eb382d10ac17cb218ad59623cbcd5eb9c530aa5ee8735e8f09d7564f5ce027bb

General

Target

only-me-main.rar
Size

30.2MB
MD5

0fa1112b9f38c1c7aceb359124320ea9
SHA1

39a50627700823db60e1f4246db18a5542e26e81
SHA256

eb382d10ac17cb218ad59623cbcd5eb9c530aa5ee8735e8f09d7564f5ce027bb
SHA512

0557d81c30f25e66de3ae4a595ecebfefee9c57ebe0ad9553056bf1440e758ac625bb680dfa2528d0317ff3e40d1e17440249c28368a919da822f42778658911
SSDEEP

786432:qy4dp35cJD55AylVCp3K7kMpeEJfi2I7rYNJuaaJxyXzmD:qp35cD22VCpLqrfi37GPnjmD

Score

7^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4528	XWorm V5.2.exe

Loads dropped DLL 1 IoCs

pid	Process
4528	XWorm V5.2.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x001900000002abb2-171.dat	agile_net
behavioral1/memory/4528-174-0x0000029BB5F10000-0x0000029BB6B48000-memory.dmp	agile_net

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3872	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3872	7zFM.exe
Token: 35	3872	7zFM.exe
Token: SeSecurityPrivilege	3872	7zFM.exe
Token: SeDebugPrivilege	4528	XWorm V5.2.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3872	7zFM.exe
3872	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\only-me-main.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2376

C:\Users\Admin\Desktop\only-me-main\only-me-main\only-me-main\only-me-main\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\Desktop\only-me-main\only-me-main\only-me-main\only-me-main\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE02F91A87\only-me-main\only-me-main\only-me-main\only-me-main\XWorm V5.2\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\Desktop\only-me-main\only-me-main\only-me-main\only-me-main\XWorm V5.2\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\only-me-main\only-me-main\only-me-main\only-me-main\XWorm V5.2\XWorm V5.2.exe

Filesize
12.2MB

MD5
8b7b015c1ea809f5c6ade7269bdc5610

SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96

SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

Download Submit
C:\Users\Admin\Desktop\only-me-main\only-me-main\only-me-main\only-me-main\XWorm V5.2\XWorm V5.2.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/4528-173-0x00007FFAFF0E3000-0x00007FFAFF0E5000-memory.dmp

Filesize
8KB

Download
memory/4528-174-0x0000029BB5F10000-0x0000029BB6B48000-memory.dmp

Filesize
12.2MB

Download
memory/4528-182-0x00007FFAFF0E0000-0x00007FFAFFBA2000-memory.dmp

Filesize
10.8MB

Download
memory/4528-183-0x0000029BD1F90000-0x0000029BD2B7C000-memory.dmp

Filesize
11.9MB

Download
memory/4528-185-0x0000029BD2E70000-0x0000029BD3064000-memory.dmp

Filesize
2.0MB

Download
memory/4528-186-0x00007FFAFF0E3000-0x00007FFAFF0E5000-memory.dmp

Filesize
8KB

Download
memory/4528-187-0x00007FFAFF0E0000-0x00007FFAFFBA2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing