

          47148d30bc9a6120a1d92617bf1f3e1ba6ca1a2c

          SHA256

          5bb21d6c04ed64a1368dace8f44aff855860e69f235492a5dc8b642a9ea88e41

          SHA512

          482d639ba60f57827d8a343f807f4f914289c45643307efaa666b584a085fe01ac7892252f41b7756fde93d215b4f3fed16e608bc45102d320d77239fa93146a

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (5).ico
          Filesize

          100KB

          MD5

          9dbdd6972e129d31568661a89c81d8f9

          SHA1

          747399af62062598120214cef29761c367cfd28a

          SHA256

          45c85bdaaf0e0c30678d8d77e2585871ea6d1298ee0d30037745bacea6338484

          SHA512

          e52572de3f0d57d24a24d65eca4ff638890ccc9c5aca3f213ff885eda3c40de115849eb64c341f557d601f566ce21f8fc0df25cc4b13aaad5e941449a6b7f87d

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (6).ico
          Filesize

          106KB

          MD5

          d7c9666d30936e29ce156a2e04807863

          SHA1

          845e805d55156372232e0110e5dc80380e2cb1e5

          SHA256

          6ea04cf08751a2f6bb2f0e994258a44d5183b6cdb1471a0ee285659eada045b5

          SHA512

          3cfd7a41f65c5a0dc23a90c6af358179efb3ae771f50534c3d76c486fe2d432ea3128a46b4b367c4714e86e8c0862a7385bd80662fe6ea82d7048f453570ed56

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (7).ico
          Filesize

          164KB

          MD5

          7891c91d1761dc8a8846d362e6e31869

          SHA1

          0229bb01b7b4a0fca305eb521ec5dfbaa53674ea

          SHA256

          29d38c75af79aa0554f34cdfecb311f88f8dd02b02facaa299b9700841806ab8

          SHA512

          ed14614a706da985566853dc13df0d1128a718f39ec9957320813803fe07e59de337d51033970e2f57d9f56da3546c506f5f0f3becfa91ce741576855be14ba7

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (8).ico
          Filesize

          108KB

          MD5

          af1739a9b1a1bf72e7072ad9551c6eea

          SHA1

          8da0a34c3a8040c4b7c67d7143c853c71b3d208d

          SHA256

          a65cbbdc2ca671a9edd7edac0c6737b3b116e357727e003e5fdeff163c6c21ab

          SHA512

          eeeac307371c38b75e256083c55a3fe4ab096c1c7520a4b7acb40fad3af5a0d6c88aaf85f2c3e418034abee422c2a3ba13731adf7ee6078016da4dd2e989b120

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (9).ico
          Filesize

          264KB

          MD5

          3e24e40b41ecc59750c9231d8f8da40b

          SHA1

          91a701cf25aea2984f75846b6c83865d668ccad6

          SHA256

          bd1c33a67244801e828035904882ec53bd2ea8a1db9265a06d1aa08cf444ca80

          SHA512

          fe62edddb62dd4b695f1ef40ffb7a0119d480d1c176f0254acee19a45d6433ef6c308acbe567c721018390626c71f7a0f7bcd195d59d54c19cf019f13c4f7572

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\SimpleObfuscator.dll
          Filesize

          1.4MB

          MD5

          9043d712208178c33ba8e942834ce457

          SHA1

          e0fa5c730bf127a33348f5d2a5673260ae3719d1

          SHA256

          b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

          SHA512

          dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Sounds\Intro.wav
          Filesize

          238KB

          MD5

          ad3b4fae17bcabc254df49f5e76b87a6

          SHA1

          1683ff029eebaffdc7a4827827da7bb361c8747e

          SHA256

          e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

          SHA512

          3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe
          Filesize

          14.9MB

          MD5

          56ccb739926a725e78a7acf9af52c4bb

          SHA1

          5b01b90137871c3c8f0d04f510c4d56b23932cbc

          SHA256

          90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

          SHA512

          2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe.config
          Filesize

          183B

          MD5

          66f09a3993dcae94acfe39d45b553f58

          SHA1

          9d09f8e22d464f7021d7f713269b8169aed98682

          SHA256

          7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

          SHA512

          c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

          Download Submit

        • C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe
          Filesize

          490KB

          MD5

          9c9245810bad661af3d6efec543d34fd

          SHA1

          93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d

          SHA256

          f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

          SHA512

          90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

          Download Submit

        • memory/636-265-0x0000000000900000-0x000000000094B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/636-270-0x0000000000900000-0x000000000094B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/3224-288-0x00000246E67A0000-0x00000246E6908000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3224-263-0x00007FF9EA4C3000-0x00007FF9EA4C5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3224-262-0x00000246DEAF0000-0x00000246DECE4000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3224-260-0x00000246C1BF0000-0x00000246C2AD8000-memory.dmp

          Filesize

          14.9MB

          Download

        • memory/3224-259-0x00007FF9EA4C3000-0x00007FF9EA4C5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4904-255-0x00000000012F0000-0x000000000133B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4904-253-0x00000000011E0000-0x00000000011E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4904-254-0x00000000011E0000-0x00000000011E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4904-251-0x00000000011E0000-0x00000000011E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4904-246-0x00000000012F0000-0x000000000133B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4904-252-0x00000000011E0000-0x00000000011E1000-memory.dmp

          Filesize

          4KB

          Download