Analysis Overview
SHA256
1e5b7a3517657a80592c03a3092c606fb4d89393ae7ee45e64066ba69cfed9d3
Threat Level: Known bad
The file XWorm-5.6-main.rar was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
Stormkitty family
Xworm family
Detect Xworm Payload
StormKitty payload
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-29 14:50
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
StormKitty payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Stormkitty family
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-29 14:50
Reported
2024-11-29 14:52
Platform
win10ltsc2021-20241023-en
Max time kernel
75s
Max time network
68s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x3d8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.201.84.in-addr.arpa | udp |
Files
memory/1472-0-0x00007FFDD9313000-0x00007FFDD9315000-memory.dmp
memory/1472-1-0x0000028D18340000-0x0000028D19228000-memory.dmp
memory/1472-2-0x00007FFDD9310000-0x00007FFDD9DD2000-memory.dmp
memory/1472-3-0x0000028D362F0000-0x0000028D364E4000-memory.dmp
memory/1472-4-0x00007FFDD9310000-0x00007FFDD9DD2000-memory.dmp
memory/1472-5-0x00007FFDD9313000-0x00007FFDD9315000-memory.dmp
memory/1472-6-0x00007FFDD9310000-0x00007FFDD9DD2000-memory.dmp
memory/1472-7-0x00007FFDD9310000-0x00007FFDD9DD2000-memory.dmp
memory/1472-8-0x00007FFDD9310000-0x00007FFDD9DD2000-memory.dmp
memory/1472-9-0x00007FFDD9310000-0x00007FFDD9DD2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-29 14:50
Reported
2024-11-29 14:55
Platform
win11-20241007-en
Max time kernel
300s
Max time network
277s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004DC
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/3628-0-0x00007FFA87763000-0x00007FFA87765000-memory.dmp
memory/3628-1-0x00000276AC780000-0x00000276AD668000-memory.dmp
memory/3628-2-0x00007FFA87760000-0x00007FFA88222000-memory.dmp
memory/3628-3-0x00000276C9A30000-0x00000276C9C24000-memory.dmp
memory/3628-4-0x00007FFA87760000-0x00007FFA88222000-memory.dmp
memory/3628-5-0x00007FFA87763000-0x00007FFA87765000-memory.dmp
memory/3628-6-0x00007FFA87760000-0x00007FFA88222000-memory.dmp
memory/3628-7-0x00007FFA87760000-0x00007FFA88222000-memory.dmp
memory/3628-8-0x00007FFA87760000-0x00007FFA88222000-memory.dmp
memory/3628-9-0x00007FFA87760000-0x00007FFA88222000-memory.dmp
memory/3628-11-0x00000276C7F80000-0x00000276C7F89000-memory.dmp
memory/3628-10-0x00000276C8760000-0x00000276C87A6000-memory.dmp
memory/3628-14-0x00000276C99E0000-0x00000276C99EB000-memory.dmp
memory/3628-13-0x00000276C99C0000-0x00000276C99DE000-memory.dmp
memory/3628-12-0x00000276C99B0000-0x00000276C99BD000-memory.dmp