463eb31b863993ffc7ebd1e67a593c0fc01bfcef367a988191926facfb93d93a

Analysis

max time kernel
194s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm.xml
Size

161B
MD5

c16b0746faa39818049fe38709a82c62
SHA1

3fa322fe6ed724b1bc4fd52795428a36b7b8c131
SHA256

d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad
SHA512

cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 603dc34c774edb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440377059"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{783195F1-BA6A-11EF-BBB7-C6DA928D33CD} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003c13ad211ca3b047916fa8389aed9eb00000000002000000000010660000000100002000000090903a58270f305157ab63f360471cad83d4889773a1092367a95267c4cb336f000000000e8000000002000020000000c7b249dae680a66012821d6de99830516657e69a3305dff830a03af19e9f242e900000001d5f9250a6faac251f13a549fde40019a7facc5945cfd19a3d48b45e58f330f19f761aba1a875639ee16edc276cdc97289abf0bbf3214b0339f83ff70d5f9fdb03d5062b0524b39bdb34817d6839f3f740b1891ae0ac6fb08ef20cce29a3f427b4fb111246efeee3304b2a7534002791eba1df0d60921ed3a94c55739913c3ba05d23f682f2b1ec8994b34f57516f8aa400000000cb79f258a95fda0e9f5e5e7186466804cb7e7ca8c2aec7abf524da10646482e6c248ca763171b6aa3ca9b0783cab87096c3b4163dc15536df77a66671fa8dd0	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003c13ad211ca3b047916fa8389aed9eb00000000002000000000010660000000100002000000008d8da65f14e75a82ebb1538a3baa09f34bcaf239e11484baed583bb279b47d3000000000e8000000002000020000000eb866e448ddbe24eb05e9cef61003ef2d834bb5673cb82900bab381de9c27ea120000000baa01af09df8be6a80de76ce448f25d0a11f4afc4d12031c0af7effe0b5345ad4000000040aa53e431b7cd7580adf8167ba8b90f5458d984822b8724c02cd89467c0800fe3b8d81994f8de5400892da1bc97b8d2a5fb58eaa376fbbd084baf37769dccbd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2052	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
484	IEXPLORE.EXE
484	IEXPLORE.EXE
484	IEXPLORE.EXE
484	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2132	2336	MSOXMLED.EXE	31
PID 2336 wrote to memory of 2132	2336	MSOXMLED.EXE	31
PID 2336 wrote to memory of 2132	2336	MSOXMLED.EXE	31
PID 2336 wrote to memory of 2132	2336	MSOXMLED.EXE	31
PID 2132 wrote to memory of 2052	2132	iexplore.exe	32
PID 2132 wrote to memory of 2052	2132	iexplore.exe	32
PID 2132 wrote to memory of 2052	2132	iexplore.exe	32
PID 2132 wrote to memory of 2052	2132	iexplore.exe	32
PID 2052 wrote to memory of 484	2052	IEXPLORE.EXE	33
PID 2052 wrote to memory of 484	2052	IEXPLORE.EXE	33
PID 2052 wrote to memory of 484	2052	IEXPLORE.EXE	33
PID 2052 wrote to memory of 484	2052	IEXPLORE.EXE	33

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\XWorm.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d45424de5dbeda982d329bb84dd70737

SHA1
9c75996f0c8d704712b223ddfe275f4fef5b986d

SHA256
cd877cfa36c3898fed7059412b254e65da411a0a9b080cec38b1476ae46263c9

SHA512
4cfd34855fa853dd5e5560e606575c3337600c82f0840fcd2c6cd0c9ab75cc75660b91abf7d1e23449d2e3ae945f7bf63b45cf687a042debb25d1acc42f81cde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d46338a0ec95dd80b28c60bd7c0a8a4

SHA1
a23255998be89f2213f7ac7b3d7de9079777919e

SHA256
3d0a5c13001d27ada7d344de2d50699c1d4e940cebabef87fdee6c941c414d42

SHA512
fb5fafa9e2be667a077cd0ec32f0c66e90c168d8b521459e7a88d5718b29b0d4cef5549676755a89d9942384000c6e38d7a1431f3b15f0c2630cd7422705f8f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af864228fac4cf735735d3880eeeedf3

SHA1
02d7446a6dd32ad97fe8ee7214dc2b6fb9313afb

SHA256
be8a946951b398ce78a84da67482ba0b66e5511fbcc78184ec0d01bc4dead859

SHA512
4637b16caa6d3cb99f829dc4022696b59351d4c340f3a96816de4c4e5d015b665fe247dee00227b524b3260bf05a785f46d46c92dfee8e06e541440fe3feb3dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66c2c4bea6fe41b4dca709f7ee412671

SHA1
21cb13d6ecd234e4255cdec6dadb3270f1fba249

SHA256
37f30409ef0b9984efc563f30d5a9db0e18fce4088d0fa41f9122fffd0f72e65

SHA512
2f2205753b57811449a59af29fb597583554adda45783dfe4415ee965ab8a01c77fdd336a600b700ef9d7a44dd05d34e35ebee70edf3fed922bbf23b710c89b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18c301839bc1465593bc05a9a82680c6

SHA1
2378a0fda43ca074f15d8c70f02b5f6e89b3a553

SHA256
19c9f035322a781a1e9f0c25e522f6711bd02b72f338daf59b56a29dda6d6f7d

SHA512
7c2d1a8688d23835d2e55c49a603221b0c119e4e1ec657d3293bd7987fb020b52b77cbfed6387cee5807addd9a0c8b1696ad44a76415dd67adb8d56ace58539c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fef819f8001b8ed725f034247e260d1

SHA1
8ac23b2a1d8005919bfb219164c89d1f9d30254b

SHA256
c4ad684bb1d618d4805824058eccc733de8b74d70c2127ec93de33358212c218

SHA512
e10b6fdab8432bf8abc4e045265c13755bf7084ab5e8eab9658866e6c8d6c3cd0ef55cde7068858d550571d25f0e22075e38890c52ce8e7990ce36eaa9b51b8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6a04684a34e76f781819ed16597dce0

SHA1
778d0f56a3a9a07955682fbbad98989df71109b8

SHA256
e3ab6eccc6ae6f8742b69293fb849b663fe6631c6a3f63eb3cdb8f61a05c12c7

SHA512
fb686778db68e7ec41aa4c52572193b87d7ccccf9226822c033e29522984df5cdd90a928526638b9ae9f347f1b41688c2f59a497cd98578448d465122b24ae95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ade37e5bed8484bda9edd455a430555c

SHA1
6dcd2e09d973b44c239bd6aa901d2d9e5711d0a6

SHA256
c28ce4ef0b6e01b19a7c41a56a527e411108dde81ee9d37bd454302d9798c39a

SHA512
0a5caf1d8dda5eb87ccbd08d4162906ab241842162c821a2a149da6b596fc4559ddf69f1c77ccb0969453a2a786fd596ccbbd97563d193c06feecd64c2acb155

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbf5b2259e1ab903aa3371ecfae4b09a

SHA1
0db3f9f9853f27a75625e82a9780d7a2f0b13636

SHA256
df379bc227360fce566ab38c3ee124d05eb0572d8d41227e761df825dc49a283

SHA512
8db855310c88793561440802b2d9dd7f7f8d410bfc6e3663c80b1f961a8fe428d362dd38ccd0d3ce67a236c85b24dfca16b9fffe604be9ef8a2c8683f2e9cdda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b5bec516366ca326b53d72c30fa8d75

SHA1
725cb557193f6632355fb87e9c9d233457d4b1db

SHA256
28d726ab6eae5d612b2e2ce60b4ad5c28e6ea0fe7e91cf782274caf79eafd2e2

SHA512
023c96af9e6fc2af669edd3dab99ff2ca0a4609fc075ff0e52a616963c3fc1822e15d24bd8a08635cfc97d36f29b6ebdf4b23bd6269e7e1c7e2185d7411b4d14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a0cce1211473b7fd882d56370c1be99

SHA1
2642442ee7d3b84cc15b2adbb309c3e0b63983ed

SHA256
47067001d90a2a87d48b37ea83c5d139362cc26bafaf8714b79fe2cd9e2bd9c2

SHA512
bf7afcb02d15f01bc463896a097fbc0cf2bee42ea6821f4ee949d3a6f0efc717673cb51b212446942c13b9cea9e266375eebf52e96156828723f3c875a51d1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5ED.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar68C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit