fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d

General

Target

XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe
Size

109KB
MD5

4bf2058e2fe4ee6490873acd8d00fc71
SHA1

099f6cd30e1db09c0c51fad208a2c2706c6bd437
SHA256

53d7f79b97f9bb3883a26b4cd84127e4c0c932ba82d9dd437b52373099049bea
SHA512

f4382641663486fadb345537b2d2fc8097e918ccc4697e79e5d1c219a6e66f301a2a4bc65f4a95f740fc92eccaef55ebd99ed49dafdbe2a28f906c15c549d4a5
SSDEEP

1536:xPsDAsCSuhbXNBcqhZ6tJaW9lSr89qmyVttdGFQeOPigx:1s5maVJaWPSI9qmyBeu

Score

7^/10

agilenet

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3288	XWormLoader 5.1 x64.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/3288-12-0x000001E5A2E40000-0x000001E5A3792000-memory.dmp	agile_net

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.1 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.1 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.1 x64.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3288	XWormLoader 5.1 x64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3440	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3440	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3288	XWormLoader 5.1 x64.exe
3288	XWormLoader 5.1 x64.exe

C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\XWormLoader 5.1 x64.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\XWormLoader 5.1 x64.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3288

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x3f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eakSv\eakSv.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
memory/3288-21-0x000001E5A37A0000-0x000001E5A4350000-memory.dmp

Filesize
11.7MB

Download
memory/3288-8-0x000001E5881A0000-0x000001E5881A6000-memory.dmp

Filesize
24KB

Download
memory/3288-3-0x000001E5A2240000-0x000001E5A2268000-memory.dmp

Filesize
160KB

Download
memory/3288-4-0x000001E588200000-0x000001E588206000-memory.dmp

Filesize
24KB

Download
memory/3288-22-0x000001E5A4E00000-0x000001E5A4FF4000-memory.dmp

Filesize
2.0MB

Download
memory/3288-6-0x000001E5A2440000-0x000001E5A2496000-memory.dmp

Filesize
344KB

Download
memory/3288-7-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-23-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-9-0x000001E5881E0000-0x000001E5881E6000-memory.dmp

Filesize
24KB

Download
memory/3288-24-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-11-0x000001E5A2390000-0x000001E5A23AA000-memory.dmp

Filesize
104KB

Download
memory/3288-12-0x000001E5A2E40000-0x000001E5A3792000-memory.dmp

Filesize
9.3MB

Download
memory/3288-13-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-1-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/3288-20-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-0-0x00007FFC7EB33000-0x00007FFC7EB35000-memory.dmp

Filesize
8KB

Download
memory/3288-5-0x000001E5A23E0000-0x000001E5A243E000-memory.dmp

Filesize
376KB

Download
memory/3288-2-0x000001E589AD0000-0x000001E589B12000-memory.dmp

Filesize
264KB

Download
memory/3288-10-0x000001E5A24A0000-0x000001E5A24DC000-memory.dmp

Filesize
240KB

Download
memory/3288-25-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-26-0x00007FFC7EB33000-0x00007FFC7EB35000-memory.dmp

Filesize
8KB

Download
memory/3288-27-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-28-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-29-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-30-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-31-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-32-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-33-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-34-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-35-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-36-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-37-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-38-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-40-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing